ZooKeeper
  1. ZooKeeper
  2. ZOOKEEPER-1759

Adding ability to allow READ operations for authenticated users, versus keeping ACLs wide open for READ

    Details

    • Type: Improvement Improvement
    • Status: Resolved
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 3.4.5
    • Fix Version/s: 3.5.0
    • Component/s: server
    • Labels:
      None
    • Environment:

      Java, SASL authentication, security

      Description

      Today when using SASLAuthenticationProvider to authenticate Zookeeper Clients access to the data based on ACLS set on znodes there is no other choice but to set READ ACLs to be "world", "anyone" with the way how

      public boolean matches(String id,String aclExpr)
      

      is currently implemented. It means that any unauthenticated user can read the data when application needs to make sure that not only creator of a znode can read the content.
      Proposal is to introduce new property: "zookeeper.readUser" that if incoming id matches to the value of that property it will be allowed to proceed in "match" method.
      So creator of a znode instead of

      ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
      ACL acl2 = new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE);
      

      will need to do

      ACL acl1 = new ACL(Perms.ADMIN | Perms.CREATE | Perms.WRITE | Perms.DELETE, Ids.AUTH_IDS);
      ACL acl2 = new ACL(Perms.READ, new Id("sasl", "anyone"));
      

      Assuming that value of "zookeeper.readUser" property was "anyone".
      This way at least READ access on corresponding znode has to be authenticated.

      1. ZOOKEEPER-1759-1.patch
        1 kB
        Yuliya Feldman
      2. ZOOKEEPER-1759-1.patch
        2 kB
        Yuliya Feldman
      3. ZOOKEEPER-1759.patch
        4 kB
        Yuliya Feldman
      4. ZOOKEEPER-1759.patch
        4 kB
        Yuliya Feldman
      5. ZOOKEEPER-1759.patch
        3 kB
        Yuliya Feldman
      6. ZOOKEEPER-1759.patch
        4 kB
        Yuliya Feldman
      7. TEST-org.apache.zookeeper.test.SaslAuthDesignatedClientTest.txt
        39 kB
        Flavio Junqueira

        Activity

          People

          • Assignee:
            Yuliya Feldman
            Reporter:
            Yuliya Feldman
          • Votes:
            0 Vote for this issue
            Watchers:
            7 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development