You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "Phil Zampino (JIRA)" <ji...@apache.org> on 2017/11/30 15:59:00 UTC
[jira] [Updated] (KNOX-1129) Remote Configuration Monitor Should
Define The Entries It Monitors If They're Not Yet Defined
[ https://issues.apache.org/jira/browse/KNOX-1129?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Phil Zampino updated KNOX-1129:
-------------------------------
Attachment: KNOX-1129.patch
KNOX-1129.patch attached:
* The remote configuration monitor creates the /knox/config/... entries in the remote registry if they do NOT already exist.
** If the associated client has auth configured, the entries created by the monitor will be writable by any authenticated user, but readable by anyone.
** If the associated client does NOT have auth configured, the entries created by the monitor will have the default ZK permissions, which means everyone has unrestricted permissions for these nodes.
* If the entries DO already exists with unrestricted write permissions
** A message indicating that the entries are suspect will be logged
** If the associated client has authentication configured, the monitor will terminate because it deems the content to be potentially untrusted.
When the entries are created by the monitor, write permissions are granted to "any authenticated user" to allow for easier integration of other populating entities (e.g., Ambari); so long as that entity can be authenticated by ZooKeeper, it will be permitted to modify Knox config therein.
Currently, the identification of the "Anyone Can Write" condition is not completely abstract; however, since the only existing implementation of the monitor is for ZooKeeper, I think this is acceptable.
Whether or not the monitor should terminate when it determines this condition (via a client for which auth has been configured) is up for discussion.
> Remote Configuration Monitor Should Define The Entries It Monitors If They're Not Yet Defined
> ---------------------------------------------------------------------------------------------
>
> Key: KNOX-1129
> URL: https://issues.apache.org/jira/browse/KNOX-1129
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.14.0
> Reporter: Phil Zampino
> Assignee: Phil Zampino
> Fix For: 0.15.0
>
> Attachments: KNOX-1129.patch
>
>
> Currently, if the remote configuration monitor finds that the /knox/config/shared-providers and/or /knox/config/descriptors entries (e.g., znodes) are not present (or are otherwise inaccessible), it determines that it cannot function, and it ceases any attempt at monitoring.
> For those cases where the entries do not yet exist, the monitor can define them. If the client employed by the monitor does not require authentication, then the new entries will be created without any meaningful ACLs applied. If the client has been authenticated, then the ACLs should be such that the authenticated principal has write permissions, while everyone else has read-only permissions.
> Whether or not the read permissions should be more restrictive is yet to be determined; Other projects in the ecosystem seem to allow everyone read access to their respective ZooKeeper content.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)