You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@zookeeper.apache.org by Randgalt <gi...@git.apache.org> on 2017/05/09 14:22:18 UTC

[GitHub] zookeeper pull request #249: [ZOOKEEPER-2779] Branch 3.5 backport

GitHub user Randgalt opened a pull request:

    https://github.com/apache/zookeeper/pull/249

    [ZOOKEEPER-2779] Branch 3.5 backport

    Branch 3.5 backport of https://github.com/apache/zookeeper/pull/248

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Randgalt/zookeeper ZOOKEEPER-2779-3.5

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/zookeeper/pull/249.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #249
    
----
commit 5b59ee2e2cbcc65a76b76cf4fc5f0b6c6a92a980
Author: randgalt <jo...@jordanzimmerman.com>
Date:   2017-05-09T14:12:41Z

    Provide a means to disable setting of the Read Only ACL for the reconfig node added in ZOOKEEPER-2014. That change made it very cumbersome to use the reconfig feature and also could worsen security as the entire ZK database is open to "super" user while the reconfig node is being changed (the only possible method as of ZOOKEEPER-2014).

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zookeeper pull request #249: [ZOOKEEPER-2779] Branch 3.5 backport

Posted by hanm <gi...@git.apache.org>.

Github user hanm commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/249#discussion_r119240556
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperReconfig.xml ---
    @@ -338,7 +338,10 @@ server.3=125.23.63.25:2782:2785:participant</programlisting>
             environment (i.e. behind company firewall). For those users who want to use reconfiguration feature but
             don't want the overhead of configuring an explicit list of authorized user for reconfig access checks,
             they can set <ulink url="zookeeperAdmin.html#sc_authOptions">"skipACL"</ulink> to "yes" which will
    -        skip ACL check and allow any user to reconfigure cluster.
    +        skip ACL check and allow any user to reconfigure cluster. A more secure mechanism is also provided.
    --- End diff --
    
    Please remove the "A more secure mechanism is also provided." This approach is no safer than the offline superuser approach per discussion in JIRA. 


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] zookeeper pull request #249: [ZOOKEEPER-2779] Branch 3.5 backport

Posted by Randgalt <gi...@git.apache.org>.

Github user Randgalt commented on a diff in the pull request:

    https://github.com/apache/zookeeper/pull/249#discussion_r119611508
  
    --- Diff: src/docs/src/documentation/content/xdocs/zookeeperReconfig.xml ---
    @@ -338,7 +338,10 @@ server.3=125.23.63.25:2782:2785:participant</programlisting>
             environment (i.e. behind company firewall). For those users who want to use reconfiguration feature but
             don't want the overhead of configuring an explicit list of authorized user for reconfig access checks,
             they can set <ulink url="zookeeperAdmin.html#sc_authOptions">"skipACL"</ulink> to "yes" which will
    -        skip ACL check and allow any user to reconfigure cluster.
    +        skip ACL check and allow any user to reconfigure cluster. A more secure mechanism is also provided.
    --- End diff --
    
    I removed it - however, the sentence was referring to the "offline" superuser approach as being more secure.


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---