[
https://issues.apache.org/jira/browse/DRILL-5671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16678180#comment-16678180
]
ASF GitHub Bot commented on DRILL-5671:
---------------------------------------
arina-ielchiieva commented on a change in pull request #1467: DRILL-5671: Set
secure ACLs (Access Control List) for Drill ZK nodes in a secure cluster
URL: https://github.com/apache/drill/pull/1467#discussion_r231489985
##########
File path: distribution/src/resources/drill-override-example.conf
##########
@@ -72,6 +72,22 @@ drill.exec: {
count: 7200,
delay: 500
}
+ # This option controls whether Drill specifies ACLs when it creates
znodes.
+ # If this is 'false', then anyone has all privileges for all Drill
znodes.
+ # This corresponds to ZOO_OPEN_ACL_UNSAFE.
+ # Setting this flag to 'true' enables the provider specified in
"acl_provider"
+ apply_secure_acl: false,
+
+ # This option specified the ACL provider to be used by Drill.
+ # Custom ACL providers can be provided in the Drillbit classpath and
Drill can be made to pick them
+ # by changing this option.
+ # Note: This option has no effect if "apply_secure_acl" is 'false'
+ #
+ # The default "creator-all" will setup ACLs such that
+ # - Only the Drillbit user will have all privileges(create, delete,
read, write, admin). Same as ZOO_CREATOR_ALL_ACL
+ # - Other users will only be able to read the cluster-discovery(list
of Drillbits in the cluster) znodes.
+ #
+ acl_provider: "creator-all"
Review comment:
I think we should also mention about "open provider". At least "creator-all"
and "open" are available in Drill.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Set secure ACLs (Access Control List) for Drill ZK nodes in a secure cluster
> ----------------------------------------------------------------------------
>
> Key: DRILL-5671
> URL: https://issues.apache.org/jira/browse/DRILL-5671
> Project: Apache Drill
> Issue Type: New Feature
> Components: Server
> Reporter: Karthikeyan Manivannan
> Assignee: Karthikeyan Manivannan
> Priority: Major
> Labels: doc-impacting
> Fix For: 1.15.0
>
>
> All Drill ZK nodes, currently, are assigned a default [world:all] ACL i.e.
> anyone gets to do CDRWA(create, delete, read, write, admin access). This
> means that even on a secure cluster anyone can perform all CRDWA actions on
> the znodes.
> This should be changed such that:
> - In a non-secure cluster, Drill will continue using the current default
> [world:all] ACL
> - In a secure cluster, all nodes should have an [authid: all] ACL i.e. the
> authenticated user that created the znode gets full access. The discovery
> znodes i.e. the znodes with the list of Drillbits will have an additional
> [world:read] ACL, i.e. the list of Drillbits will be readable by anyone.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
