Description
It seems that the secure nodes as referred by ZkUtils.scala are the following:
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L201
A couple of things:
- The list is highly outdated; for example, the most important nodes, such as kafka-acls, don't get secured. That's a huge security risk. Would it be better to just secure all the nodes recursively from the given root?
- The roots of some nodes aren't secured, e.g. /brokers (and many others).
The result is the following after running the tool:
zookeeper-security-migration --zookeeper.acl secure --zookeeper.connect zoo1:2181/kafka-test
[zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
'world,'anyone
: r
'sasl,'myzkclient@EXAMPLE.COM
: cdrwa
[zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
'world,'anyone
: cdrwa
That seems pretty bad, to be honest... A fast enough ZkClient could delete some root nodes and create the nodes they like before the ACLs get set.
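As an added, defender-side example that is not part of this report or of the Kafka project: a small Python script that parses zkCli `getAcl` output like the session above and flags znodes whose world:anyone entry grants anything beyond read, so an operator can audit the whole tree after running the migration tool. The session text is the report's own output embedded as a constructed sample; the path names are those from the report.

```python
"""Audit ZooKeeper ACLs from zkCli `getAcl` output for world-writable znodes."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the zkCli session quoted in the report (not live output).
SAMPLE_SESSION = """\
[zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
'world,'anyone
: r
'sasl,'myzkclient@EXAMPLE.COM
: cdrwa
[zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
'world,'anyone
: cdrwa
"""

GETACL_RE = re.compile(r"^\[zk: .*\] getAcl (\S+)$")   # prompt line naming the path
ID_RE = re.compile(r"^'(\w+),'(.+)$")                  # 'scheme,'id
PERM_RE = re.compile(r"^: ([cdrwa]+)$")                # : perms
WRITE_PERMS = set("cdwa")  # any bit beyond read lets an anonymous client alter the tree

def parse_getacl_session(text: str) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each znode path to its list of (scheme, id, perms) entries."""
    acls: Dict[str, List[Tuple[str, str, str]]] = {}
    path, pending = None, None
    for line in text.splitlines():
        if m := GETACL_RE.match(line):
            path = m.group(1)
            acls[path] = []
        elif m := ID_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := PERM_RE.match(line)) and path and pending:
            acls[path].append((pending[0], pending[1], m.group(1)))
            pending = None
    return acls

def world_writable(acls: Dict[str, List[Tuple[str, str, str]]]) -> List[str]:
    """Return paths where world:anyone holds any create/delete/write/admin bit."""
    return sorted(
        path for path, entries in acls.items()
        for scheme, ident, perms in entries
        if scheme == "world" and ident == "anyone" and WRITE_PERMS & set(perms)
    )

if __name__ == "__main__":
    for p in world_writable(parse_getacl_session(SAMPLE_SESSION)):
        print("UNSECURED (world-writable):", p)
```

On the sample above it reports /kafka-test/brokers and /kafka-test/kafka-acl, while /kafka-test/brokers/ids passes because world:anyone only has `r` there.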
Issue Links
- is duplicated by: KAFKA-4867 zookeeper-security-migration.sh does not clear ACLs from all nodes (Resolved)