Details
Critical Description
It seems that the secure nodes as referred by ZkUtils.scala are the following:
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L201
A couple things:
- the list is highly outdated, and for example the most important nodes such as kafka-acls don't get secured. That's a huge security risk. Would it be better to just secure all the nodes recursively from the given root?
- the root of some nodes aren't secured. Ex: /brokers (but many others).
The result is the following after running the tool:
zookeeper-security-migration --zookeeper.acl secure --zookeeper.connect zoo1:2181/kafka-test
[zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
'world,'anyone
: r
'sasl,'myzkclient@EXAMPLE.COM
: cdrwa
[zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
'world,'anyone
: cdrwa
That seems pretty bad to be honest... A fast enough ZkClient could delete some root nodes, and create the nodes they like before the Acls get set.
Attachments
Issue Links
- is duplicated by
-
KAFKA-4867 zookeeper-security-migration.sh does not clear ACLs from all nodes
-
- Resolved
-
- links to
