Kafka / KAFKA-4864

Kafka Secure Migrator tool doesn't secure all the nodes

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 0.10.1.0, 0.10.1.1, 0.10.2.0
    • Fix Version/s: 0.10.2.1, 0.11.0.0
    • Component/s: None
    • Labels:
      None
    • Flags:
      Important

      Description

      It seems that the secure nodes as referred by ZkUtils.scala are the following:

      https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L201

      A couple of things:

      • The list is highly outdated; for example, the most important nodes, such as kafka-acls, don't get secured. That's a huge security risk. Would it be better to just secure all the nodes recursively from the given root?
      • The roots of some nodes aren't secured. Ex: /brokers (but many others).

      The result is the following after running the tool:
      zookeeper-security-migration --zookeeper.acl secure --zookeeper.connect zoo1:2181/kafka-test

      [zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
      'world,'anyone
      : cdrwa
      [zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
      'world,'anyone
      : r
      'sasl,'myzkclient@EXAMPLE.COM
      : cdrwa
      [zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
      'world,'anyone
      : cdrwa

      That seems pretty bad, to be honest... A fast enough ZkClient could delete some root nodes and create the nodes they like before the ACLs get set.
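An audit check for the state shown in the report, as an added example that is not part of the original report or of Kafka's code: it parses `getAcl` output in the format pasted above and flags znodes that `world:anyone` can still modify or that carry no authenticated entry. The function names and the rule that world read-only is acceptable (as on /brokers/ids) are assumptions of this example.

```python
import re

# Constructed input: the getAcl transcript quoted in the report above.
TRANSCRIPT = """\
[zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
'world,'anyone
: r
'sasl,'myzkclient@EXAMPLE.COM
: cdrwa
[zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
'world,'anyone
: cdrwa
"""

PROMPT = re.compile(r"^\[zk: .*\]\s+getAcl\s+(\S+)\s*$")  # prompt + command + path
IDENT = re.compile(r"^'(\w+),'(.*)$")                      # 'scheme,'id
PERMS = re.compile(r"^:\s*([cdrwa]+)\s*$")                 # : permission letters

def parse_getacl(transcript):
    """Return {znode path: [(scheme, id, perms), ...]} from zkCli getAcl output."""
    acls, path, pending = {}, None, None
    for line in map(str.strip, transcript.splitlines()):
        if m := PROMPT.match(line):
            path, pending = m.group(1), None
            acls[path] = []
        elif path and (m := IDENT.match(line)):
            pending = (m.group(1), m.group(2))
        elif path and pending and (m := PERMS.match(line)):
            acls[path].append((*pending, m.group(1)))
            pending = None
    return acls

def audit(acls, allowed_world="r"):
    """Flag znodes the world scheme can modify, or with no non-world entry.
    Assumption of this example: world may hold at most `allowed_world`."""
    findings = {}
    for path, entries in acls.items():
        issues = []
        for scheme, ident, perms in entries:
            extra = set(perms) - set(allowed_world)
            if scheme == "world" and extra:
                issues.append("world:%s has %s" % (ident, "".join(sorted(extra))))
        if not any(scheme != "world" for scheme, _, _ in entries):
            issues.append("no authenticated ACL entry")
        if issues:
            findings[path] = issues
    return findings
```

Running `audit(parse_getacl(TRANSCRIPT))` reports /kafka-test/brokers and /kafka-test/kafka-acl and passes /kafka-test/brokers/ids.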

              People

              • Assignee:
                Unassigned
              • Reporter:
                Stephane Maarek (stephane.maarek@gmail.com)