Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-4943

SCRAM secret's should be better protected with Zookeeper ACLs

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 0.10.2.0
    • Fix Version/s: 0.10.2.1, 0.11.0.0
    • Component/s: security
    • Labels:
      None

      Description

      With the new SCRAM authenticator the secrets are stored in Zookeeper:

      get /kafka/config/users/alice
      {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
      

      These are stored without any ACL, and zookeeper-security-migration.sh does not seem to change that either:

      getAcl /kafka/config/users/alice
      'world,'anyone
      : cdrwa
      
      getAcl /kafka/config/users
      'world,'anyone
      : cdrwa
      
      getAcl /kafka
      'world,'anyone
      : r
      'sasl,'bob
      : cdrwa
      
      getAcl /kafka/config/changes
      'world,'anyone
      : r
      'sasl,'bob
      : cdrwa
      
      

      The above output is after running security migrator, for some reason /kafka/config/users is ignored, but others are fixed..

      Even if these where to be stored with secure ZkUtils#DefaultAcls, they would be world readable.

      From my (limited) point of view, they should be readable by Kafka only.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rsivaram Rajini Sivaram
                Reporter:
                jstrom Johan Ström
              • Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: