[KAFKA-4943] SCRAM secret's should be better protected with Zookeeper ACLs - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 0.10.2.0
Fix Version/s: 0.10.2.1, 0.11.0.0
Component/s: security
Labels:
None

Description

With the new SCRAM authenticator the secrets are stored in Zookeeper:

get /kafka/config/users/alice
{"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}

These are stored without any ACL, and zookeeper-security-migration.sh does not seem to change that either:

getAcl /kafka/config/users/alice
'world,'anyone
: cdrwa

getAcl /kafka/config/users
'world,'anyone
: cdrwa

getAcl /kafka
'world,'anyone
: r
'sasl,'bob
: cdrwa

getAcl /kafka/config/changes
'world,'anyone
: r
'sasl,'bob
: cdrwa

The above output is after running security migrator, for some reason /kafka/config/users is ignored, but others are fixed..

Even if these where to be stored with secure ZkUtils#DefaultAcls, they would be world readable.

From my (limited) point of view, they should be readable by Kafka only.