Details
Description
With the new SCRAM authenticator the secrets are stored in Zookeeper:
get /kafka/config/users/alice {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
These are stored without any ACL, and zookeeper-security-migration.sh does not seem to change that either:
getAcl /kafka/config/users/alice 'world,'anyone : cdrwa getAcl /kafka/config/users 'world,'anyone : cdrwa getAcl /kafka 'world,'anyone : r 'sasl,'bob : cdrwa getAcl /kafka/config/changes 'world,'anyone : r 'sasl,'bob : cdrwa
The above output is after running security migrator, for some reason /kafka/config/users is ignored, but others are fixed..
Even if these where to be stored with secure ZkUtils#DefaultAcls, they would be world readable.
From my (limited) point of view, they should be readable by Kafka only.
Attachments
Issue Links
- links to