Uploaded image for project: 'Kafka'
  1. Kafka
  2. KAFKA-4943

SCRAM secret's should be better protected with Zookeeper ACLs

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 0.10.2.0
    • 0.10.2.1, 0.11.0.0
    • security
    • None

    Description

      With the new SCRAM authenticator the secrets are stored in Zookeeper:

      get /kafka/config/users/alice
      {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
      

      These are stored without any ACL, and zookeeper-security-migration.sh does not seem to change that either:

      getAcl /kafka/config/users/alice
      'world,'anyone
      : cdrwa
      
      getAcl /kafka/config/users
      'world,'anyone
      : cdrwa
      
      getAcl /kafka
      'world,'anyone
      : r
      'sasl,'bob
      : cdrwa
      
      getAcl /kafka/config/changes
      'world,'anyone
      : r
      'sasl,'bob
      : cdrwa
      
      

      The above output is after running security migrator, for some reason /kafka/config/users is ignored, but others are fixed..

      Even if these where to be stored with secure ZkUtils#DefaultAcls, they would be world readable.

      From my (limited) point of view, they should be readable by Kafka only.

      Attachments

        Issue Links

          Activity

            People

              rsivaram Rajini Sivaram
              jstrom Johan Ström
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: