kafka-dev mailing list archives

From "Balint Molnar (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-4814) ZookeeperLeaderElector not respecting zookeeper.set.acl
Date Wed, 12 Apr 2017 11:00:47 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-4814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15965664#comment-15965664 ]

Balint Molnar commented on KAFKA-4814:

[~rsivaram] I think changing the JaasUtils.isZkSecurityEnabled function to controllerContext.zkUtils.isSecure
does the trick https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ZookeeperLeaderElector.scala#L81.
But I am not 100% sure about that. On the other hand, maybe it is good to wait until KAFKA-5028
is merged.

> ZookeeperLeaderElector not respecting zookeeper.set.acl
> -------------------------------------------------------
>                 Key: KAFKA-4814
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4814
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions:
>            Reporter: Stevo Slavic
>            Assignee: Rajini Sivaram
>              Labels: newbie
>             Fix For:
> By [migration guide|https://kafka.apache.org/documentation/#zk_authz_migration] for enabling ZooKeeper security on an existing Apache Kafka cluster, and [broker configuration documentation|https://kafka.apache.org/documentation/#brokerconfigs] for {{zookeeper.set.acl}} configuration property, when this property is set to false Kafka brokers should not be setting any ACLs on ZooKeeper nodes, even when JAAS config file is provisioned to broker.
> Problem is that there is broker side logic, like one in {{ZookeeperLeaderElector}} making use of {{JaasUtils#isZkSecurityEnabled}}, which does not respect this configuration property, resulting in ACLs being set even when there's just JAAS config file provisioned to Kafka broker while {{zookeeper.set.acl}} is set to {{false}}.
> Notice that {{JaasUtils}} is in {{org.apache.kafka.common.security}} package of {{kafka-clients}} module, while {{zookeeper.set.acl}} is broker side only configuration property.
> To make it possible without downtime to enable ZooKeeper authentication on existing cluster, it should be possible to have all Kafka brokers in cluster first authenticate to ZooKeeper cluster, without ACLs being set. Only once all ZooKeeper clients (Kafka brokers and others) are authenticating to ZooKeeper cluster then ACLs can be started being set.
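
A check for the symptom described in the issue, as an added example that is not part of the original message or of Kafka's code: it parses ZooKeeper CLI `getAcl` output collected per znode and reports any ACL entry other than `world:anyone` while `zookeeper.set.acl` is `false`. The sample output, the `kafka` SASL principal and the function names are constructed for illustration.

```python
import re

# One ACL entry in zkCli `getAcl` output spans two lines:
#   'scheme,'id
#   : perms
ACL_ENTRY = re.compile(
    r"'(?P<scheme>[^,\s]+),'(?P<id>\S*)\s*\n\s*:\s*(?P<perms>[cdrwa]+)"
)


def parse_getacl(output):
    """Return [(scheme, id, perms), ...] parsed from `getAcl` output."""
    entries = [(m["scheme"], m["id"], m["perms"])
               for m in ACL_ENTRY.finditer(output)]
    if not entries:
        # Refuse to treat unparseable output as "no restrictive ACLs".
        raise ValueError("no ACL entries found in getAcl output")
    return entries


def unexpected_acls(acl_dump, set_acl):
    """Map znode path -> ACL entries that contradict zookeeper.set.acl=false.

    acl_dump maps a znode path to the `getAcl` text captured for it.
    Only the pre-ACL migration phase (set_acl=False) is checked here.
    """
    if set_acl:
        return {}
    findings = {}
    for path, output in sorted(acl_dump.items()):
        restricted = [e for e in parse_getacl(output)
                      if e[:2] != ("world", "anyone")]
        if restricted:
            findings[path] = restricted
    return findings


# Constructed sample: brokers run with a JAAS file and zookeeper.set.acl=false,
# yet the controller election znode carries a SASL ACL.
SAMPLE = {
    "/brokers/ids/0": "'world,'anyone\n: cdrwa\n",
    "/controller": "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",
    "/controller_epoch": "'world,'anyone\n: cdrwa\n",
}

if __name__ == "__main__":
    for path, entries in unexpected_acls(SAMPLE, set_acl=False).items():
        print(path, entries)
```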
