From "Mr Kafka (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KAFKA-7710) Poor Zookeeper ACL management with Kerberos
Date Thu, 06 Dec 2018 02:53:00 GMT
Mr Kafka created KAFKA-7710:
-------------------------------

             Summary: Poor Zookeeper ACL management with Kerberos
                 Key: KAFKA-7710
                 URL: https://issues.apache.org/jira/browse/KAFKA-7710
             Project: Kafka
          Issue Type: Bug
            Reporter: Mr Kafka


I have seen many organizations run many Kafka clusters. The simplest scenario is you may have
a *kafka.dev.example.com* cluster and a *kafka.prod.example.com* cluster. The more extreme
example is that teams within an organization may run their own individual clusters.

When you enable Zookeeper ACLs in Kafka the ACL looks to be set to the principal (SPN) that
is used to authenticate against Zookeeper.

For example I have brokers:
 * *01.kafka.dev.example.com*
 * *02.kafka.dev.example.com*
 * *03.kafka.dev.example.com*

On *01.kafka.dev.example.com* I run the security-migration tool:
{code:java}
# Run as broker 01, passing its JAAS login config and the ZooKeeper client login context
# on the same command line so the tool's JVM actually receives KAFKA_OPTS
KAFKA_OPTS="-Djava.security.auth.login.config=/etc/kafka/kafka_server_jaas.conf -Dzookeeper.sasl.clientconfig=ZkClient" \
zookeeper-security-migration --zookeeper.acl=secure --zookeeper.connect=a01.zookeeper.dev.example.com:2181
{code}
I end up with ACLs in Zookeeper as below:
{code:java}
# [zk: localhost:2181(CONNECTED) 2] getAcl /cluster
# 'sasl,'kafka/01.kafka.dev.example.com@EXAMPLE
# : cdrwa
{code}
This ACL means no other broker in the cluster can access the znode in Zookeeper except broker
01.

To resolve the issue you need to set the below properties in Zookeeper's config:
{code:java}
kerberos.removeHostFromPrincipal = true
kerberos.removeRealmFromPrincipal = true
{code}
Now when Kafka sets ACLs they are stored as:

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
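Added example, not code from the report, from Kafka or from ZooKeeper: a Python model of the identity canonicalization that ZooKeeper's SASL server callback performs before an id is stored in, or compared against, a `sasl` ACL entry, using the three broker principals and the `EXAMPLE` realm from the report above. It assumes ZooKeeper's DEFAULT `auth_to_local` rule (the short name is the first principal component) and models `kerberos.removeHostFromPrincipal` and `kerberos.removeRealmFromPrincipal` as two boolean flags. With the defaults, the ACL written by broker 01 carries broker 01's full principal and brokers 02 and 03 are denied; with both flags true all three brokers canonicalize to the same id `kafka`.

```python
# Added model (not ZooKeeper's or Kafka's own code) of how ZooKeeper turns the
# authenticated Kerberos principal into the "sasl" ACL identity and how that
# identity is then compared on each znode access. Assumptions: ZooKeeper's
# DEFAULT auth_to_local rule applies, so the short name is the first component
# of the principal; broker names and the EXAMPLE realm are taken from the report.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class KerberosName:
    service: str             # first component, e.g. "kafka"
    host: Optional[str]      # instance component, e.g. "01.kafka.dev.example.com"
    realm: Optional[str]     # e.g. "EXAMPLE"


def parse_principal(principal: str) -> KerberosName:
    """Split service[/host][@REALM] into its parts."""
    name, _, realm = principal.partition("@")
    service, _, host = name.partition("/")
    return KerberosName(service, host or None, realm or None)


def canonical_id(principal: str, remove_host: bool = False, remove_realm: bool = False) -> str:
    """Identity the server assigns to a SASL/GSSAPI session.

    remove_host   models kerberos.removeHostFromPrincipal
    remove_realm  models kerberos.removeRealmFromPrincipal
    Both default to false, which yields the per-broker id seen in the report.
    """
    kn = parse_principal(principal)
    ident = kn.service
    if kn.host and not remove_host:
        ident += "/" + kn.host
    if kn.realm and not remove_realm:
        ident += "@" + kn.realm
    return ident


Acl = List[Tuple[str, str, str]]   # (scheme, id, perms), as printed by getAcl


def secure_acl_set_by(principal: str, **flags: bool) -> Acl:
    """What --zookeeper.acl=secure leaves on a znode when run as `principal`:
    a single sasl entry granting cdrwa to the caller's canonical id."""
    return [("sasl", canonical_id(principal, **flags), "cdrwa")]


def has_permission(acl: Acl, principal: str, perm: str, **flags: bool) -> bool:
    """The sasl scheme matches on exact string equality of the id."""
    ident = canonical_id(principal, **flags)
    return any(scheme == "sasl" and who == ident and perm in perms
               for scheme, who, perms in acl)


# Constructed from the broker names in the report.
BROKERS = ["kafka/%s.kafka.dev.example.com@EXAMPLE" % n for n in ("01", "02", "03")]


def simulate(**flags: bool) -> Tuple[str, Dict[str, bool]]:
    """Broker 01 runs the migration tool; return the id it stores and whether
    each broker can then read the znode under the same server settings."""
    acl = secure_acl_set_by(BROKERS[0], **flags)
    return acl[0][1], {b: has_permission(acl, b, "r", **flags) for b in BROKERS}


if __name__ == "__main__":
    for label, flags in (("defaults", {}),
                         ("removeHost+removeRealm", {"remove_host": True, "remove_realm": True})):
        stored, access = simulate(**flags)
        print(f"{label}: ACL id = sasl:{stored}")
        for broker, ok in access.items():
            print(f"  {broker}: {'allowed' if ok else 'denied'}")
```

Because the match is exact-string on the server side, the model also shows the ordering caveat: znodes that already carry `sasl:kafka/01.kafka.dev.example.com@EXAMPLE` do not become readable by `kafka` just because the two properties are flipped on the ZooKeeper servers; the migration has to be run again (now producing the short id) or the ACLs rewritten.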
