kafka-dev mailing list archives

From Flavio Junqueira <...@apache.org>
Subject Re: ZkSecurityMigrator incorrectly applies ACLs to entire ZooKeeper tree?
Date Wed, 06 Jan 2016 09:34:39 GMT
Hi Matthew,

If you're sharing a ZK ensemble and you have a specific path for the Kafka znodes, then you
need to use a chroot for this. Just pass it along with the connect string:

http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#ch_zkSessions

If we don't protect the root of the Kafka sub-tree, then an unauthorized user will be able
to delete child nodes under the sub-tree root:

http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#sc_ACLPermissions

-Flavio
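The two points above (a chroot makes the Kafka sub-tree root look like "/" to the migrator, and ZooKeeper checks DELETE against the parent znode, so an unprotected sub-tree root leaves its children deletable) are easy to see in a small in-memory model. The following is an added example, not code from Kafka or ZooKeeper: the permission bit values match ZooDefs.Perms, but the tree layout, the "anon" and "sasl:kafka" identities, the ACL shape used for KAFKA_ACL and all helper names are constructed for illustration.

```python
# Added example (not from the Kafka or ZooKeeper code bases): an in-memory model
# of the ZooKeeper ACL rules this thread hinges on. Permission bit values match
# org.apache.zookeeper.ZooDefs.Perms; tree layout, identities, KAFKA_ACL shape
# and helper names are constructed for illustration.
from dataclasses import dataclass, field

READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN
OPEN_ACL = {"world:anyone": ALL}                  # like ZooKeeper's OPEN_ACL_UNSAFE
KAFKA_ACL = {"sasl:kafka": ALL, "world:anyone": READ}   # assumed: owner all, world read


class NoAuth(Exception):
    """Raised where a real ensemble would return NoAuthException."""


@dataclass
class ZNode:
    acl: dict                                     # identity -> permission bits
    children: dict = field(default_factory=dict)


class ToyZk:
    """Just enough of ZooKeeper to show which node each ACL check is made against."""

    def __init__(self):
        self.root = ZNode(acl=dict(OPEN_ACL))

    def _node(self, path):
        node = self.root
        for name in (path.strip("/").split("/") if path != "/" else []):
            node = node.children[name]            # KeyError plays the role of NoNode
        return node

    @staticmethod
    def _parent(path):
        return path.rsplit("/", 1)[0] or "/"

    @staticmethod
    def _check(node, auth, perm):
        granted = node.acl.get("world:anyone", 0) | node.acl.get(auth, 0)
        if not granted & perm:
            raise NoAuth(f"{auth} lacks permission {perm}")

    def create(self, path, auth, acl):
        parent = self._node(self._parent(path))
        self._check(parent, auth, CREATE)         # CREATE is checked on the parent
        parent.children[path.rsplit("/", 1)[1]] = ZNode(acl=dict(acl))

    def delete(self, path, auth):
        parent = self._node(self._parent(path))
        self._check(parent, auth, DELETE)         # DELETE is checked on the parent, not the node
        name = path.rsplit("/", 1)[1]
        if parent.children[name].children:
            raise RuntimeError("NotEmpty")        # ZooKeeper never deletes a node with children
        del parent.children[name]

    def set_acl(self, path, auth, acl):
        node = self._node(path)
        self._check(node, auth, ADMIN)            # ADMIN is checked on the node itself
        node.acl = dict(acl)

    def get_children(self, path):
        return list(self._node(path).children)


class ChrootedClient:
    """Models a connect string such as host:2181/kafka: every client path is
    prefixed with the chroot, so the client's "/" is the ensemble's /kafka."""

    def __init__(self, zk, chroot, auth):
        self.zk, self.chroot, self.auth = zk, chroot.rstrip("/"), auth

    def _abs(self, path):
        return (self.chroot + path).rstrip("/") or "/"

    def set_acls_recursively(self, path, acl):
        # Same shape as the migrator's setAclsRecursively: the node, then its subtree.
        self.zk.set_acl(self._abs(path), self.auth, acl)
        for child in self.zk.get_children(self._abs(path)):
            self.set_acls_recursively(path.rstrip("/") + "/" + child, acl)


def build_shared_ensemble():
    """Constructed shared ensemble: a Kafka sub-tree under /kafka beside another app."""
    zk = ToyZk()
    for p in ("/kafka", "/kafka/brokers", "/kafka/brokers/ids", "/kafka/brokers/ids/0",
              "/kafka/controller", "/other-app", "/other-app/state"):
        zk.create(p, "anon", OPEN_ACL)            # everything starts world-writable
    return zk


def can_delete(zk, path, auth):
    try:
        zk.delete(path, auth)
        return True
    except NoAuth:
        return False


def anon_can_delete_after_migration(chroot, start_path):
    """Run the migration model from start_path through the given chroot, then probe
    which leaf znodes an unauthenticated client can still delete."""
    zk = build_shared_ensemble()
    ChrootedClient(zk, chroot, "sasl:kafka").set_acls_recursively(start_path, KAFKA_ACL)
    probes = ("/kafka/controller", "/kafka/brokers/ids/0", "/other-app/state")
    return {p: can_delete(zk, p, "anon") for p in probes}


if __name__ == "__main__":
    print("chroot /kafka, migrate from /   :", anon_can_delete_after_migration("/kafka", "/"))
    print("no chroot,     migrate from /   :", anon_can_delete_after_migration("", "/"))
    print("chroot /kafka, /brokers only    :", anon_can_delete_after_migration("/kafka", "/brokers"))
```

The three runs reproduce the thread: with the chroot, `setAclsRecursively("/")` locks down exactly the Kafka sub-tree and leaves `/other-app` alone; without a chroot it reaches every znode in the ensemble, which is the behaviour Matthew observed; and applying ACLs only to a specific branch below the sub-tree root leaves `/kafka` itself world-writable, so `anon` can still delete its direct children such as `/kafka/controller`, which is the case Flavio warns about.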

> On 05 Jan 2016, at 21:09, Matthew Bruce <mbruce@blackberry.com> wrote:
> 
> Hi,
> 
> I'm running through some 0.8.2 to 0.9.0 upgrade testing that involves moving to a secured
> cluster - While running the zookeeper-security-migration.sh script, I noticed that it modifies
> ACLs for non-Kafka specific znodes/trees also.
> 
> Looking at the code it seems like the intention is to only set the ACLs on specific branches,
> but then it recursively applies them to all of '/' anyway:
> 
> private def run(): Unit = {
>   try {
>     for (path <- zkUtils.securePersistentZkPaths) {
>       debug("Going to set ACL for %s".format(path))
>       zkUtils.makeSurePersistentPathExists(path)
>     }
>     setAclsRecursively("/")
>     .
>     .
>     .
> 
> 
> Am I missing something here, or should the setAclsRecursively call be moved into the
> loop and be called against each specific path?
> 
> Thanks,
> Matthew Bruce
> mbruce@blackbery.com

