From: Flavio Junqueira
To: dev@kafka.apache.org
Subject: Re: ZkSecurityMigrator incorrectly applies ACLs to entire ZooKeeper tree?
Date: Wed, 6 Jan 2016 09:34:39 +0000
Message-Id: <4E068D8C-1C24-44D1-9A5A-B828980FFDA0@apache.org>

Hi Matthew,

If you're sharing a ZK ensemble and you have a specific path for the Kafka znodes, then you need to use a chroot for this.
Just pass it along with the connect string:
http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#ch_zkSessions

If we don't protect the root of the Kafka sub-tree, then an unauthorized user will be able to delete child nodes under the sub-tree root:
http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#sc_ACLPermissions

-Flavio

> On 05 Jan 2016, at 21:09, Matthew Bruce wrote:
>
> Hi,
>
> I'm running through some 0.8.2 to 0.9.0 upgrade testing that involves moving to a secured cluster. While running the zookeeper-security-migration.sh script, I noticed that it modifies ACLs for non-Kafka-specific znodes/trees also.
>
> Looking at the code it seems like the intention is to only set the ACLs on specific branches, but then it recursively applies them to all of '/' anyway:
>
>     private def run(): Unit = {
>       try {
>         for (path <- zkUtils.securePersistentZkPaths) {
>           debug("Going to set ACL for %s".format(path))
>           zkUtils.makeSurePersistentPathExists(path)
>         }
>         setAclsRecursively("/")
>         .
>         .
>         .
>
> Am I missing something here, or should the setAclsRecursively call be moved into the loop and be called against each specific path?
>
> Thanks,
> Matthew Bruce
> mbruce@blackbery.com
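As an added illustration of the two points in this exchange (not Kafka's or ZooKeeper's code, and not part of the thread), the following constructed in-memory model reproduces ZooKeeper's per-znode, non-inherited ACLs and its rule that deleting a child is authorised against the DELETE bit on the parent. The znode paths, the `OPEN` and `SECURE` ACL shapes and the `sasl:kafka` principal are assumptions chosen for the example; it shows why confining the recursive walk to the Kafka paths alone leaves the sub-tree root open, and why securing that root (what a chroot makes "/" mean) closes it.

```python
# Constructed in-memory model of ZooKeeper ACL semantics (not Kafka's or ZooKeeper's code).
# Permission letters follow ZooKeeper: c=create r=read w=write d=delete a=admin.
OPEN = [("world", "anyone", "crwda")]                            # ZooKeeper's default, unsecured ACL
SECURE = [("sasl", "kafka", "crwda"), ("world", "anyone", "r")]  # assumed shape of a secured ACL

def fresh_tree():  # constructed shared ensemble: Kafka under /kafka, another tenant under /hbase
    return {p: list(OPEN) for p in ["/", "/kafka", "/kafka/brokers", "/kafka/brokers/ids", "/hbase"]}

def parent(path):
    return path.rsplit("/", 1)[0] or "/"

def descendants(tree, path):
    prefix = "/" if path == "/" else path + "/"
    return [p for p in tree if p != path and p.startswith(prefix)]

def set_acls_recursively(tree, path, acl):
    """Same job as the migrator's setAclsRecursively: ZooKeeper never inherits ACLs, so every descendant is visited."""
    for p in [path] + descendants(tree, path):
        tree[p] = list(acl)

def migrate(tree, secure_paths, acl, from_root):
    """from_root=True reproduces the whole-tree walk Matthew observed; False confines it to the Kafka paths."""
    for path in ["/"] if from_root else secure_paths:
        set_acls_recursively(tree, path, acl)
    return tree

def allowed(acl, identity, perm):
    """identity is None for an unauthenticated client, otherwise the SASL principal name."""
    return any(perm in perms and (scheme == "world" or (scheme == "sasl" and ident == identity))
               for scheme, ident, perms in acl)

def can_delete(tree, path, identity):
    """ZooKeeper authorises delete(child) against the DELETE bit of the *parent* znode's ACL."""
    return allowed(tree[parent(path)], identity, "d")

def demo():
    """Observations behind the two points in the thread, returned for inspection."""
    whole = migrate(fresh_tree(), ["/kafka/brokers"], SECURE, from_root=True)
    scoped = migrate(fresh_tree(), ["/kafka/brokers"], SECURE, from_root=False)
    results = {
        "whole_tree_walk_touches_hbase": whole["/hbase"] == SECURE,
        "scoped_walk_leaves_hbase_alone": scoped["/hbase"] == OPEN,
        # /kafka itself is still OPEN, so an unauthenticated client may delete the secured child.
        "anon_can_delete_brokers_if_root_open": can_delete(scoped, "/kafka/brokers", None),
    }
    # A "/kafka" chroot makes "/" mean /kafka for the migrator: secure the sub-tree root and the parent-side check fails for anonymous.
    set_acls_recursively(scoped, "/kafka", SECURE)
    results["anon_can_delete_brokers_after_root_secured"] = can_delete(scoped, "/kafka/brokers", None)
    results["kafka_principal_can_delete_brokers"] = can_delete(scoped, "/kafka/brokers", "kafka")
    return results
```

Run `demo()` to see the five observations; the third is the hole Flavio describes and the fourth shows it closed once the sub-tree root carries the ACL.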