Posted to jira@kafka.apache.org by "huxihx (Jira)" <ji...@apache.org> on 2019/10/30 03:36:00 UTC
[jira] [Commented] (KAFKA-9025) ZkSecurityMigrator not working with zookeeper chroot
[ https://issues.apache.org/jira/browse/KAFKA-9025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16962659#comment-16962659 ]
huxihx commented on KAFKA-9025:
-------------------------------
[~lmairbus] You should explicitly specify the chroot when running zookeeper-security-migration.sh if a chroot is configured, as shown below:
{code:java}
bin/zookeeper-security-migration.sh --zookeeper.acl=secure --zookeeper.connect=localhost:2181/kafka
{code}
Could you retry your scenario with the command above?
> ZkSecurityMigrator not working with zookeeper chroot
> ----------------------------------------------------
>
> Key: KAFKA-9025
> URL: https://issues.apache.org/jira/browse/KAFKA-9025
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 2.3.0
> Environment: Reproduced at least on rhel and macos
> Reporter: Laurent Millet
> Priority: Major
>
> The ZkSecurityMigrator tool fails to handle installations where kafka is configured with a zookeeper chroot (as opposed to using /, the default):
> * ACLs on existing nodes are not modified (they are left world-modifiable)
> * New nodes created by the tool are created directly under the zookeeper root instead of under the chroot
> The tool does not emit any message, thus the unsuspecting user can only assume everything went well, when in fact it did not and znodes are still not secure:
> kafka_2.12-2.3.0 $ bin/zookeeper-security-migration.sh --zookeeper.acl=secure --zookeeper.connect=localhost:2181
> kafka_2.12-2.3.0 $
> For example, with kafka configured to use /kafka as chroot (zookeeper.connect=localhost:2181/kafka), the following is observed:
> * Before running the tool
> ** Zookeeper top-level nodes (all kafka nodes are under /kafka):
> [zk: localhost:2181(CONNECTED) 1] ls /
> [kafka, zookeeper]
> ** Example node ACL:
> [zk: localhost:2181(CONNECTED) 2] getAcl /kafka/brokers
> 'world,'anyone
> : cdrwa
> * After running the tool:
> ** Zookeeper top-level nodes (kafka nodes created by the tool appeared here):
> [zk: localhost:2181(CONNECTED) 3] ls /
> [admin, brokers, cluster, config, controller, controller_epoch, delegation_token, isr_change_notification, kafka, kafka-acl, kafka-acl-changes, kafka-acl-extended, kafka-acl-extended-changes, latest_producer_id_block, log_dir_event_notification, zookeeper]
> ** Example node ACL:
> [zk: localhost:2181(CONNECTED) 4] getAcl /kafka/brokers
> 'world,'anyone
> : cdrwa
> ** New node ACL:
> [zk: localhost:2181(CONNECTED) 5] getAcl /brokers
> 'sasl,'kafka
> : cdrwa
> 'world,'anyone
> : r
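The two symptoms described in the issue (Kafka znodes appearing directly under / and ACLs left at 'world,'anyone cdrwa) can be checked mechanically from zookeeper-shell.sh output. The following is an added verification example, not code from the issue or from Kafka itself: it parses the text that `ls /` and `getAcl <path>` print, reports znodes the world/anyone principal can still modify, and lists Kafka znodes that were created at the root instead of under the configured chroot. The sample transcripts are constructed from the output format shown above.

```python
"""Post-migration audit for ZooKeeper znode ACLs and chroot placement.

Added example (not part of the issue or of Kafka): feeds on the text
printed by `zookeeper-shell.sh <host:port>` for `ls` and `getAcl`.
"""
import re

# Top-level znode names Kafka creates inside its chroot; this is the set
# the reporter saw appear under / when the migrator ran without the chroot.
KAFKA_ZNODES = {
    "admin", "brokers", "cluster", "config", "controller", "controller_epoch",
    "delegation_token", "isr_change_notification", "kafka-acl",
    "kafka-acl-changes", "kafka-acl-extended", "kafka-acl-extended-changes",
    "latest_producer_id_block", "log_dir_event_notification",
}

# getAcl prints one "'scheme,'id" line followed by a ": perms" line per entry.
ACL_ENTRY = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")
PERMS = re.compile(r"^:\s*(?P<perms>[cdrwa]*)$")
WRITE_PERMS = set("cdwa")  # anything beyond read lets the principal change the node


def parse_getacl(text):
    """Return (scheme, id, perms) tuples from getAcl output, skipping prompts."""
    entries = []
    scheme = ident = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[zk:"):
            continue
        m = ACL_ENTRY.match(line)
        if m:
            scheme, ident = m.group("scheme"), m.group("id")
            continue
        m = PERMS.match(line)
        if m and scheme is not None:
            entries.append((scheme, ident, m.group("perms")))
            scheme = ident = None
    return entries


def world_writable(entries):
    """True if world/anyone holds any of create, delete, write or admin."""
    return any(s == "world" and i == "anyone" and WRITE_PERMS & set(p)
               for s, i, p in entries)


def audit(acls_by_path):
    """Map each znode path to 'OPEN' (world-modifiable) or 'secured'."""
    return {path: ("OPEN" if world_writable(parse_getacl(text)) else "secured")
            for path, text in acls_by_path.items()}


def parse_ls(text):
    """Parse the `[a, b, c]` listing printed by `ls <path>` into a list."""
    body = text.strip().strip("[]")
    return [n.strip() for n in body.split(",") if n.strip()]


def stray_kafka_nodes(root_listing, chroot):
    """Kafka znodes found directly under / that should live under the chroot."""
    chroot_name = chroot.strip("/")
    return sorted(n for n in parse_ls(root_listing)
                  if n in KAFKA_ZNODES and n != chroot_name)


# Constructed sample transcripts, modelled on the issue's zookeeper-shell output.
GETACL_SAMPLES = {
    "/kafka/brokers": "[zk: localhost:2181(CONNECTED) 4] getAcl /kafka/brokers\n"
                      "'world,'anyone\n: cdrwa\n",
    "/brokers": "[zk: localhost:2181(CONNECTED) 5] getAcl /brokers\n"
                "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",
}
ROOT_LS = ("[admin, brokers, cluster, config, controller, controller_epoch, "
           "delegation_token, isr_change_notification, kafka, kafka-acl, "
           "kafka-acl-changes, kafka-acl-extended, kafka-acl-extended-changes, "
           "latest_producer_id_block, log_dir_event_notification, zookeeper]")

if __name__ == "__main__":
    for path, state in audit(GETACL_SAMPLES).items():
        print(f"{path}: {state}")
    print("stray kafka znodes at /:", stray_kafka_nodes(ROOT_LS, "/kafka"))
```

Running it against the sample data reports /kafka/brokers as OPEN and /brokers as secured, and lists the fourteen Kafka znodes that landed at the root; after a migration run with `--zookeeper.connect=localhost:2181/kafka`, the same checks against live `getAcl /kafka/...` output should report every node as secured and an empty stray list.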
--
This message was sent by Atlassian Jira
(v8.3.4#803005)