Posted to jira@kafka.apache.org by "Attila Sasvari (JIRA)" <ji...@apache.org> on 2018/12/21 15:26:00 UTC
[jira] [Commented] (KAFKA-7752) zookeeper-security-migration.sh does not remove ACL on kafka-acl-extended
[ https://issues.apache.org/jira/browse/KAFKA-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16726830#comment-16726830 ]
Attila Sasvari commented on KAFKA-7752:
---------------------------------------
In the kafka.zk.ZkData class, ZkAclStore.securePaths contains the following paths:
{code}
0 = "/kafka-acl"
1 = "/kafka-acl-changes"
2 = "/kafka-acl-extended/prefixed"
3 = "/kafka-acl-extended-changes"
{code}
When the migrator tool runs, ZkUtils.SecureZkRootPaths contains:
{code}
result = {$colon$colon@2669} "::" size = 14
0 = "/admin"
1 = "/brokers"
2 = "/cluster"
3 = "/config"
4 = "/controller"
5 = "/controller_epoch"
6 = "/isr_change_notification"
7 = "/latest_producer_id_block"
8 = "/log_dir_event_notification"
9 = "/delegation_token"
10 = "/kafka-acl"
11 = "/kafka-acl-changes"
12 = "/kafka-acl-extended/prefixed"
13 = "/kafka-acl-extended-changes"
{code}
Then the code recursively travels these paths and sets the ACL on all the child znodes.
As a result, {{/kafka-acl-extended}} is missed.
> zookeeper-security-migration.sh does not remove ACL on kafka-acl-extended
> -------------------------------------------------------------------------
>
> Key: KAFKA-7752
> URL: https://issues.apache.org/jira/browse/KAFKA-7752
> Project: Kafka
> Issue Type: Bug
> Components: tools
> Affects Versions: 2.0.0
> Reporter: Attila Sasvari
> Assignee: Attila Sasvari
> Priority: Major
>
> Executed {{zookeeper-security-migration.sh --zookeeper.connect $(hostname -f):2181/kafka --zookeeper.acl secure}} to secure Kafka znodes and then {{zookeeper-security-migration.sh --zookeeper.connect $(hostname -f):2181/kafka --zookeeper.acl unsecure}} to unsecure those.
> I noticed that the tool did not remove ACLs on certain nodes:
> {code}
> ] getAcl /kafka/kafka-acl-extended
> 'world,'anyone
> : r
> 'sasl,'kafka
> : cdrwa
> {code}
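The coverage gap described in the comment above, modelled as an added example (not Kafka's code and not part of the original message). The root list is the one shown in the comment; the znode tree and the function names are constructed for illustration, with paths relative to the chroot.

```python
# Root paths as listed in the comment (ZkUtils.SecureZkRootPaths at run time).
SECURE_ROOT_PATHS = [
    "/admin", "/brokers", "/cluster", "/config", "/controller",
    "/controller_epoch", "/isr_change_notification",
    "/latest_producer_id_block", "/log_dir_event_notification",
    "/delegation_token", "/kafka-acl", "/kafka-acl-changes",
    "/kafka-acl-extended/prefixed", "/kafka-acl-extended-changes",
]

# Constructed sample znode tree (not taken from a live cluster).
ZNODES = {
    "/brokers", "/brokers/ids", "/brokers/ids/0",
    "/config", "/config/topics",
    "/kafka-acl", "/kafka-acl/Topic",
    "/kafka-acl-extended", "/kafka-acl-extended/prefixed",
    "/kafka-acl-extended/prefixed/Topic",
    "/kafka-acl-extended-changes",
}

def covered(path, roots):
    """True if path is a listed root or lies below one.
    The '/' suffix keeps '/kafka-acl' from matching '/kafka-acl-extended'."""
    return any(path == r or path.startswith(r + "/") for r in roots)

def unvisited_znodes(roots, znodes):
    """Znodes a recursive walk starting at each root never reaches."""
    return sorted(z for z in znodes if not covered(z, roots))

def missed_ancestors(roots):
    """Intermediate parents of multi-level roots that no root covers."""
    missed = set()
    for r in roots:
        parts = r.strip("/").split("/")
        for i in range(1, len(parts)):
            ancestor = "/" + "/".join(parts[:i])
            if not covered(ancestor, roots):
                missed.add(ancestor)
    return sorted(missed)

if __name__ == "__main__":
    print("never visited:", unvisited_znodes(SECURE_ROOT_PATHS, ZNODES))
    print("uncovered parents:", missed_ancestors(SECURE_ROOT_PATHS))
```

`missed_ancestors` needs only the root list, so it can flag this class of gap without connecting to ZooKeeper.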