Posted to jira@kafka.apache.org by "Attila Sasvari (JIRA)" <ji...@apache.org> on 2018/12/21 15:26:00 UTC

[jira] [Commented] (KAFKA-7752) zookeeper-security-migration.sh does not remove ACL on kafka-acl-extended

    [ https://issues.apache.org/jira/browse/KAFKA-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16726830#comment-16726830 ] 

Attila Sasvari commented on KAFKA-7752:
---------------------------------------

In the kafka.zk.ZkData class, ZkAclStore.securePaths contains the following paths:
{code}
0 = "/kafka-acl"
1 = "/kafka-acl-changes"
2 = "/kafka-acl-extended/prefixed"
3 = "/kafka-acl-extended-changes"
{code}

When the migrator tool runs, ZkUtils.SecureZkRootPaths contains:
{code}
result = {$colon$colon@2669} "::" size = 14
 0 = "/admin"
 1 = "/brokers"
 2 = "/cluster"
 3 = "/config"
 4 = "/controller"
 5 = "/controller_epoch"
 6 = "/isr_change_notification"
 7 = "/latest_producer_id_block"
 8 = "/log_dir_event_notification"
 9 = "/delegation_token"
 10 = "/kafka-acl"
 11 = "/kafka-acl-changes"
 12 = "/kafka-acl-extended/prefixed"
 13 = "/kafka-acl-extended-changes"
{code}

Then the code recursively travels these paths and sets the ACL on all the child znodes.
As a result, {{/kafka-acl-extended}} is missed.

> zookeeper-security-migration.sh does not remove ACL on kafka-acl-extended
> -------------------------------------------------------------------------
>
>                 Key: KAFKA-7752
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7752
>             Project: Kafka
>          Issue Type: Bug
>          Components: tools
>    Affects Versions: 2.0.0
>            Reporter: Attila Sasvari
>            Assignee: Attila Sasvari
>            Priority: Major
>
> Executed {{zookeeper-security-migration.sh --zookeeper.connect $(hostname -f):2181/kafka --zookeeper.acl secure}} to secure Kafka znodes and then {{zookeeper-security-migration.sh --zookeeper.connect $(hostname -f):2181/kafka --zookeeper.acl unsecure}} to unsecure those.
> I noticed that the tool did not remove ACLs on certain nodes: 
> {code}
> ] getAcl /kafka/kafka-acl-extended
> 'world,'anyone
> : r
> 'sasl,'kafka
> : cdrwa
> {code}
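
The gap described in this comment, as an added example that is not part of the original message and not Kafka's code: a Python model of a recursive ACL walk over the 14 listed root paths, reporting which ancestor znode no walk reaches. The znode tree, the starting state (every znode already carrying the secured ACL from the getAcl output) and all function names are constructed assumptions.

```python
# Added example: a model of the traversal, not Kafka's implementation.
# Root paths are the 14 listed in the comment (relative to the chroot).
SECURE_ROOTS = [
    "/admin", "/brokers", "/cluster", "/config", "/controller",
    "/controller_epoch", "/isr_change_notification",
    "/latest_producer_id_block", "/log_dir_event_notification",
    "/delegation_token", "/kafka-acl", "/kafka-acl-changes",
    "/kafka-acl-extended/prefixed", "/kafka-acl-extended-changes",
]
SECURED = ("world:anyone:r", "sasl:kafka:cdrwa")  # as in the getAcl output
OPEN = ("world:anyone:cdrwa",)                    # ZooKeeper's open ACL

# Constructed sample tree (assumption), all znodes start out SECURED.
ZNODES = [
    "/brokers", "/brokers/ids", "/kafka-acl", "/kafka-acl/Topic",
    "/kafka-acl-extended", "/kafka-acl-extended/prefixed",
    "/kafka-acl-extended/prefixed/Topic", "/kafka-acl-extended-changes",
]

def reached(path, roots):
    """True if a recursive walk from any root visits `path`."""
    return any(path == r or path.startswith(r + "/") for r in roots)

def uncovered_ancestors(roots):
    """Parents of multi-segment roots that no root's walk visits."""
    missed = set()
    for root in roots:
        parts = root.strip("/").split("/")
        for i in range(1, len(parts)):
            ancestor = "/" + "/".join(parts[:i])
            if not reached(ancestor, roots):
                missed.add(ancestor)
    return sorted(missed)

def migrate(tree, roots, acl):
    """Set `acl` on every znode reached from `roots`; leave the rest."""
    return {p: (acl if reached(p, roots) else old) for p, old in tree.items()}

def leftover_after_unsecure():
    """Znodes still carrying a non-open ACL after the 'unsecure' pass."""
    tree = migrate({p: SECURED for p in ZNODES}, SECURE_ROOTS, OPEN)
    return sorted(p for p, acl in tree.items() if acl != OPEN)

if __name__ == "__main__":
    print("never visited:", uncovered_ancestors(SECURE_ROOTS))
    print("still secured:", leftover_after_unsecure())
```
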


