Posted to dev@kafka.apache.org by "Balint Molnar (JIRA)" <ji...@apache.org> on 2017/04/03 12:23:41 UTC

[jira] [Commented] (KAFKA-4814) ZookeeperLeaderElector not respecting zookeeper.set.acl

    [ https://issues.apache.org/jira/browse/KAFKA-4814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953384#comment-15953384 ] 

Balint Molnar commented on KAFKA-4814:
--------------------------------------

[~ijuma] Something odd is happening here, or I don't understand something. There is a ZkUtils constructor where we have a parameter isZkSecurityEnabled https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L80 . We are giving a value to this parameter from two different(?) things. First, we are using the zookeeper.set.acl value, for example in class https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaServer.scala#L325
and we are also using the JaasUtils.isZkSecurityEnabled method, for example in https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ConfigCommand.scala#L61

I think these are separate things which we need to handle differently. Or am I missing something here?  

> ZookeeperLeaderElector not respecting zookeeper.set.acl
> -------------------------------------------------------
>
>                 Key: KAFKA-4814
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4814
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.1.1
>            Reporter: Stevo Slavic
>            Assignee: Balint Molnar
>              Labels: newbie
>             Fix For: 0.11.0.0, 0.10.2.1
>
>
> According to the [migration guide|https://kafka.apache.org/documentation/#zk_authz_migration] for enabling ZooKeeper security on an existing Apache Kafka cluster, and the [broker configuration documentation|https://kafka.apache.org/documentation/#brokerconfigs] for the {{zookeeper.set.acl}} configuration property, when this property is set to false Kafka brokers should not be setting any ACLs on ZooKeeper nodes, even when a JAAS config file is provisioned to the broker.
> The problem is that there is broker-side logic, like that in {{ZookeeperLeaderElector}} making use of {{JaasUtils#isZkSecurityEnabled}}, which does not respect this configuration property, resulting in ACLs being set even when there's just a JAAS config file provisioned to the Kafka broker while {{zookeeper.set.acl}} is set to {{false}}.
> Notice that {{JaasUtils}} is in the {{org.apache.kafka.common.security}} package of the {{kafka-clients}} module, while {{zookeeper.set.acl}} is a broker-side-only configuration property.
> To make it possible to enable ZooKeeper authentication on an existing cluster without downtime, it should be possible to have all Kafka brokers in the cluster first authenticate to the ZooKeeper cluster, without ACLs being set. Only once all ZooKeeper clients (Kafka brokers and others) are authenticating to the ZooKeeper cluster can ACLs start being set.
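
An added example (not part of the original message or of the Kafka code base): a check an operator could run during the migration described above, flagging znodes that carry a restrictive ACL while zookeeper.set.acl is false. The broker properties, znode paths and ACL listings are constructed samples; the zkCli getAcl text layout and the treatment of world:anyone:cdrwa as the unrestricted ACL are assumptions.

```python
import re

# Constructed sample broker config (not from the original message).
SERVER_PROPERTIES = "broker.id=1\nzookeeper.connect=zk1:2181\nzookeeper.set.acl=false\n"

# Constructed znode -> ACL text, in the layout zkCli's getAcl prints (assumed).
ZNODE_ACLS = {
    "/brokers/ids/1": "'world,'anyone\n: cdrwa\n",
    "/controller": "'world,'anyone\n: r\n'sasl,'kafka\n: cdrwa\n",
}

ACL_ENTRY = re.compile(r"'(?P<scheme>[^,\n]+),'(?P<id>[^\n]*)\n: (?P<perms>[cdrwa]+)")


def set_acl_enabled(properties_text):
    """Return the effective zookeeper.set.acl value; last entry wins, default false."""
    enabled = False
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.strip() == "zookeeper.set.acl":
            enabled = value.strip().lower() == "true"
    return enabled


def parse_acl(raw):
    """Parse getAcl-style text into (scheme, id, perms) tuples."""
    return [(m["scheme"], m["id"].strip(), m["perms"]) for m in ACL_ENTRY.finditer(raw)]


def is_open(acl):
    """True when world:anyone holds all of cdrwa, i.e. the znode is unrestricted."""
    return any(s == "world" and i == "anyone" and set(p) == set("cdrwa")
               for s, i, p in acl)


def unexpected_acls(properties_text, znode_acls):
    """List znodes that are restricted although the broker is told not to set ACLs."""
    if set_acl_enabled(properties_text):
        return []  # restricted znodes are expected once ACLs are switched on
    return sorted(p for p, raw in znode_acls.items() if not is_open(parse_acl(raw)))


if __name__ == "__main__":
    for path in unexpected_acls(SERVER_PROPERTIES, ZNODE_ACLS):
        print(f"{path}: restricted ACL {parse_acl(ZNODE_ACLS[path])} "
              "but zookeeper.set.acl=false")
```

A non-empty result while zookeeper.set.acl is false means some code path set ACLs anyway, which is the symptom this issue reports.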
