Posted to users@kafka.apache.org by Rob Anderson <ro...@gmail.com> on 2017/03/30 18:24:57 UTC

Authentication using SASL/Kerberos and znode permissions

Hello,

I've implemented Authentication using SASL/Kerberos, on
kafka_2.12-0.10.2.0. Everything is working fine, however, I've noticed
that the kafka-acl znode is world readable / writable. So, couldn't anyone
just bypass security by modifying the znode via zookeeper, granting their
principal access to a given topic? You could also just delete the znode,
which would remove all of the defined acls.

I do see permissions are proper on other znodes, for example
/brokers/topics/__consumer_offsets. Am I missing something? Are admins
manually tweaking permissions on the kafka-acl znode, to prevent this?
Any information you can offer is appreciated.

Thanks,

Rob

Acl set:

[zk: kafka01.hadoop.test.com(CONNECTED) 15] getAcl /kafka-acl
'world,'anyone
: cdrwa

[zk: kafka01.hadoop.test.com(CONNECTED) 22] getAcl /brokers/topics/__consumer_offsets
'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa

Re: Authentication using SASL/Kerberos and znode permissions

Posted by Rob Anderson <ro...@gmail.com>.
Never mind... The issue was that I needed to add authentication for
kafka-acls.sh; it then creates the znode with the correct permissions.

Thanks,

Rob

kafka-acls.sh

#!/bin/bash
# JAAS login config supplying the credentials the tool uses to authenticate to ZooKeeper
AUTH_JVM_OPTS="-Djava.security.auth.login.config=/opt/kafka/security/kafka_client_jaas.conf"

# kafka-run-class.sh passes everything after its own options to the JVM, so the
# -D option lands before the class name as java expects
exec $(dirname $0)/kafka-run-class.sh $AUTH_JVM_OPTS kafka.admin.AclCommand "$@"

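The root cause in the thread is worth spelling out: Kafka's ZooKeeper client only applies the secure znode ACL (world:anyone:r plus sasl:<principal>:cdrwa) when the JVM has a JAAS login config set via java.security.auth.login.config; run kafka.admin.AclCommand without one and it connects to ZooKeeper unauthenticated and creates /kafka-acl with the default world:anyone:cdrwa, which is exactly what the first getAcl listing shows. The following is an added example, not code from the thread or from Kafka: a small POSIX shell audit that parses the text format zkCli's getAcl prints (one line of 'scheme,'id followed by one line of ": perms") and flags any znode whose world:anyone entry carries create, delete, write or admin bits. The two ACL listings are constructed inline to mirror the ones in the post; the principal kafka-client@HADOOP.TEST.COM and the host kafka01.hadoop.test.com are taken from it, and the zkCli invocation in the comment is what a live run would substitute for the samples.

```shell
#!/bin/sh
# Added example, not code from the thread or from Kafka: audit ZooKeeper znode
# ACLs in the text format that `zkCli.sh getAcl <path>` prints (one line of
# 'scheme,'id followed by one line of ": perms") and flag nodes that
# world:anyone can create under, delete, write to or administer.
# Permission letters: c=create, d=delete, r=read, w=write, a=admin (set ACLs).

# Constructed samples mirroring the two listings in the post.  In a live
# cluster the text would come from, e.g.:
#   zkCli.sh -server kafka01.hadoop.test.com:2181 getAcl /kafka-acl
SAMPLE_KAFKA_ACL="'world,'anyone
: cdrwa"

SAMPLE_CONSUMER_OFFSETS="'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa"

# world_writable_perms ACL_TEXT
# Prints the permission string granted to world:anyone when it contains any of
# c, d, w or a, and exits 0; prints nothing and exits 1 when world:anyone is
# absent or limited to r.  Any log lines zkCli prints around the ACL are
# ignored because only the two-line entry shape is matched.
world_writable_perms() {
    printf '%s\n' "$1" | awk -v q="'" '
        index($0, q "world," q "anyone") == 1 { want = 1; next }
        want == 1 && substr($0, 1, 2) == ": " {
            perms = substr($0, 3)
            if (perms ~ /[cdwa]/) { print perms; found = 1 }
            want = 0
        }
        END { exit found ? 0 : 1 }
    '
}

# audit_znode PATH ACL_TEXT
# Prints "INSECURE <path> world:anyone:<perms>" and returns 1, or "OK <path>"
# and returns 0.
audit_znode() {
    perms=$(world_writable_perms "$2") || perms=""
    if [ -n "$perms" ]; then
        printf 'INSECURE %s world:anyone:%s\n' "$1" "$perms"
        return 1
    fi
    printf 'OK %s\n' "$1"
}

# Demo over the constructed samples.  A real audit script would loop over the
# paths Kafka owns (/kafka-acl, /kafka-acl-changes, /brokers, /config, /admin,
# and their children) and finish with `exit "$status"`.
status=0
audit_znode /kafka-acl "$SAMPLE_KAFKA_ACL" || status=1
audit_znode /brokers/topics/__consumer_offsets "$SAMPLE_CONSUMER_OFFSETS" || status=1
```

Two practical notes. First, the stock kafka-run-class.sh already passes the KAFKA_OPTS environment variable to the JVM, so the same effect as the patched script above can be had without editing it: KAFKA_OPTS="-Djava.security.auth.login.config=/opt/kafka/security/kafka_client_jaas.conf" bin/kafka-acls.sh ... Second, authenticating the tool only fixes nodes it creates from then on; a /kafka-acl that was already created with world:anyone:cdrwa keeps that ACL until it is changed, either by hand in zkCli (setAcl /kafka-acl sasl:kafka-client@HADOOP.TEST.COM:cdrwa,world:anyone:r, assuming the principal from the post) or across the whole tree with Kafka's bin/zookeeper-security-migration.sh, run with the same JAAS config and --zookeeper.acl=secure.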
