Posted to users@kafka.apache.org by Rob Anderson <ro...@gmail.com> on 2017/03/30 18:24:57 UTC
Authentication using SASL/Kerberos and znode permissions
Hello,
I've implemented Authentication using SASL/Kerberos, on
kafka_2.12-0.10.2.0. Everything is working fine, however, I've noticed
that the kafka-acl znode is world readable / writable. So, couldn't anyone
just bypass security by modifying the znode via zookeeper, granting their
principal access to a given topic? You could also just delete the znode,
which would remove all of the defined acls.
I do see permissions are proper on other znodes, for example
/brokers/topics/__consumer_offsets. Am I missing something? Are admins
manually tweaking permissions on the kafka-acl znode, to prevent this?
Any information you can offer is appreciated.
Thanks,
Rob
Acl set:
[zk: kafka01.hadoop.test.com(CONNECTED) 15] getAcl /kafka-acl
'world,'anyone
: cdrwa
[zk: kafka01.hadoop.test.com(CONNECTED) 22] getAcl
/brokers/topics/__consumer_offsets
'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa
Re: Authentication using SASL/Kerberos and znode permissions
Posted by Rob Anderson <ro...@gmail.com>.
Never mind... The issue was that I needed to add authentication for
kafka-acls.sh; it then creates the znode with the correct permissions.
Thanks,
Rob
kafka-acls.sh
#!/bin/bash
# Kafka's stock wrapper starts AclCommand with no JAAS config, so the tool talks
# to ZooKeeper unauthenticated and the /kafka-acl znode it creates gets the
# world:anyone:cdrwa ACL shown above. Pointing the JVM at the client JAAS file
# makes the tool authenticate first, so the znode is created with the SASL ACL.
# (Shebang added so the file runs on its own; everything else is the posted wrapper.)
AUTH_JVM_OPTS="-Djava.security.auth.login.config=/opt/kafka/security/kafka_client_jaas.conf"
# $AUTH_JVM_OPTS is deliberately unquoted so the JVM options are word-split.
exec "$(dirname "$0")/kafka-run-class.sh" $AUTH_JVM_OPTS kafka.admin.AclCommand "$@"
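An added check for the question raised in this thread (it is not code from the thread or from the Kafka project): it parses the output of zkCli.sh getAcl, exactly as pasted above, and flags any znode on which the anonymous world scheme holds create, delete, write or admin. Running it over a dump of getAcl output for the Kafka znodes is a quick way to catch a /kafka-acl that was created by an unauthenticated kafka-acls.sh run. The first two sample outputs are the two from the thread; the third is constructed to show the shape one would expect once the znode has been recreated by an authenticated client (world read-only plus the SASL principal with full rights; that expected shape is an assumption). The function names are hypothetical.

```python
"""Added example (not from the thread): flag world-writable znodes from zkCli.sh getAcl output."""
import re
from dataclasses import dataclass

# Any of create/delete/write/admin on the 'world' scheme lets an unauthenticated
# ZooKeeper client alter the node; 'r' (read) alone is what Kafka metadata shows.
WRITE_PERMS = frozenset("cdwa")

# getAcl prints one line "'scheme,'id" followed by one line ": perms" per ACL entry.
ID_LINE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<ident>.*)$")
PERM_LINE = re.compile(r"^:\s*(?P<perms>[cdrwa]+)$")


@dataclass(frozen=True)
class AclEntry:
    scheme: str
    ident: str
    perms: str


def parse_get_acl(text: str) -> list[AclEntry]:
    """Parse pasted zkCli.sh getAcl output; raises ValueError on unexpected lines."""
    entries: list[AclEntry] = []
    pending = None  # (scheme, ident) waiting for its ": perms" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("[zk:"):  # blank lines and the CLI prompt
            continue
        if (m := ID_LINE.match(line)) and pending is None:
            pending = (m["scheme"], m["ident"])
        elif (m := PERM_LINE.match(line)) and pending is not None:
            entries.append(AclEntry(pending[0], pending[1], m["perms"]))
            pending = None
        else:
            raise ValueError(f"unexpected getAcl line: {raw!r}")
    if pending is not None:
        raise ValueError(f"ACL id {pending} has no permission line")
    return entries


def world_writable(entries: list[AclEntry]) -> list[AclEntry]:
    """Return entries that grant the anonymous 'world' scheme any mutating permission."""
    return [e for e in entries if e.scheme == "world" and WRITE_PERMS & set(e.perms)]


def audit(outputs: dict[str, str]) -> dict[str, list[str]]:
    """Map znode path -> human-readable findings, only for paths with a world-writable ACL."""
    findings: dict[str, list[str]] = {}
    for path, text in outputs.items():
        bad = world_writable(parse_get_acl(text))
        if bad:
            findings[path] = [f"world:{e.ident} has {e.perms}" for e in bad]
    return findings


# Sample inputs: the first two are the getAcl outputs pasted in the thread; the third
# is constructed (an assumption) to show the shape expected once the znode is created
# by an authenticated client: world read-only plus a SASL principal with full rights.
SAMPLES = {
    "/kafka-acl": """\
[zk: kafka01.hadoop.test.com(CONNECTED) 15] getAcl /kafka-acl
'world,'anyone
: cdrwa
""",
    "/brokers/topics/__consumer_offsets": """\
'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa
""",
    "/kafka-acl (constructed, after fix)": """\
'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa
""",
}

if __name__ == "__main__":
    for path, problems in audit(SAMPLES).items():
        print(f"{path}: {'; '.join(problems)}")
```

Only the first sample is reported (world:anyone has cdrwa); the offsets znode and the constructed post-fix ACL give world read-only and pass. Because the parser refuses lines it does not recognise, a wrapped prompt line or a truncated paste fails loudly rather than silently producing an empty, clean-looking result.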