You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Manikumar (Jira)" <ji...@apache.org> on 2021/06/01 13:41:00 UTC

[jira] [Updated] (KAFKA-12866) Kafka requires ZK root access even when using a chroot

     [ https://issues.apache.org/jira/browse/KAFKA-12866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar updated KAFKA-12866:
------------------------------
    Fix Version/s: 3.0.0

> Kafka requires ZK root access even when using a chroot
> ------------------------------------------------------
>
>                 Key: KAFKA-12866
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12866
>             Project: Kafka
>          Issue Type: Bug
>          Components: core, zkclient
>    Affects Versions: 2.6.1, 2.8.0, 2.7.1, 2.6.2
>            Reporter: Igor Soarez
>            Assignee: Igor Soarez
>            Priority: Major
>             Fix For: 3.0.0
>
>
> When a Zookeeper chroot is configured, users do not expect Kafka to need Zookeeper access outside of that chroot.
> h1. Why is this important?
> A zookeeper cluster may be shared with other Kafka clusters or even other applications. It is an expected security practice to restrict each cluster/application's access to it's own Zookeeper chroot.
> h1. Steps to reproduce
> h2. Zookeeper setup
> Using the zkCli, create a chroot for Kafka, make it available to Kafka but lock the root znode.
>  
> {code:java}
> [zk: localhost:2181(CONNECTED) 1] create /somechroot
> Created /some
> [zk: localhost:2181(CONNECTED) 2] setAcl /somechroot world:anyone:cdrwa
> [zk: localhost:2181(CONNECTED) 3] addauth digest test:12345
> [zk: localhost:2181(CONNECTED) 4] setAcl / digest:test:Mx1uO9GLtm1qaVAQ20Vh9ODgACg=:cdrwa{code}
>  
> h2. Kafka setup
> Configure the chroot in broker.properties:
>  
> {code:java}
> zookeeper.connect=localhost:2181/somechroot{code}
>  
>  
> h2. Expected behavior
> The expected behavior here is that Kafka will use the chroot without issues.
> h2. Actual result
> Kafka fails to start with a fatal exception:
> {code:java}
>     org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /chroot
>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
>         at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:583)
>         at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)
>         at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)
>         at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1957)
>         at kafka.zk.ZkClientAclTest.testChrootExistsAndRootIsLocked(ZkClientAclTest.scala:60)
> {code}
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)