Posted to jira@kafka.apache.org by "chenzongyi (Jira)" <ji...@apache.org> on 2021/08/31 12:13:00 UTC

[jira] [Updated] (KAFKA-12987) kafka Users don't have avoid brute-force mechanism

     [ https://issues.apache.org/jira/browse/KAFKA-12987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

chenzongyi updated KAFKA-12987:
-------------------------------
    Summary: kafka Users don't have avoid brute-force mechanism  (was: kafka Users don't have avoid brute-force )

> kafka Users don't have avoid brute-force mechanism
> --------------------------------------------------
>
>                 Key: KAFKA-12987
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12987
>             Project: Kafka
>          Issue Type: Improvement
>          Components: admin
>    Affects Versions: 2.7.1
>            Reporter: chenzongyi
>            Priority: Major
>
> Access can be retried many times with a wrong password; there is no anti-brute-force feature:
> When the kafka-server's properties are set to sasl.mechanism.inter.broker.protocol=PLAIN and sasl.enabled.mechanisms=PLAIN, I have to create a sasl_plain account, such as sasl_plain_username: nvwa, sasl_plain_password='right_password'. But when I try to use a wrong password for the kafka-client to connect to the kafka-server several times (more than 100), there seems to be no mechanism to avoid brute-force. Here is my code:
> import ssl
> import six
> import json
> from FSSecurity import crypt
> from kafka import KafkaProducer
>
> context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
> with open('/etc/kafka.kafka/cfg/kafka.kafka.cfg', 'r') as fd:
>     data = json.load(fd)
> right_password = crypt.decrypt(data['sasl_plain_password'])
> wrong_password = right_password + '1'
>
> # start with the wrong password on purpose
> PRODUCER_CONF = {'sasl_mechanism': 'PLAIN', 'security_protocol': 'SASL_SSL', 'acks': 1, 'retries': 5,
>                  'sasl_plain_username': 'nvwa', 'bootstrap_servers': ['172.28.9.200:9092'],
>                  'ssl_context': context, 'sasl_plain_password': wrong_password}
>
> count = 0
> while True:
>     try:
>         count += 1
>         producer = KafkaProducer(**PRODUCER_CONF)
>         break
>     except Exception:
>         # after 100 failed connects, switch to the right password
>         if count == 100:
>             PRODUCER_CONF = {'sasl_mechanism': 'PLAIN', 'security_protocol': 'SASL_SSL', 'acks': 1, 'retries': 5,
>                              'sasl_plain_username': 'nvwa', 'bootstrap_servers': ['172.28.9.200:9092'],
>                              'ssl_context': context, 'sasl_plain_password': right_password}
>
> num = 0
> for i in range(10):
>     msgs = 'message_' + str(num)
>     num += 1
>     producer.send('czy', six.ensure_binary(msgs), partition=0).get()
> print('send message success')
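A broker-side detection check for the behaviour the report describes, added here as an example; it is not code from the issue or from the Kafka project. It parses the "Failed authentication" INFO lines a Kafka broker writes on a SASL failure and raises an alert once a single source address reaches a threshold of failures inside a sliding time window. The exact line shape is an assumption modelled on the broker's default log4j pattern, and the addresses, timestamps and the unrelated log line in the sample are constructed. On the mitigation side, the broker setting connection.failed.authentication.delay.ms (Kafka 2.0 and later) delays closing a connection after a failed authentication, which slows a loop like the one above; the detector complements that with alerting.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex for the broker's "Failed authentication" line. Assumption: the default
# log4j pattern "[%d] %p %m (%c)%n"; the remote address is printed as /ip:port
# or /ip depending on the Kafka version, so the port is optional here.
FAILED_AUTH_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] \w+ .*?"
    r"Failed authentication with /(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? "
    r"\((?P<reason>[^)]*)\)"
)


def parse_failed_auth(line):
    """Return (timestamp, ip, reason) for a failed-auth line, else None."""
    m = FAILED_AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f")
    return ts, m.group("ip"), m.group("reason")


def detect_auth_bruteforce(lines, threshold=20, window=timedelta(seconds=60)):
    """Sliding-window count of SASL failures per source IP.

    Returns {ip: (first_trigger_time, failures_in_window)} for every IP that
    reached `threshold` failures inside any `window`-long interval.
    """
    recent = defaultdict(deque)  # ip -> failure timestamps still in the window
    alerts = {}
    for line in lines:
        parsed = parse_failed_auth(line)
        if parsed is None:
            continue  # successful auths, other INFO lines, etc.
        ts, ip, _reason = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = (ts, len(q))
    return alerts


def fmt_failed_auth(ts, ip, port=50000):
    """Constructed broker log line in the assumed format (sample data only)."""
    return ("[%s] INFO [SocketServer brokerId=0] Failed authentication with /%s:%d "
            "(Authentication failed: Invalid username or password) "
            "(org.apache.kafka.common.network.Selector)"
            % (ts.strftime("%Y-%m-%d %H:%M:%S,%f")[:-3], ip, port))


def constructed_sample():
    """Constructed sample log (not from the issue): one client failing 100
    times in ten seconds, as the reporter's loop would, one client failing
    twice, and one unrelated INFO line."""
    base = datetime(2021, 8, 31, 12, 13, 0)
    lines = [fmt_failed_auth(base + timedelta(milliseconds=100 * i), "192.0.2.10")
             for i in range(100)]
    lines.append("[2021-08-31 12:13:05,000] INFO Unrelated broker message "
                 "(kafka.server.KafkaServer)")
    for i in range(2):
        lines.append(fmt_failed_auth(base + timedelta(seconds=30 + i), "192.0.2.20"))
    return lines


if __name__ == "__main__":
    for ip, (when, n) in detect_auth_bruteforce(constructed_sample()).items():
        print("ALERT %s: %d SASL failures within the window, first at %s" % (ip, n, when))
```

Feed the function the broker's server.log (or the equivalent lines from a log pipeline); tune `threshold` and `window` to the normal rate of misconfigured clients in the environment, since a single client with a stale credential will also produce steady failures and should be distinguishable from a burst like the one in the sample.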



--
This message was sent by Atlassian Jira
(v8.3.4#803005)