Hi Matthew,

If you're sharing a ZK ensemble and you have a specific path for the Kafka znodes, then you need to use a chroot for this. Just pass it along with the connect string:

http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#ch_zkSessions

If we don't protect the root of the Kafka sub-tree, then an unauthorized user will be able to delete child nodes under the sub-tree root:

http://zookeeper.apache.org/doc/r3.4.6/zookeeperProgrammers.html#sc_ACLPermissions

-Flavio

> On 05 Jan 2016, at 21:09, Matthew Bruce <mbr...@blackberry.com> wrote:
>
> Hi,
>
> I'm running through some 0.8.2 to 0.9.0 upgrade testing that involves moving
> to a secured cluster - While running the zookeeper-security-migration.sh
> script, I noticed that it modifies ACLs for non-Kafka specific znodes/trees
> also.
>
> Looking at the code it seems like the intention is to only set the ACLs on
> specific branches, but then it recursively applies them to all of '/' anyway:
>
>   private def run(): Unit = {
>     try {
>       for (path <- zkUtils.securePersistentZkPaths) {
>         debug("Going to set ACL for %s".format(path))
>         zkUtils.makeSurePersistentPathExists(path)
>       }
>       setAclsRecursively("/")
>       .
>       .
>       .
>
>
> Am I missing something here, or should the setAclsRecursively call be moved
> into the loop and be called against each specific path?
>
> Thanks,
> Matthew Bruce
> mbr...@blackbery.com
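
The effect of the chroot suffix discussed in this thread, as an added example that is not part of the original messages or of Kafka's code: a small in-memory model showing which znodes a recursive ACL walk from "/" reaches with and without a chroot in the connect string. The host names, the znode tree (with Kafka assumed to live under /kafka) and all function names are constructed for illustration.

```python
# In-memory model of a shared ZooKeeper ensemble (added illustration).
# SHARED_TREE is constructed sample data, not taken from the thread.
SHARED_TREE = [
    "/kafka/brokers/ids/0",
    "/kafka/config/topics/t1",
    "/kafka/controller_epoch",
    "/hbase/master",
    "/otherapp/locks/l1",
]

def split_connect_string(connect):
    """Split 'host:port,host:port/chroot' into (hosts, chroot)."""
    idx = connect.find("/")
    if idx == -1:
        return connect.split(","), ""      # no chroot: client "/" is the real root
    return connect[:idx].split(","), connect[idx:].rstrip("/")

def server_path(chroot, client_path):
    """Map a path as the client sees it to the real path on the ensemble."""
    if client_path == "/":
        return chroot or "/"
    return chroot + client_path

def all_znodes(leaves):
    """Every znode, parents included, implied by the leaf paths."""
    nodes = {"/"}
    for leaf in leaves:
        parts = leaf.strip("/").split("/")
        for i in range(1, len(parts) + 1):
            nodes.add("/" + "/".join(parts[:i]))
    return nodes

def touched_by_recursive_acl(connect, client_root="/"):
    """Real znodes whose ACLs a recursive walk from client_root would rewrite."""
    _, chroot = split_connect_string(connect)
    root = server_path(chroot, client_root)
    prefix = root if root.endswith("/") else root + "/"
    return sorted(n for n in all_znodes(SHARED_TREE)
                  if n == root or n.startswith(prefix))

if __name__ == "__main__":
    for cs in ("zk1:2181,zk2:2181", "zk1:2181,zk2:2181/kafka"):
        hit = touched_by_recursive_acl(cs)
        foreign = [n for n in hit if n != "/" and not n.startswith("/kafka")]
        print(f"{cs}: {len(hit)} znodes rewritten, {len(foreign)} outside /kafka")
```
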