[jira] [Created] (KAFKA-4943) SCRAM secret's should be better protected with Zookeeper ACLs

JIRA Thu, 23 Mar 2017 02:28:23 -0700

Johan Ström created KAFKA-4943:
----------------------------------

             Summary: SCRAM secret's should be better protected with Zookeeper 
ACLs
                 Key: KAFKA-4943
                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
             Project: Kafka
          Issue Type: Improvement
            Reporter: Johan Ström



With the new SCRAM authenticator the secrets are stored in Zookeeper:
{code}
get /kafka/config/users/alice
{"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
{code}

These are stored without any ACL, and zookeeper-security-migration.sh does not 
seem to change that either:

{code}
getAcl /kafka/config/users/alice
'world,'anyone
: cdrwa

getAcl /kafka/config/users
'world,'anyone
: cdrwa

getAcl /kafka
'world,'anyone
: r
'sasl,'bob
: cdrwa

getAcl /kafka/config/changes
'world,'anyone
: r
'sasl,'bob
: cdrwa

{code}

The above output is after running security migrator, for some reason 
/kafka/config/users is ignored, but others are fixed..


Even if these where to be stored with secure ZkUtils#DefaultAcls, they would be 
world readable.

>From my (limited) point of view, they should be readable by Kafka only.





--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Created] (KAFKA-4943) SCRAM secret's should be better protected with Zookeeper ACLs

Reply via email to