[ https://issues.apache.org/jira/browse/KAFKA-4814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15965664#comment-15965664 ]
Balint Molnar commented on KAFKA-4814:
--------------------------------------

[~rsivaram] I think changing the JaasUtils.isZkSecurityEnabled function to controllerContext.zkUtils.isSecure does the trick https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ZookeeperLeaderElector.scala#L81. But I am not 100% sure about that. On the other hand, maybe it is good to wait until KAFKA-5028 is merged.

> ZookeeperLeaderElector not respecting zookeeper.set.acl
> -------------------------------------------------------
>
>                 Key: KAFKA-4814
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4814
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.1.1
>            Reporter: Stevo Slavic
>            Assignee: Rajini Sivaram
>              Labels: newbie
>             Fix For: 0.11.0.0
>
>
> By [migration guide|https://kafka.apache.org/documentation/#zk_authz_migration] for
> enabling ZooKeeper security on an existing Apache Kafka cluster, and [broker
> configuration documentation|https://kafka.apache.org/documentation/#brokerconfigs] for
> {{zookeeper.set.acl}} configuration property, when this property is set to
> false Kafka brokers should not be setting any ACLs on ZooKeeper nodes, even
> when a JAAS config file is provisioned to the broker.
> Problem is that there is broker side logic, like the one in
> {{ZookeeperLeaderElector}} making use of {{JaasUtils#isZkSecurityEnabled}},
> which does not respect this configuration property, resulting in ACLs being
> set even when there's just a JAAS config file provisioned to the Kafka broker while
> {{zookeeper.set.acl}} is set to {{false}}.
> Notice that {{JaasUtils}} is in the {{org.apache.kafka.common.security}} package
> of the {{kafka-clients}} module, while {{zookeeper.set.acl}} is a broker side only
> configuration property.
> To make it possible to enable ZooKeeper authentication on an existing cluster
> without downtime, it should be possible to have all Kafka brokers in the cluster
> first authenticate to the ZooKeeper cluster, without ACLs being set. Only once
> all ZooKeeper clients (Kafka brokers and others) are authenticating to the
> ZooKeeper cluster can ACLs start being set.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
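
A check for the symptom the issue describes, as an added example that is not part of the JIRA thread or of Kafka's code: it reads a broker's `zookeeper.set.acl` setting and flags znodes whose ACL is restrictive although the setting is false. The properties fragment, znode paths, the `sasl` identity and the ACL listings are constructed sample input, and the listing layout is assumed to be the one printed by ZooKeeper's `zkCli` `getAcl` command.

```python
import re

# Constructed sample input, not taken from the issue: a broker properties
# fragment and ACL listings in the "'scheme,'id" / ": perms" layout that
# ZooKeeper's zkCli getAcl command prints. Paths and identities are illustrative.
BROKER_PROPERTIES = """\
zookeeper.connect=zk1:2181
zookeeper.set.acl=false
"""
ACL_LISTINGS = {
    "/controller": "'world,'anyone\n: r\n'sasl,'kafka\n: cdrwa\n",
    "/brokers/ids/1": "'world,'anyone\n: cdrwa\n",
}

def set_acl_enabled(properties_text):
    """Return the effective zookeeper.set.acl value (the broker default is false)."""
    value = "false"
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "zookeeper.set.acl":
            value = val.strip().lower()
    return value == "true"

def parse_acl(listing):
    """Parse a getAcl listing into a list of (scheme, id, perms) tuples."""
    return re.findall(r"'([^,\n]+),'([^\n]*)\n:\s*([cdrwa]+)", listing)

def is_open(entries):
    """True when world:anyone holds all five permissions, i.e. no restriction."""
    return any(s == "world" and i == "anyone" and set(p) == set("cdrwa")
               for s, i, p in entries)

def unexpected_acls(properties_text, listings):
    """Paths carrying restrictive ACLs although zookeeper.set.acl is false."""
    if set_acl_enabled(properties_text):
        return []  # restrictive ACLs are expected in this configuration
    return sorted(path for path, text in listings.items()
                  if not is_open(parse_acl(text)))

if __name__ == "__main__":
    for path in unexpected_acls(BROKER_PROPERTIES, ACL_LISTINGS):
        print("restrictive ACL despite zookeeper.set.acl=false:", path)
```
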