[ https://issues.apache.org/jira/browse/KAFKA-9025?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16963581#comment-16963581 ]
ASF GitHub Bot commented on KAFKA-9025:
---------------------------------------

huxihx commented on pull request #7618: KAFKA-9025: ZkSecurityMigrator not working with zookeeper chroot
URL: https://github.com/apache/kafka/pull/7618

https://issues.apache.org/jira/browse/KAFKA-9025

If a chroot is configured, ZkSecurityMigrator should prompt the user for confirmation to ensure the chroot is specified correctly.

> ZkSecurityMigrator not working with zookeeper chroot
> ----------------------------------------------------
>
>                 Key: KAFKA-9025
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9025
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.3.0
>         Environment: Reproduced at least on rhel and macos
>            Reporter: Laurent Millet
>            Assignee: huxihx
>            Priority: Major
>
> The ZkSecurityMigrator tool fails to handle installations where kafka is
> configured with a zookeeper chroot (as opposed to using /, the default):
>  * ACLs on existing nodes are not modified (they are left world-modifiable)
>  * New nodes created by the tool are created directly under the zookeeper
> root instead of under the chroot
> The tool does not emit any message, thus the unsuspecting user can only
> assume everything went well, when in fact it did not and znodes are still not
> secure:
> kafka_2.12-2.3.0 $ bin/zookeeper-security-migration.sh --zookeeper.acl=secure --zookeeper.connect=localhost:2181
> kafka_2.12-2.3.0 $
> For example, with kafka configured to use /kafka as chroot
> (zookeeper.connect=localhost:2181/kafka), the following is observed:
>  * Before running the tool
>  ** Zookeeper top-level nodes (all kafka nodes are under /kafka):
> [zk: localhost:2181(CONNECTED) 1] ls /
> [kafka, zookeeper]
>  ** Example node ACL:
> [zk: localhost:2181(CONNECTED) 2] getAcl /kafka/brokers
> 'world,'anyone
> : cdrwa
>  * After running the tool:
>  ** Zookeeper top-level nodes (kafka nodes created by the tool appeared here):
> [zk: localhost:2181(CONNECTED) 3] ls /
> [admin, brokers, cluster, config, controller, controller_epoch,
> delegation_token, isr_change_notification, kafka, kafka-acl,
> kafka-acl-changes, kafka-acl-extended, kafka-acl-extended-changes,
> latest_producer_id_block, log_dir_event_notification, zookeeper]
>  ** Example node ACL:
> [zk: localhost:2181(CONNECTED) 4] getAcl /kafka/brokers
> 'world,'anyone
> : cdrwa
>  ** New node ACL:
> [zk: localhost:2181(CONNECTED) 5] getAcl /brokers
> 'sasl,'kafka
> : cdrwa
> 'world,'anyone
> : r
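
Added example (not part of the original message and not Kafka project code): because the tool exits silently, the result has to be verified from the znode ACLs themselves. This Python check parses zkCli getAcl output in the layout quoted above and reports queried znodes under the configured chroot that world:anyone can still modify. The function names and the sample transcript are constructed for illustration.

```python
import re

MODIFY_PERMS = set("cdwa")  # zkCli letters: create, delete, write, admin (r = read)
PROMPT = re.compile(r"^\[zk: .*\]\s+getAcl\s+(\S+)$")
ENTRY = re.compile(r"^'(\w+),'(\S*)$")

def split_chroot(connect):
    """Split a zookeeper.connect value into (hosts, chroot); chroot is '/' if none."""
    hosts, _, path = connect.partition("/")
    return hosts, "/" + path.strip("/")

def parse_getacl(transcript):
    """Map each queried znode to its (scheme, id, perms) entries; last query wins."""
    acls, path, pending = {}, None, None
    for line in (raw.strip() for raw in transcript.splitlines()):
        prompt, entry = PROMPT.match(line), ENTRY.match(line)
        if prompt:
            path, pending = prompt.group(1), None
            acls[path] = []
        elif entry and path:
            pending = entry.groups()
        elif line.startswith(":") and pending:
            acls[path].append(pending + (line[1:].strip(),))
            pending = None
    return acls

def world_modifiable(acls, chroot):
    """Queried znodes at or under chroot that world:anyone can still modify."""
    prefix = chroot.rstrip("/") + "/"
    return sorted(
        p for p, entries in acls.items()
        if (p + "/").startswith(prefix)
        and any(s == "world" and i == "anyone" and MODIFY_PERMS & set(perms)
                for s, i, perms in entries))

# Constructed sample in the layout of the post-migration session quoted above.
SAMPLE = """\
[zk: localhost:2181(CONNECTED) 4] getAcl /kafka/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 5] getAcl /brokers
'sasl,'kafka
: cdrwa
'world,'anyone
: r
"""

if __name__ == "__main__":
    chroot = split_chroot("localhost:2181/kafka")[1]
    print("still world-modifiable:", world_modifiable(parse_getacl(SAMPLE), chroot))
```

Pass the same zookeeper.connect value the brokers use, so the check looks under the chroot where the existing Kafka znodes live rather than at the ZooKeeper root.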