Sergio Troiano created KAFKA-15243:
--------------------------------------

Summary: User creation mismatch
Key: KAFKA-15243
URL: https://issues.apache.org/jira/browse/KAFKA-15243
Project: Kafka
Issue Type: Bug
Affects Versions: 3.3.2
Reporter: Sergio Troiano
Assignee: Sergio Troiano

We found the Kafka users were not created properly, so let's suppose we create the user [myu...@myuser.com|mailto:myu...@myuser.com]

COMMAND:
{code:java}
/etc/new_kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]' --entity-type users --entity-name myu...@myuser.com
{code}

RESPONSE:
{code:java}
Completed updating config for user myu...@myuser.com
{code}

When listing the users I see the user was created as an encoded string

COMMAND
{code:java}
kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users|grep myuser
{code}

RESPONSE
{code:java}
SCRAM credential configs for user-principal 'myuser%40myuser.com' are SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096
{code}

So basically the user is being "sanitized" and giving a false OK to the user requester. The user requested does not exist as it should; it creates the encoded one instead.

I dug deep in the code until I found this is happening in ZkAdminManager.scala in this line:
{code:java}
adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user), configsByPotentiallyValidUser(user))
{code}

So removing the Sanitizer fixes the problem, but I have a couple of doubts. I checked that we sanitize because of some JMX metrics, but in this case I don't know if this is really needed. Supposing this is needed, I think we should forbid creating users with characters that will be encoded.

Even worse, after creating a user we generally create ACLs, and they are created properly without encoding the characters; this creates a mismatch between the user and the ACLs.

So I can work on fixing this, but I think we need to decide:

A) We forbid creating users with characters that will be encoded, so we fail in the user creation step.

B) We allow the user creation with special characters and remove the Sanitizer.sanitize(user) from the 2 places where it shows up in the file ZkAdminManager.scala.

And of course if we go for B we need to create the tests.

Please let me know what you think and I can work on it.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
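Added check, not part of this issue or of Kafka's code: a Python script that re-creates the percent-encoding the Sanitizer applies (an assumption about its behaviour, modelled on Java's URLEncoder with the '*' and '+' adjustments) and cross-checks a kafka-configs.sh --describe listing against kafka-acls.sh --list output to flag ACL principals whose SCRAM credential is stored only under the encoded name. The sample output embedded below is constructed, following the describe line quoted in the issue.

```python
import re
from urllib.parse import quote_plus, unquote_plus

# Approximation of Kafka's Sanitizer.sanitize (an assumption, not Kafka's own code):
# Java URLEncoder.encode, then '*' -> %2A and '+' -> %20 so the result is safe in a
# JMX ObjectName. Java leaves '*' unencoded and encodes '~'; Python's quote_plus
# does the opposite, so both are adjusted here.
def sanitize(name: str) -> str:
    encoded = quote_plus(name, safe="*").replace("~", "%7E")
    return encoded.replace("*", "%2A").replace("+", "%20")

# Counterpart of Sanitizer.desanitize (Java URLDecoder.decode).
def desanitize(name: str) -> str:
    return unquote_plus(name)

def find_principal_mismatches(scram_describe_output: str, acl_list_output: str) -> list:
    """Return ACL principals with no SCRAM credential under their own name but one
    under the sanitized name: the user/ACL mismatch the issue describes."""
    stored = set(re.findall(r"user-principal '([^']*)'", scram_describe_output))
    acl_principals = set(re.findall(r"principal=User:([^,)]*)", acl_list_output))
    mismatches = []
    for principal in sorted(acl_principals):
        if principal in stored:
            continue  # credential stored exactly as the ACL names it
        encoded = sanitize(principal)
        if encoded != principal and encoded in stored:
            mismatches.append({"acl_principal": principal, "stored_as": encoded})
    return mismatches

# Constructed sample output; the ACL lines imitate kafka-acls.sh --list style.
SCRAM_DESCRIBE = """\
SCRAM credential configs for user-principal 'alice' are SCRAM-SHA-256=iterations=4096
SCRAM credential configs for user-principal 'myuser%40myuser.com' are SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096
"""
ACL_LIST = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
    (principal=User:alice, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:myuser@myuser.com, host=*, operation=READ, permissionType=ALLOW)
"""

if __name__ == "__main__":
    for m in find_principal_mismatches(SCRAM_DESCRIBE, ACL_LIST):
        print(f"ACL principal {m['acl_principal']!r} has its SCRAM credential stored as {m['stored_as']!r}")
```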