Sergio Troiano created KAFKA-15243:
--------------------------------------

             Summary: User creation mismatch
                 Key: KAFKA-15243
                 URL: https://issues.apache.org/jira/browse/KAFKA-15243
             Project: Kafka
          Issue Type: Bug
    Affects Versions: 3.3.2
            Reporter: Sergio Troiano
            Assignee: Sergio Troiano


We found that Kafka users were not created properly. Let's suppose we create the user myu...@myuser.com

COMMAND:
{code:java}
/etc/new_kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 --alter --add-config 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]' --entity-type users --entity-name myu...@myuser.com
{code}
RESPONSE:
{code:java}
Completed updating config for user myu...@myuser.com
{code}
When listing the users, I see the user was created with an encoded name:

COMMAND:
{code:java}
kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users | grep myuser
{code}
RESPONSE:
{code:java}
SCRAM credential configs for user-principal 'myuser%40myuser.com' are SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096
{code}

So basically the user name is being "sanitized", giving a false OK to the requester. The requested user does not exist as it should; the encoded one is created instead.

I dug deep into the code until I found this is happening in ZkAdminManager.scala, on this line:

{code:java}
adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user), configsByPotentiallyValidUser(user))
{code}
So removing the Sanitizer fixes the problem, but I have a couple of doubts.

I checked, and we sanitize because of some JMX metrics, but in this case I don't know if this is really needed. Supposing it is needed, I think we should forbid creating users with characters that will be encoded.

Even worse, after creating a user we generally create ACLs, and those are created properly without encoding the characters; this creates a mismatch between the user and the ACLs.

So I can work on fixing this, but I think we need to decide:

A) We forbid creating users with characters that will be encoded, so we fail at the user creation step.

B) We allow user creation with special characters and remove Sanitizer.sanitize(user) from the 2 places where it shows up in the file ZkAdminManager.scala.

And of course, if we go for B, we need to create the tests.

Please let me know what you think, and I can work on it.
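As an added illustration (not Kafka's code and not part of the ticket), a small Python model of the sanitization step described above: it flags names that the sanitizer would alter (the pre-flight check option A would need), and reconciles the encoded principals printed by --describe against the raw principals referenced in ACLs. The sanitize model, the sample principals and the function names are assumptions made here.

```python
from urllib.parse import quote_plus, unquote


def sanitize(name: str) -> str:
    """Model of the Sanitizer.sanitize step (assumption: Java URLEncoder
    semantics, then '*' -> '%2A' and '+' -> '%20'); not Kafka's own code."""
    encoded = quote_plus(name, safe="*")  # '@' -> '%40', ' ' -> '+', '%' -> '%25'
    return encoded.replace("*", "%2A").replace("+", "%20")


def desanitize(name: str) -> str:
    """Reverse mapping: percent-decoding restores '@', ' ', '*' and '%'."""
    return unquote(name)


def is_altered(name: str) -> bool:
    """True when the stored principal would differ from the requested one.
    A pre-flight check (option A) would reject such names before --alter runs."""
    return sanitize(name) != name


def acl_principals_without_credentials(described: list, acl_users: list) -> list:
    """Compare principals as printed by kafka-configs --describe (already
    sanitized) with the raw principals used in ACLs; return ACL principals
    that have no credential entry under exactly the same name."""
    stored = set(described)
    return sorted(u for u in acl_users if u not in stored)


def reconcile(described: list, acl_users: list) -> dict:
    """Map each raw ACL principal to the encoded credential entry it really
    corresponds to, so an operator can see which mismatches are encoding only."""
    by_raw = {desanitize(d): d for d in described}
    return {u: by_raw[u] for u in acl_users if u in by_raw and by_raw[u] != u}


# Constructed sample data mirroring the ticket's shape (not real principals).
DESCRIBED = ["alice%40example.com", "bob", "svc%2Abackup"]
ACL_USERS = ["alice@example.com", "bob", "svc*backup"]

if __name__ == "__main__":
    for u in ACL_USERS:
        print(f"{u!r}: altered={is_altered(u)} stored_as={sanitize(u)!r}")
    print("ACL principals with no matching credential:",
          acl_principals_without_credentials(DESCRIBED, ACL_USERS))
    print("encoding-only mismatches:", reconcile(DESCRIBED, ACL_USERS))
```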



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
