[ https://issues.apache.org/jira/browse/KAFKA-15243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Manikumar resolved KAFKA-15243.
-------------------------------
    Fix Version/s: 3.6.0
       Resolution: Fixed

> User creation mismatch
> ----------------------
>
>                 Key: KAFKA-15243
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15243
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3.2
>            Reporter: Sergio Troiano
>            Assignee: Sergio Troiano
>            Priority: Major
>              Labels: kafka-source
>             Fix For: 3.6.0
>
>
> We found that Kafka users were not being created properly. Let's suppose we 
> create the user myu...@myuser.com
>  
> COMMAND:
> {code:java}
> /etc/new_kafka/bin/kafka-configs.sh  --bootstrap-server localhost:9092 
> --alter --add-config 
> 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]'
>  --entity-type users --entity-name myu...@myuser.com{code}
> RESPONSE:
> {code:java}
> Completed updating config for user myu...@myuser.com{code}
> When listing the users, I see the user was created as an encoded string.
> COMMAND:
> {code:java}
> kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type 
> users|grep myuser {code}
> RESPONSE:
> {code:java}
> SCRAM credential configs for user-principal 'myuser%40myuser.com' are 
> SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096 {code}
>  
> So basically the user is being "sanitized", which gives a false OK to the 
> requester. The requested user does not exist as it should; the encoded one is 
> created instead.
>  
> I dug deep into the code until I found this is happening in 
> ZkAdminManager.scala, on this line:
>  
> {code:java}
> adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user), 
> configsByPotentiallyValidUser(user)) {code}
> So removing the Sanitizer fixes the problem, but I have a couple of doubts.
> I checked that we sanitize because of some JMX metrics, but in this case I don't 
> know if this is really needed. Supposing it is needed, I think we should 
> forbid creating users with characters that will be encoded.
> Even worse, after creating a user we generally create ACLs, and they are 
> created properly without encoding the characters; this creates a mismatch 
> between the user and the ACLs.
>  
>  
> So I can work on fixing this, but I think we need to decide:
>  
> A) We forbid creating users with characters that will be encoded, so we fail 
> at the user creation step.
>  
> B) We allow user creation with special characters and remove 
> Sanitizer.sanitize(user) from the 2 places where it shows up in 
> ZkAdminManager.scala.
>  
>  
> And of course, if we go for B we need to create the tests.
> Please let me know what you think and I can work on it.
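The credential/ACL mismatch described in the report, as an added example that is not part of the ticket or of Kafka's code: a small audit script that models the percent-encoding visible above (`@` stored as `%40`), parses constructed `kafka-configs.sh --describe` output, and flags SCRAM principals whose stored spelling differs from the principal the ACLs were written for. The `sanitize` model (URL-encoding of everything except letters, digits and `_.-~`) is an assumption that matches the behaviour shown on this page, not Kafka's own `Sanitizer` class.

```python
import re
from urllib.parse import quote, unquote

def sanitize(name: str) -> str:
    """Model of the encoding seen in the report: 'myuser@myuser.com' -> 'myuser%40myuser.com'.
    Assumption: percent-encode everything except A-Za-z0-9 and '_.-~' (space -> %20,
    '*' -> %2A). This is a stand-in for the observed behaviour, not Kafka's class."""
    return quote(name, safe="")

def desanitize(name: str) -> str:
    """Reverse of sanitize(): recover the principal a client would actually present."""
    return unquote(name)

# Matches the describe output format quoted in the report.
PRINCIPAL_RE = re.compile(r"SCRAM credential configs for user-principal '([^']*)'")

def stored_scram_principals(describe_output: str) -> list[str]:
    """Principal names exactly as `kafka-configs.sh --describe --entity-type users` prints them."""
    return PRINCIPAL_RE.findall(describe_output)

def credential_acl_mismatches(describe_output: str, acl_principals: list[str]) -> list[tuple[str, str]]:
    """Return (stored_name, acl_name) pairs where the SCRAM credential is stored under an
    encoded spelling while the ACLs only know the raw spelling, i.e. the mismatch the
    report describes. Principals with no encodable characters never appear here."""
    acl_users = {p[len("User:"):] if p.startswith("User:") else p for p in acl_principals}
    mismatches = []
    for stored in stored_scram_principals(describe_output):
        raw = desanitize(stored)
        if raw != stored and raw in acl_users and stored not in acl_users:
            mismatches.append((stored, raw))
    return mismatches

# Constructed sample input: one encoded principal (as in the report) and one plain one.
DESCRIBE_OUTPUT = """\
SCRAM credential configs for user-principal 'myuser%40myuser.com' are SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096
SCRAM credential configs for user-principal 'alice' are SCRAM-SHA-512=iterations=4096
"""
ACL_PRINCIPALS = ["User:myuser@myuser.com", "User:alice"]  # constructed ACL principal list

if __name__ == "__main__":
    for stored, raw in credential_acl_mismatches(DESCRIBE_OUTPUT, ACL_PRINCIPALS):
        print(f"credential stored as {stored!r} but ACLs reference {raw!r}")
```

Running the audit against real output of `kafka-configs.sh --describe --entity-type users` and `kafka-acls.sh --list` gives the operator a list of principals affected by this bug before deciding between options A and B.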



--
This message was sent by Atlassian Jira
(v8.20.10#820010)