[ 
https://issues.apache.org/jira/browse/KAFKA-1695?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14180538#comment-14180538
 ] 

Gwen Shapira commented on KAFKA-1695:
-------------------------------------

The good news is that Kafka works out of the box with secure ZooKeeper. The 
default ACL for ZK nodes is world:anyone:cdrwa.

I think we want to give users an option to secure their Kafka information in ZK 
to make sure that only a Kafka broker (and perhaps Kafka consumer) can read and 
write them. Especially important if we choose to store the broker part of the 
delegation token secret in ZK.

It looks like ZKClient has a PR for support of ACLs 
(https://github.com/sgroschupf/zkclient/pull/18), however it's 3 years old...


> Authenticate connection to Zookeeper
> ------------------------------------
>
>                 Key: KAFKA-1695
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1695
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jay Kreps
>            Assignee: Gwen Shapira
>
> We need to make it possible to secure the Zookeeper cluster Kafka is using. 
> This would make use of the normal authentication ZooKeeper provides. 
> ZooKeeper supports a variety of authentication mechanisms so we will need to 
> figure out what has to be passed in to the zookeeper client.
> The intention is that when the current round of client work is done it should 
> be possible to run without clients needing access to Zookeeper so all we need 
> here is to make it so that only the Kafka cluster is able to read and write 
> to the Kafka znodes (we shouldn't need to set any kind of acl on a per-znode 
> basis).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
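
An added example, not part of the original message or of Kafka/ZooKeeper code: an offline audit that flags znode ACL entries, such as the default world:anyone:cdrwa mentioned above, that grant access to anyone other than the Kafka principal. The principal sasl:kafka, the znode list and the high/medium severity split are assumptions made for illustration.

```python
# Added example (not Kafka or ZooKeeper project code): audit znode ACLs offline.
# ZooKeeper ACL entries have the form scheme:id:perms, perms drawn from "cdrwa".
PERMS = {"c": "create", "d": "delete", "r": "read", "w": "write", "a": "admin"}


def parse_acl(entry):
    """Parse 'scheme:id:perms'. The id may itself contain ':' (digest:user:hash)."""
    scheme, _, rest = entry.partition(":")
    ident, _, perms = rest.rpartition(":")
    if not scheme or not ident or not perms or set(perms) - set(PERMS):
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return scheme, ident, set(perms)


def audit(znode_acls, allowed):
    """Return findings for every ACL entry that grants access to a principal
    outside `allowed` (a set of (scheme, id) pairs)."""
    findings = []
    for path in sorted(znode_acls):
        for entry in znode_acls[path]:
            scheme, ident, perms = parse_acl(entry)
            if (scheme, ident) in allowed:
                continue
            # Assumed severity split: anything beyond read can change Kafka's state.
            severity = "high" if perms - {"r"} else "medium"
            granted = [PERMS[p] for p in "cdrwa" if p in perms]
            findings.append((path, f"{scheme}:{ident}", severity, granted))
    return findings


# Constructed sample: ACL strings in scheme:id:perms form for four znodes.
# The principal sasl:kafka, the digest value and the paths are assumptions.
SAMPLE = {
    "/brokers/ids": ["world:anyone:cdrwa"],
    "/controller": ["sasl:kafka:cdrwa"],
    "/config/topics": ["sasl:kafka:cdrwa", "world:anyone:r"],
    "/admin": ["digest:ops:cGxhY2Vob2xkZXI=:rw", "sasl:kafka:cdrwa"],
}

if __name__ == "__main__":
    for path, who, severity, granted in audit(SAMPLE, {("sasl", "kafka")}):
        print(f"{severity:6} {path:16} {who} -> {','.join(granted)}")
```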
