[ https://issues.apache.org/jira/browse/KAFKA-4864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900780#comment-15900780 ]
ASF GitHub Bot commented on KAFKA-4864:
---------------------------------------
GitHub user simplesteph opened a pull request:
https://github.com/apache/kafka/pull/2655
KAFKA-4864 added correct zookeeper nodes for security migrator
You can merge this pull request into a Git repository by running:
$ git pull https://github.com/simplesteph/kafka fix-security-migrator-tool
Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/kafka/pull/2655.patch
To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:
This closes #2655
----
commit d8c48067e4a0b93a48c8c83f830268199af0c8c9
Author: simplesteph <[email protected]>
Date: 2017-03-08T06:19:21Z
[KAFKA-4864] added correct zookeeper nodes for security migrator
----
> Kafka Secure Migrator tool doesn't secure all the nodes
> -------------------------------------------------------
>
> Key: KAFKA-4864
> URL: https://issues.apache.org/jira/browse/KAFKA-4864
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 0.10.1.0, 0.10.1.1, 0.10.2.0
> Reporter: Stephane Maarek
> Priority: Critical
>
> It seems that the secure nodes as referred by ZkUtils.scala are the following:
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L201
> A couple of things:
> - the list is highly outdated, and for example the most important nodes such
> as kafka-acls don't get secured. That's a huge security risk. Would it be
> better to just secure all the nodes recursively from the given root?
> - the roots of some nodes aren't secured. Ex: /brokers (but many others).
> The result is the following after running the tool:
> zookeeper-security-migration --zookeeper.acl secure --zookeeper.connect zoo1:2181/kafka-test
> [zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
> 'world,'anyone
> : cdrwa
> [zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
> 'world,'anyone
> : r
> 'sasl,'[email protected]
> : cdrwa
> [zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
> 'world,'anyone
> : cdrwa
> That seems pretty bad to be honest... A fast enough ZkClient could delete
> some root nodes, and create the nodes they like before the Acls get set.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
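The report's point is that the migrator secures a fixed list of znodes while the parent nodes and anything not on the list (such as kafka-acl) stay world-writable, and that the fix the reporter asks for is to cover every node under the chroot recursively. The following Python script is an added example, not code from the Kafka project or from this thread: it parses the kind of zkCli `getAcl` transcript shown above and walks the tree from a given root, flagging every znode on which `world:anyone` holds any write-class permission (create, delete, write or admin). The transcript embedded in it is constructed to mirror the report, and `kafka-principal-placeholder` stands in for a real SASL principal.

```python
"""Recursive ZooKeeper ACL audit over a zkCli `getAcl` transcript.

Added example (not Kafka project code). It finds znodes that remain
writable by world:anyone after a migration run, which is exactly the
gap described in KAFKA-4864: parents such as /brokers and unlisted
nodes such as /kafka-acl keep their open default ACL.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Constructed zkCli session modelled on the report; the SASL id is a placeholder.
SAMPLE_TRANSCRIPT = """\
[zk: localhost:2181(CONNECTED) 8] getAcl /kafka-test
'world,'anyone
: r
'sasl,'kafka-principal-placeholder
: cdrwa
[zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
'world,'anyone
: r
'sasl,'kafka-principal-placeholder
: cdrwa
[zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
'world,'anyone
: cdrwa
"""

AclEntry = Tuple[str, str, str]                 # (scheme, id, perms)
WRITE_PERMS: FrozenSet[str] = frozenset("cdwa")  # create, delete, write, admin
PROMPT_RE = re.compile(r"^\[zk: .*\]\s+getAcl\s+(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    path: str
    perms: str  # permission string granted to world:anyone on that znode


def parse_transcript(text: str) -> Dict[str, List[AclEntry]]:
    """Map each znode queried with getAcl to its ACL entries.

    zkCli prints every entry as two lines: `'scheme,'id` then `: perms`.
    """
    acls: Dict[str, List[AclEntry]] = {}
    current = None
    pending_id = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROMPT_RE.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is None:
            continue  # output before the first getAcl prompt is ignored
        if line.startswith(":"):
            if pending_id is None:
                raise ValueError(f"permission line without an id line: {line!r}")
            scheme, ident = pending_id
            acls[current].append((scheme, ident, line[1:].strip()))
            pending_id = None
        else:
            scheme, ident = line.split(",", 1)
            pending_id = (scheme.strip("'"), ident.strip("'"))
    return acls


def children_of(acls: Dict[str, List[AclEntry]], path: str) -> List[str]:
    """Direct children of `path`, inferred from every known path beneath it.

    Intermediate nodes that were never queried are still visited, so the
    walk does not stop at a gap in the transcript.
    """
    prefix = path.rstrip("/") + "/"
    kids = {prefix + p[len(prefix):].split("/", 1)[0]
            for p in acls if p.startswith(prefix)}
    return sorted(kids)


def audit_tree(acls: Dict[str, List[AclEntry]], root: str) -> List[Finding]:
    """Depth-first walk from `root`; report znodes writable by world:anyone."""
    findings: List[Finding] = []
    stack = [root]
    while stack:
        path = stack.pop()
        for scheme, ident, perms in acls.get(path, []):
            if scheme == "world" and ident == "anyone" and WRITE_PERMS & set(perms):
                findings.append(Finding(path, perms))
        stack.extend(children_of(acls, path))
    return sorted(findings, key=lambda f: f.path)


if __name__ == "__main__":
    for f in audit_tree(parse_transcript(SAMPLE_TRANSCRIPT), "/kafka-test"):
        print(f"OPEN  {f.path}  world:anyone={f.perms}")
```

On the sample session this flags `/kafka-test/brokers` and `/kafka-test/kafka-acl`, while `/kafka-test/brokers/ids` (world read-only, SASL principal `cdrwa`) passes. Running the same walk over a live ensemble after a migration, starting at the chroot rather than at the tool's hard-coded list, is the check that would have caught the gap in the report.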