[jira] [Commented] (KAFKA-4864) Kafka Secure Migrator tool doesn't secure all the nodes

Tue, 07 Mar 2017 22:22:02 -0800 

    [ 
https://issues.apache.org/jira/browse/KAFKA-4864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900780#comment-15900780
 ] 

ASF GitHub Bot commented on KAFKA-4864:
---------------------------------------

GitHub user simplesteph opened a pull request:

    https://github.com/apache/kafka/pull/2655

    KAFKA-4864 added correct zookeeper nodes for security migrator

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/simplesteph/kafka fix-security-migrator-tool

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2655.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2655
    
----
commit d8c48067e4a0b93a48c8c83f830268199af0c8c9
Author: simplesteph <stephane.maa...@gmail.com>
Date:   2017-03-08T06:19:21Z

    [KAFKA-4864] added correct zookeeper nodes for security migrator

----


> Kafka Secure Migrator tool doesn't secure all the nodes
> -------------------------------------------------------
>
>                 Key: KAFKA-4864
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4864
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.1.0, 0.10.1.1, 0.10.2.0
>            Reporter: Stephane Maarek
>            Priority: Critical
>
> It seems that the secure nodes as referred by ZkUtils.scala are the following:
> https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L201
> A couple things:
> - the list is highly outdated, and for example the most important nodes such 
> as kafka-acls don't get secured. That's a huge security risk. Would it be 
> better to just secure all the nodes recursively from the given root?
> - the root of some nodes aren't secured. Ex: /brokers (but many others).
> The result is the following after running the tool:
> zookeeper-security-migration --zookeeper.acl secure --zookeeper.connect 
> zoo1:2181/kafka-test
> [zk: localhost:2181(CONNECTED) 9] getAcl /kafka-test/brokers
> 'world,'anyone
> : cdrwa
> [zk: localhost:2181(CONNECTED) 11] getAcl /kafka-test/brokers/ids
> 'world,'anyone
> : r
> 'sasl,'myzkcli...@example.com
> : cdrwa
> [zk: localhost:2181(CONNECTED) 16] getAcl /kafka-test/kafka-acl
> 'world,'anyone
> : cdrwa
> That seems pretty bad to be honest... A fast enough ZkClient could delete 
> some root nodes, and create the nodes they like before the Acls get set. 



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to