[ https://issues.apache.org/jira/browse/KAFKA-4814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15965775#comment-15965775 ]

ASF GitHub Bot commented on KAFKA-4814:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/2845

    KAFKA-4814: Enable ZK ACLs only when zookeeper.set.acl is set

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-4814

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2845.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2845
    
----
commit b4c8614fa6faaba40ec878919bf2314a17736493
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2017-04-12T12:28:06Z

    KAFKA-4814: Enable ZK ACLs only when zookeeper.set.acl is set

----


> ZookeeperLeaderElector not respecting zookeeper.set.acl
> -------------------------------------------------------
>
>                 Key: KAFKA-4814
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4814
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.1.1
>            Reporter: Stevo Slavic
>            Assignee: Rajini Sivaram
>              Labels: newbie
>             Fix For: 0.11.0.0
>
>
> Per the [migration 
> guide|https://kafka.apache.org/documentation/#zk_authz_migration] for 
> enabling ZooKeeper security on an existing Apache Kafka cluster, and the [broker 
> configuration 
> documentation|https://kafka.apache.org/documentation/#brokerconfigs] for the 
> {{zookeeper.set.acl}} configuration property, when this property is set to 
> false Kafka brokers should not be setting any ACLs on ZooKeeper nodes, even 
> when a JAAS config file is provisioned to the broker. 
> The problem is that there is broker-side logic, like that in 
> {{ZookeeperLeaderElector}} making use of {{JaasUtils#isZkSecurityEnabled}}, 
> which does not respect this configuration property, resulting in ACLs being 
> set even when there's just a JAAS config file provisioned to the Kafka broker while 
> {{zookeeper.set.acl}} is set to {{false}}.
> Notice that {{JaasUtils}} is in the {{org.apache.kafka.common.security}} package 
> of the {{kafka-clients}} module, while {{zookeeper.set.acl}} is a broker-side-only 
> configuration property.
> To make it possible to enable ZooKeeper authentication on an 
> existing cluster without downtime, it should be possible to have all Kafka brokers in the cluster 
> first authenticate to the ZooKeeper cluster, without ACLs being set. Only once 
> all ZooKeeper clients (Kafka brokers and others) are authenticating to the 
> ZooKeeper cluster can ACLs start being set.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
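
An added example, not part of the original message or of the Kafka code base: a small check an operator could run during the migration described in the issue to spot znodes that carry restricted ACLs even though zookeeper.set.acl is not enabled. The function names, the sample broker config and the sample ACL listings are constructed for illustration; the listing format is assumed to be what zkCli.sh prints for getAcl.

```python
import re

# Constructed broker config for step 1 of the migration (JAAS present, ACLs off).
SERVER_PROPERTIES = """\
zookeeper.connect=zk1:2181
zookeeper.set.acl=false
"""

# Constructed `getAcl <path>` listings, keyed by znode path.
GETACL_OUTPUT = {
    "/brokers/ids/0": "'world,'anyone\n: cdrwa\n",
    "/controller": "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",
}

ACL_ENTRY = re.compile(r"'(\w+),'(\S*)\s*\n\s*:\s*([cdrwa]+)")

def set_acl_enabled(properties_text):
    """Effective zookeeper.set.acl value; the broker default is false."""
    value = "false"
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue  # skip blanks and properties-file comments
        key, sep, val = line.partition("=")
        if sep and key.strip() == "zookeeper.set.acl":
            value = val.strip().lower()  # last assignment wins
    return value == "true"

def parse_acl(getacl_text):
    """Parse a getAcl listing into (scheme, id, permissions) tuples."""
    return ACL_ENTRY.findall(getacl_text)

def is_open(entries):
    """True if world:anyone holds all five permissions (unsecured znode)."""
    return any(scheme == "world" and ident == "anyone"
               and set(perms) == set("cdrwa")
               for scheme, ident, perms in entries)

def unexpected_acls(properties_text, acl_by_path):
    """Znodes with restricted ACLs although zookeeper.set.acl is not true."""
    if set_acl_enabled(properties_text):
        return []  # ACLs are expected once the property is enabled
    return sorted(path for path, text in acl_by_path.items()
                  if not is_open(parse_acl(text)))

if __name__ == "__main__":
    print(unexpected_acls(SERVER_PROPERTIES, GETACL_OUTPUT))
```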
