[ https://issues.apache.org/jira/browse/KAFKA-15243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sergio Troiano updated KAFKA-15243:
-----------------------------------
    Component/s: core

> User creation mismatch
> ----------------------
>
>                 Key: KAFKA-15243
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15243
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3.2
>            Reporter: Sergio Troiano
>            Assignee: Sergio Troiano
>            Priority: Major
>              Labels: kafka-source
>
> We found the Kafka users were not created properly, so let's suppose we
> create the user [myu...@myuser.com|mailto:myu...@myuser.com]
>
> COMMAND:
> {code:java}
> /etc/new_kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092
> --alter --add-config
> 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]'
> --entity-type users --entity-name myu...@myuser.com{code}
> RESPONSE:
> {code:java}
> Completed updating config for user myu...@myuser.com{code}
> When listing the users I see the user was created as an encoded string.
> COMMAND:
> {code:java}
> kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type
> users|grep myuser {code}
> RESPONSE:
> {code:java}
> SCRAM credential configs for user-principal 'myuser%40myuser.com' are
> SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096 {code}
>
> So basically the user is being "sanitized", giving a false OK to the user
> requester. The requested user does not exist as it should; the encoded one
> is created instead.
>
> I dug deep in the code until I found this is happening in
> ZkAdminManager.scala, in this line:
>
> {code:java}
> adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user),
> configsByPotentiallyValidUser(user)) {code}
> So removing the Sanitizer fixes the problem, but I have a couple of doubts.
> I checked: we sanitize because of some JMX metrics, but in this case I don't
> know if this is really needed. Supposing it is needed, I think we should
> forbid creating users with characters that will be encoded.
> Even worse, after creating a user we generally create ACLs, and they are
> created properly without encoding the characters; this creates a mismatch
> between the user and the ACLs.
>
> So I can work on fixing this, but I think we need to decide:
>
> A) We forbid creating users with characters that will be encoded, so we fail
> in the user creation step.
>
> B) We allow user creation with special characters and remove the
> Sanitizer.sanitize(user) from the 2 places where it shows up in the file
> ZkAdminManager.scala.
>
> And of course if we go for B we need to create the tests.
> Please let me know what you think and I can work on it.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
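The following is an added example, not part of the ticket and not Kafka's own code. It re-implements in Python the sanitization step the reporter attributes to Sanitizer.sanitize, so that an operator can run the pre-flight check behind option A (refuse a SCRAM user name that would be stored percent-encoded) and detect the credential/ACL principal mismatch the ticket describes from `kafka-configs.sh --describe` output. The ticket itself only shows '@' becoming '%40'; the remaining encoding rules (java.net.URLEncoder's pass-through set, upper-case hex, and Kafka's rewrite of '*' and space) are assumptions about the Sanitizer class and should be checked against the source of your Kafka version. The `User:<name>` ACL principal form and the sample ACL list are constructed for the example.

```python
"""Added example for KAFKA-15243 (not Kafka's code): re-implement the user-name
sanitisation the ticket attributes to Sanitizer.sanitize, so an operator can
(a) reject names that would be stored percent-encoded (the ticket's option A) and
(b) spot credential/ACL principal mismatches in `kafka-configs.sh --describe` output.

Assumption: Kafka's Sanitizer behaves like java.net.URLEncoder (keeps A-Z a-z 0-9
'.' '-' '_', percent-encodes everything else as upper-case hex UTF-8 bytes) and then
rewrites '*' to %2A and the space to %20. The ticket itself only shows '@' -> '%40'.
Verify against the Sanitizer class in your Kafka version before relying on it.
"""
import re
import string
from typing import Dict, List, Tuple
from urllib.parse import unquote

# Characters java.net.URLEncoder leaves untouched, minus '*', which Kafka also encodes
# (assumed: a JMX ObjectName treats '*' as a pattern character).
_PASSTHROUGH = frozenset(string.ascii_letters + string.digits + "._-")


def sanitize(name: str) -> str:
    """Mirror of Sanitizer.sanitize (assumed behaviour, see module docstring)."""
    out: List[str] = []
    for ch in name:
        if ch in _PASSTHROUGH:
            out.append(ch)
        else:
            # Percent-encode the UTF-8 bytes with upper-case hex. '*' -> %2A and
            # ' ' -> %20 fall out of this rule, which is the post-processing Kafka
            # is assumed to apply on top of URLEncoder's output.
            out.append("".join(f"%{b:02X}" for b in ch.encode("utf-8")))
    return "".join(out)


def desanitize(stored: str) -> str:
    """Inverse of sanitize(): plain percent-decoding."""
    return unquote(stored)


def encoded_characters(name: str) -> List[str]:
    """Distinct characters of `name` that sanitize() would rewrite, in order of appearance."""
    seen: List[str] = []
    for ch in name:
        if ch not in _PASSTHROUGH and ch not in seen:
            seen.append(ch)
    return seen


def check_user_name(name: str) -> Tuple[bool, str]:
    """Option A pre-flight: (ok, reason). ok is False when the stored principal
    would differ from what the operator typed."""
    bad = encoded_characters(name)
    if bad:
        return False, (f"{name!r} would be stored as {sanitize(name)!r}; "
                       f"characters {bad} are percent-encoded")
    return True, f"{name!r} round-trips unchanged"


_DESCRIBE_RE = re.compile(r"user-principal '([^']*)'")


def described_principals(describe_output: str) -> List[str]:
    """Extract principal names from `kafka-configs.sh --describe --entity-type users` output."""
    return _DESCRIBE_RE.findall(describe_output)


def credential_acl_mismatches(describe_output: str, acl_principals: List[str]) -> Dict[str, str]:
    """Map each stored credential name with no exact 'User:<name>' ACL principal to the
    ACL principal that was presumably intended ('User:<decoded name>'). ACL principals
    are assumed to be stored unsanitised, as the ticket reports."""
    acl_set = set(acl_principals)
    mismatches: Dict[str, str] = {}
    for stored in described_principals(describe_output):
        if f"User:{stored}" not in acl_set:
            expected = f"User:{desanitize(stored)}"
            if expected in acl_set:
                mismatches[stored] = expected
    return mismatches


# Constructed sample: the describe line quoted in the ticket plus one well-behaved user,
# and ACL principals as an operator would have created them (unencoded).
SAMPLE_DESCRIBE = (
    "SCRAM credential configs for user-principal 'myuser%40myuser.com' are "
    "SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096\n"
    "SCRAM credential configs for user-principal 'alice' are SCRAM-SHA-512=iterations=4096\n"
)
SAMPLE_ACL_PRINCIPALS = ["User:myuser@myuser.com", "User:alice"]

if __name__ == "__main__":
    for candidate in ("myuser@myuser.com", "svc-kafka_01.prod", "a b*c"):
        print(check_user_name(candidate)[1])
    print(credential_acl_mismatches(SAMPLE_DESCRIBE, SAMPLE_ACL_PRINCIPALS))
```

Running the script flags `myuser@myuser.com` as a name that would be stored as `myuser%40myuser.com`, accepts `svc-kafka_01.prod`, and reports the one credential in the constructed describe output whose only matching ACL principal is the decoded form; `desanitize()` is what lets the audit line the two stores up again.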