[ https://issues.apache.org/jira/browse/KAFKA-15243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17746794#comment-17746794 ]

Manikumar edited comment on KAFKA-15243 at 7/25/23 6:26 AM:
------------------------------------------------------------

[~sergio_troi...@hotmail.com] We sanitize the names because some characters 
are not allowed in Zookeeper paths. We sanitize the names using 
`Sanitizer.sanitize(user)` before storing in ZK and use `Sanitizer.desanitize` 
after reading from ZK.
In this case, it looks like a bug when calling describe all user scram configs 
(`--entity-type users`). We are returning sanitized names in the response here 
[https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ZkAdminManager.scala#L851]
 . We should return desanitized names.


was (Author: omkreddy):
[Sergio 
Troiano|https://mail.google.com/jira/secure/ViewProfile.jspa?name=sergio_troiano%40hotmail.com]
 We sanitize the names because some characters are not allowed in Zookeeper 
paths. We sanitize the names using `Sanitizer.sanitize(user)` before storing in 
ZK and use `Sanitizer.desanitize` after reading from ZK.
In this case, it looks like a bug when calling describe all user scram configs 
(`--entity-type users`). We are returning sanitized names in the response here 
[https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/ZkAdminManager.scala#L851]
 . We should return desanitized names.

> User creation mismatch
> ----------------------
>
>                 Key: KAFKA-15243
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15243
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3.2
>            Reporter: Sergio Troiano
>            Assignee: Sergio Troiano
>            Priority: Major
>              Labels: kafka-source
>
> We found the Kafka users were not created properly, so let's suppose we 
> create the user [myu...@myuser.com|mailto:myu...@myuser.com]
>  
> COMMAND:
> {code:java}
> /etc/new_kafka/bin/kafka-configs.sh  --bootstrap-server localhost:9092 
> --alter --add-config 
> 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]'
>  --entity-type users --entity-name myu...@myuser.com{code}
> RESPONSE:
> {code:java}
> Completed updating config for user myu...@myuser.com{code}
> When listing the users I see the user was created as an encoded string
> COMMAND
> {code:java}
> kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type 
> users|grep myuser {code}
> RESPONSE
> {code:java}
> SCRAM credential configs for user-principal 'myuser%40myuser.com' are 
> SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096 {code}
>  
> So basically the user is being "sanitized" and giving a false OK to the user 
> requester. The user requested does not exist as it should; the encoded one is 
> created instead.
>  
> I dug deep into the code until I found this is happening in 
> ZkAdminManager.scala on this line:
>  
> {code:java}
> adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user), 
> configsByPotentiallyValidUser(user)) {code}
> So removing the Sanitizer fixes the problem, but I have a couple of doubts.
> I checked that we sanitize because of some JMX metrics, but in this case I 
> don't know if this is really needed. Supposing it is needed, I think we should 
> forbid creating users with characters that will be encoded.
> Even worse, after creating a user we generally create ACLs, and they are 
> created properly without encoding the characters; this creates a mismatch 
> between the user and the ACLs.
>  
>  
> So I can work on fixing this, but I think we need to decide:
>  
> A) We forbid creating users with characters that will be encoded, so we fail 
> in the user creation step.
>  
> B) We allow user creation with special characters and remove the 
> Sanitizer.sanitize(user) call from the two places where it shows up in the file 
> ZkAdminManager.scala
>  
>  
> And of course if we go for B we need to create the tests.
> Please let me know what you think and I can work on it.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
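Added example (editor's code, not from the ticket or from the Kafka code base): a small Python model of the name handling the comment describes, used to reproduce the mismatch the reporter saw. The encoding rules in sanitize/desanitize are an assumption about org.apache.kafka.common.utils.Sanitizer (URL-encode as UTF-8, write '*' as %2A and space as %20, decode with URLDecoder); FakeZkUserStore, orphaned_acls and demo are illustrative names that do not exist in Kafka, and the user names and ACL principals are constructed sample data.

```python
# Added example, not code from the Kafka project or from this ticket.
# Principal names are sanitized before they become Zookeeper path
# components and must be desanitized when read back.  The encoding rules
# below are an ASSUMPTION about org.apache.kafka.common.utils.Sanitizer
# (URL-encode as UTF-8, then '*' -> %2A and space -> %20).  FakeZkUserStore,
# orphaned_acls and demo are illustrative names that do not exist in Kafka.
from typing import Dict, Iterable, List, Optional
from urllib.parse import quote, unquote_plus

ACL_PRINCIPAL_PREFIX = "User:"


def sanitize(name: str) -> str:
    """ZK-path-safe form of a principal name (assumed Kafka rules).

    quote(safe="") percent-encodes everything except letters, digits,
    '_', '.', '-' and '~'.  Java's URLEncoder also encodes '~', so that
    character is mapped explicitly to keep the output identical.
    """
    return quote(name, safe="").replace("~", "%7E")


def desanitize(name: str) -> str:
    """Inverse of sanitize; mirrors URLDecoder.decode ('+' also becomes space)."""
    return unquote_plus(name)


class FakeZkUserStore:
    """Stand-in for the ZK-backed user config store.

    Keys are stored sanitized, as the alter path in the ticket does with
    Sanitizer.sanitize(user).
    """

    def __init__(self) -> None:
        self._configs: Dict[str, dict] = {}

    def alter(self, user: str, config: dict) -> None:
        self._configs[sanitize(user)] = dict(config)

    def stored_keys(self) -> List[str]:
        return list(self._configs)

    def describe_one(self, user: str) -> Optional[dict]:
        # Lookup by name works because the query is sanitized the same way.
        return self._configs.get(sanitize(user))

    def describe_all_buggy(self) -> Dict[str, dict]:
        # What the comment says describe-all did: hand back the raw ZK keys.
        return dict(self._configs)

    def describe_all_fixed(self) -> Dict[str, dict]:
        # The fix the comment proposes: desanitize on the way out.
        return {desanitize(k): v for k, v in self._configs.items()}


def user_from_principal(principal: str) -> str:
    """ACLs carry the raw principal ("User:name"); nothing is sanitized there."""
    if not principal.startswith(ACL_PRINCIPAL_PREFIX):
        raise ValueError(f"unexpected principal: {principal!r}")
    return principal[len(ACL_PRINCIPAL_PREFIX):]


def orphaned_acls(described_users: Iterable[str],
                  acl_principals: Iterable[str]) -> List[str]:
    """ACL principals whose user does not appear in a describe-all result."""
    names = set(described_users)
    return [p for p in acl_principals if user_from_principal(p) not in names]


def demo() -> dict:
    """Reproduce the mismatch from the ticket on constructed sample data."""
    store = FakeZkUserStore()
    store.alter("myuser@myuser.com", {"SCRAM-SHA-256": {"iterations": 4096}})
    store.alter("plainuser", {"SCRAM-SHA-512": {"iterations": 4096}})
    # Constructed ACL principals in the "User:name" form ACLs use.
    acls = ["User:myuser@myuser.com", "User:plainuser"]
    return {
        "stored_keys": sorted(store.stored_keys()),
        "buggy_orphans": orphaned_acls(store.describe_all_buggy(), acls),
        "fixed_orphans": orphaned_acls(store.describe_all_fixed(), acls),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the "buggy" describe-all, the ACL for User:myuser@myuser.com shows up as orphaned because the listing reports myuser%40myuser.com; with desanitize applied on the way out, every ACL principal matches a listed user. Note that the stored key is the same in both cases, so only the presentation of the describe output changes, not what is in ZK.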
