[ https://issues.apache.org/jira/browse/KAFKA-15243?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17746843#comment-17746843 ]

Sergio Troiano commented on KAFKA-15243:
----------------------------------------

[~omkreddy],


Thanks for the quick reply. One more comment: a long time ago, when we were running 
an old Kafka version, I saw that users were able to create users with "@" and 
they are still present in ZK; it seems at some point we added the Sanitizer and 
this broke compatibility, but this is just a detail.


For us the current bug is a problem, as we have an API to allow clients to 
manage their users. The problem is that we rely on listing them to check if they 
exist, so for example if you create user@user and then you want to change the 
password, we first check if it exists and then we have the problem.


I will send the PR. Should I create a KIP for this, or can I send the PR here 
as it is a quick change? Cheers


> User creation mismatch
> ----------------------
>
>                 Key: KAFKA-15243
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15243
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 3.3.2
>            Reporter: Sergio Troiano
>            Assignee: Sergio Troiano
>            Priority: Major
>              Labels: kafka-source
>
> We found the Kafka users were not created properly, so let's suppose we 
> create the user myu...@myuser.com
>  
> COMMAND:
> {code:java}
> /etc/new_kafka/bin/kafka-configs.sh  --bootstrap-server localhost:9092 
> --alter --add-config 
> 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]'
>  --entity-type users --entity-name myu...@myuser.com{code}
> RESPONSE:
> {code:java}
> Completed updating config for user myu...@myuser.com{code}
> When listing the users I see the user was created as an encoded string
> COMMAND
> {code:java}
> kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type 
> users|grep myuser {code}
> RESPONSE
> {code:java}
> SCRAM credential configs for user-principal 'myuser%40myuser.com' are 
> SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096 {code}
>  
> So basically the user is being "sanitized", giving a false OK to the user 
> requester. The requested user does not exist as it should; the encoded one is 
> created instead.
>  
> I dug deep in the code until I found this is happening in 
> ZkAdminManager.scala in this line
>  
> {code:java}
> adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user), 
> configsByPotentiallyValidUser(user)) {code}
> So removing the Sanitizer fixes the problem, but I have a couple of doubts.
> I checked: we sanitize because of some JMX metrics, but in this case I don't 
> know if this is really needed; supposing this is needed, I think we should 
> forbid creating users with characters that will be encoded.
> Even worse, after creating a user we generally create ACLs, and they are 
> created properly without encoding the characters; this creates a mismatch 
> between the user and the ACLs.
>  
>  
> So I can work on fixing this, but I think we need to decide:
>  
> A) We forbid creating users with characters that will be encoded, so we fail 
> in the user creation step.
>  
> B) We allow user creation with special characters and remove the 
> Sanitizer.sanitize(user) from the 2 places where it shows up in the file 
> ZkAdminManager.scala
>  
>  
> And of course if we go for B we need to create the tests.
> Please let me know what you think and I can work on it.
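As an added illustration (not code from the issue, the comment, or Kafka itself), a Python model of the mismatch described above: the requested principal, the name the broker stores after sanitizing, and the existence check the comment relies on. The `sanitize` function is a stand-in modelled on Kafka's `Sanitizer.sanitize` (assumed here: URL-encoding with `+` mapped to `%20` and `*` to `%2A`), and the `--describe` output is constructed, not captured from a broker.

```python
import re
from urllib.parse import quote_plus

# Constructed sample of `kafka-configs.sh --describe --entity-type users` output,
# modelled on the lines quoted in the issue (not real broker output).
DESCRIBE_OUTPUT = """\
SCRAM credential configs for user-principal 'alice' are SCRAM-SHA-256=iterations=4096
SCRAM credential configs for user-principal 'myuser%40myuser.com' are SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096
"""

PRINCIPAL_RE = re.compile(r"user-principal '([^']*)'")


def sanitize(name: str) -> str:
    """Model of Kafka's Sanitizer.sanitize (assumption: URL-encode the name,
    then turn '+' into '%20' and '*' into '%2A' so it is a valid JMX ObjectName).
    Any '+' left after quote_plus came from a space, so the replace is safe."""
    encoded = quote_plus(name, safe="*")
    return encoded.replace("+", "%20").replace("*", "%2A")


def stored_principals(describe_output: str) -> set:
    """Extract the principal names the broker reports SCRAM credentials for."""
    return set(PRINCIPAL_RE.findall(describe_output))


def check_user(requested: str, stored: set) -> str:
    """Classify how a requested user name relates to what the broker stores.

    'exact'     - stored under exactly the name the client asked for
    'sanitized' - stored only under the sanitized name: the mismatch in the
                  issue. A naive exact-match existence check misses it, and an
                  ACL written for User:<requested> does not match this credential.
    'missing'   - no credential under either spelling
    """
    if requested in stored:
        return "exact"
    if sanitize(requested) in stored:
        return "sanitized"
    return "missing"


def needs_encoding(name: str) -> bool:
    """True when the name would be stored under a different (sanitized) spelling;
    this is the pre-creation rejection that option A in the issue proposes."""
    return sanitize(name) != name
```

Running `check_user("myuser@myuser.com", stored_principals(DESCRIBE_OUTPUT))` returns `"sanitized"`, which is exactly the case where a password-change flow that looks for the literal name reports the user as absent.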



--
This message was sent by Atlassian Jira
(v8.20.10#820010)