[ https://issues.apache.org/jira/browse/KAFKA-7752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16726830#comment-16726830 ]
Attila Sasvari commented on KAFKA-7752: --------------------------------------- In kafka.zk.ZkData class, ZkAclStore.securePaths contains the following paths {code} 0 = "/kafka-acl" 1 = "/kafka-acl-changes" 2 = "/kafka-acl-extended/prefixed" 3 = "/kafka-acl-extended-changes" {code} When the migrator tool runs, ZkUtils.SecureZkRootPaths contains: {code} result = {$colon$colon@2669} "::" size = 14 0 = "/admin" 1 = "/brokers" 2 = "/cluster" 3 = "/config" 4 = "/controller" 5 = "/controller_epoch" 6 = "/isr_change_notification" 7 = "/latest_producer_id_block" 8 = "/log_dir_event_notification" 9 = "/delegation_token" 10 = "/kafka-acl" 11 = "/kafka-acl-changes" 12 = "/kafka-acl-extended/prefixed" 13 = "/kafka-acl-extended-changes" {code} Then the code recursively travels these paths and set ACL on all the child znodes. As a result, {{/kafka-acl-extended}} is missed. > zookeeper-security-migration.sh does not remove ACL on kafka-acl-extended > ------------------------------------------------------------------------- > > Key: KAFKA-7752 > URL: https://issues.apache.org/jira/browse/KAFKA-7752 > Project: Kafka > Issue Type: Bug > Components: tools > Affects Versions: 2.0.0 > Reporter: Attila Sasvari > Assignee: Attila Sasvari > Priority: Major > > Executed {{zookeeper-security-migration.sh --zookeeper.connect $(hostname > -f):2181/kafka --zookeeper.acl secure}} to secure Kafka znodes and then > {{zookeeper-security-migration.sh --zookeeper.connect $(hostname > -f):2181/kafka --zookeeper.acl unsecure}} to unsecure those. > I noticed that the tool did not remove ACLs on certain nodes: > {code} > ] getAcl /kafka/kafka-acl-extended > 'world,'anyone > : r > 'sasl,'kafka > : cdrwa > {code} -- This message was sent by Atlassian JIRA (v7.6.3#76005)