[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033729#comment-17033729 ]
Ron Dagostino commented on KAFKA-9515:
--------------------------------------

ZooKeeper 3.5.7 also adds support for the "ssl.clientAuth=[want|need|none]" configuration on the ZooKeeper server side. This means with v3.5.7 client certificates become optional (they are required in 3.5.6, which is what shipped with AK 2.4 and what will ship with AK 2.5). As per [this GitHub PR conversation for KIP 515|https://github.com/apache/kafka/pull/8003#discussion_r376476887] (text adjusted a bit now that we have more info):

"We need to decide in 3 places (KafkaServer, ConfigCommand, and ZkSecurityMigrator) whether or not the ZooKeeper client should generate ACLs in ZooKeeper when creating znodes. Prior to the possibility of x509 authentication it was easy to decide: was SASL enabled to ZooKeeper or not. Now it is supported for SASL to not be enabled but x509 auth to be enabled -- and in that case we want to generate ACLs. So in the 3 cases we have to look for this possibility. I agree it is entirely possible that ZooKeeper might not authenticate the client -- technically in ZK 3.5.6 it is not possible to turn that off, but it will be possible in ZK 3.5.7 and beyond. So while with ZooKeeper 3.5.6 it isn't an issue, at some point in the future it will be. It is possible that ZK might ignore the client certificate, we might generate ACLs, and those ACLs might grant access to World. One idea to avoid this is to make the connection with ACLs enabled, create a random temporary znode, read the ACLs, and check if it is world-enabled; then abort at that point if it is. It would probably be a good idea to add this when we upgrade to ZooKeeper 3.5.7."
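A sketch of the probe described in the comment above, as an added example that is not Kafka's or ZooKeeper's own code. It assumes the standard org.apache.zookeeper client API, a session already configured with whatever SASL/TLS settings the broker uses (JAAS config or the zookeeper.* client system properties), and Kafka's usual secure ACL of CREATOR_ALL_ACL plus world read. The class name, the probe path prefix and the decision helpers are all illustrative; the assumption that the server reports an "auth" ACL entry it cannot bind to an authenticated identity as InvalidACLException is called out in the code.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

/**
 * Illustrative probe (not Kafka/ZooKeeper code): before creating real znodes with ACLs
 * enabled, create a throw-away znode with the intended ACL, read back what the server
 * actually stored, and refuse to continue if it is not bound to an authenticated identity
 * or is writable by world:anyone.
 */
public final class ZkAclProbe {

    /** Anything beyond READ for world:anyone is a misconfiguration for Kafka metadata. */
    private static final int WORLD_FORBIDDEN =
        ZooDefs.Perms.WRITE | ZooDefs.Perms.CREATE | ZooDefs.Perms.DELETE | ZooDefs.Perms.ADMIN;

    /** The ACL Kafka uses when ACLs are enabled: all rights to the creator, read for everyone. */
    static List<ACL> intendedAcl() {
        List<ACL> acl = new ArrayList<>(ZooDefs.Ids.CREATOR_ALL_ACL);
        acl.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
        return acl;
    }

    /** True if any stored entry grants world:anyone more than READ. */
    static boolean grantsWorldWrite(List<ACL> stored) {
        for (ACL a : stored) {
            Id id = a.getId();
            if ("world".equals(id.getScheme()) && "anyone".equals(id.getId())
                    && (a.getPerms() & WORLD_FORBIDDEN) != 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * True if the server expanded the "auth" entry into a concrete identity of a scheme
     * Kafka configures ("sasl" or "x509") with full rights. Without such an entry nothing
     * but the world entry governs the znode.
     */
    static boolean boundToAuthenticatedId(List<ACL> stored) {
        for (ACL a : stored) {
            String scheme = a.getId().getScheme();
            if (("sasl".equals(scheme) || "x509".equals(scheme))
                    && (a.getPerms() & ZooDefs.Perms.ALL) == ZooDefs.Perms.ALL) {
                return true;
            }
        }
        return false;
    }

    /**
     * Creates a random ephemeral znode under {@code parent} with the intended ACL, reads
     * the effective ACL, and always deletes the probe afterwards. Returns true only when
     * it is safe to go ahead and generate ACLs on real znodes.
     */
    static boolean serverAuthenticatesUs(ZooKeeper zk, String parent)
            throws KeeperException, InterruptedException {
        String path = parent + "/acl-probe-" + UUID.randomUUID();
        try {
            zk.create(path, new byte[0], intendedAcl(), CreateMode.EPHEMERAL);
        } catch (KeeperException.InvalidACLException e) {
            // Assumption: the server rejects the "auth" entry when the session carries no
            // authenticated identity (e.g. TLS with ssl.clientAuth=none and no SASL).
            return false;
        }
        try {
            List<ACL> stored = zk.getACL(path, new Stat());
            return boundToAuthenticatedId(stored) && !grantsWorldWrite(stored);
        } finally {
            zk.delete(path, -1);
        }
    }

    public static void main(String[] args) throws Exception {
        String connect = args.length > 0 ? args[0] : "localhost:2181"; // assumed address
        CountDownLatch connected = new CountDownLatch(1);
        ZooKeeper zk = new ZooKeeper(connect, 30_000, event -> {
            if (event.getState() == Watcher.Event.KeeperState.SyncConnected) {
                connected.countDown();
            }
        });
        try {
            if (!connected.await(30, TimeUnit.SECONDS)) {
                throw new IllegalStateException("no ZooKeeper session within 30s");
            }
            if (!serverAuthenticatesUs(zk, "")) {
                throw new IllegalStateException(
                    "ZooKeeper did not authenticate this client; refusing to create ACL'd znodes");
            }
            System.out.println("ZooKeeper authenticated this client; safe to generate ACLs");
        } finally {
            zk.close();
        }
    }
}
```

The probe runs once at startup, on the same session the broker (or ConfigCommand / ZkSecurityMigrator) will use for its real writes, so it sees exactly the authentication state the server applied to that session. Reading the ACL back matters more than the create succeeding: a create that succeeds but comes back with only a world entry, or with world:anyone holding write bits, means the server silently ignored the client certificate and the generated ACLs would protect nothing.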
> Upgrade ZooKeeper to 3.5.7
> --------------------------
>
>                 Key: KAFKA-9515
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9515
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>            Priority: Blocker
>             Fix For: 2.5.0, 2.4.1
>
>
> There are some critical fixes in ZK 3.5.7 and the first RC has been posted:
> [https://mail-archives.apache.org/mod_mbox/zookeeper-dev/202002.mbox/%3cCAGH6_KiULzemT-V4x_2ybWeKLMvQ+eh=q-dzsiz8a-ypp5t...@mail.gmail.com%3e]

--
This message was sent by Atlassian Jira
(v8.3.4#803005)