[ 
https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17033729#comment-17033729
 ] 

Ron Dagostino commented on KAFKA-9515:
--------------------------------------

ZooKeeper 3.5.7 also adds support for the "ssl.clientAuth=[want|need|none]" 
configuration on the ZooKeeper server side.  This means with v3.5.7 client 
certificates become optional (they are required in 3.5.6, which is what shipped 
with AK 2.4 and what will ship with AK 2.5).  As per [this GitHub PR 
conversation for KIP 
515|https://github.com/apache/kafka/pull/8003#discussion_r376476887] (text 
adjusted a bit now that we have more info):

"We need to decide in 3 places (KafkaServer, ConfigCommand, and 
ZkSecurityMigrator) whether or not the ZooKeeper client should generate ACLs in 
ZooKeeper when creating znodes. Prior to the possibility of x509 authentication 
it was easy to decide: was SASL enabled to ZooKeeper or not. Now it is 
supported for SASL to not be enabled but x509 auth to be enabled -- and in that 
case we want to generate ACLs. So in the 3 cases we have to look for this 
possibility. I agree it is entirely possible that ZooKeeper might not 
authenticate the client -- technically in ZK 3.5.6 it is not possible to turn 
that off, but it will be possible in ZK 3.5.7 and beyond. So while with 
ZooKeeper 3.5.6 it isn't an issue, at some point in the future it will be. It 
is possible that ZK might ignore the client certificate, we might generate 
ACLs, and those ACLs might grant access to World. One idea to avoid this is to 
make the connection with ACLs enabled, create a random temporary znode, read 
the ACLs, and check if it is world-enabled; then abort at that point if it is. 
It would probably be a good idea to add this when we upgrade to ZooKeeper 
3.5.7."


> Upgrade ZooKeeper to 3.5.7
> --------------------------
>
>                 Key: KAFKA-9515
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9515
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Ismael Juma
>            Assignee: Ismael Juma
>            Priority: Blocker
>             Fix For: 2.5.0, 2.4.1
>
>
> There are some critical fixes in ZK 3.5.7 and the first RC has been posted:
> [https://mail-archives.apache.org/mod_mbox/zookeeper-dev/202002.mbox/%3cCAGH6_KiULzemT-V4x_2ybWeKLMvQ+eh=q-dzsiz8a-ypp5t...@mail.gmail.com%3e]
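
The probe described in the comment above (connect with ACLs enabled, create a throwaway znode, read back the ACL the server stored, abort if it is world-accessible), written out as an added example in Java against the ZooKeeper 3.5 client API. This is not Kafka's code and not part of PR 8003: the class name, the probe path prefix, the connect string and the keystore paths are placeholders chosen here. It also treats an InvalidACLException on the create as the same failure, since the server refuses an "auth"-scheme ACL from a session it never authenticated.

```java
import java.util.List;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.client.ZKClientConfig;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

/** Hypothetical helper (not Kafka code): checks that ZooKeeper authenticated this session. */
public final class ZkAclProbe {

    // Constructed prefix for the throwaway znode; EPHEMERAL_SEQUENTIAL appends a counter to it.
    private static final String PROBE_PREFIX = "/zk-acl-probe-";

    /** True when any stored entry grants a non-empty permission set to world:anyone. */
    static boolean grantsWorldAccess(List<ACL> acls) {
        for (ACL acl : acls) {
            Id id = acl.getId();
            boolean isWorld = ZooDefs.Ids.ANYONE_ID_UNSAFE.getScheme().equals(id.getScheme())
                    && ZooDefs.Ids.ANYONE_ID_UNSAFE.getId().equals(id.getId());
            if (isWorld && acl.getPerms() != 0) {
                return true;
            }
        }
        return false;
    }

    /**
     * Creates a temporary znode with CREATOR_ALL_ACL (scheme "auth"), reads back the ACL the
     * server actually stored, and throws if that ACL grants access to world. The server expands
     * "auth" to the session's authenticated identity; if it never authenticated us (for example
     * because it ignored our client certificate) the create is rejected with InvalidACLException,
     * which is reported as the same failure. The probe znode is deleted either way.
     */
    static void assertSessionAuthenticated(ZooKeeper zk) throws KeeperException, InterruptedException {
        final String path;
        try {
            path = zk.create(PROBE_PREFIX, new byte[0], ZooDefs.Ids.CREATOR_ALL_ACL,
                    CreateMode.EPHEMERAL_SEQUENTIAL);
        } catch (KeeperException.InvalidACLException e) {
            throw new IllegalStateException(
                    "ZooKeeper did not authenticate this session; refusing to generate ACLs", e);
        }
        try {
            List<ACL> stored = zk.getACL(path, new Stat());
            if (grantsWorldAccess(stored)) {
                throw new IllegalStateException("Probe znode " + path + " is world-accessible: "
                        + stored + "; ZooKeeper is not enforcing client authentication");
            }
        } finally {
            zk.delete(path, -1); // remove the probe whether or not the check passed
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: the connect string and keystore paths are not on the page.
        // Property names are the ZooKeeper client's own system-property keys for TLS.
        ZKClientConfig conf = new ZKClientConfig();
        conf.setProperty("zookeeper.client.secure", "true");
        conf.setProperty("zookeeper.clientCnxnSocket", "org.apache.zookeeper.ClientCnxnSocketNetty");
        conf.setProperty("zookeeper.ssl.keyStore.location", "/path/to/client.keystore.jks");
        conf.setProperty("zookeeper.ssl.keyStore.password", "changeit");
        conf.setProperty("zookeeper.ssl.trustStore.location", "/path/to/client.truststore.jks");
        conf.setProperty("zookeeper.ssl.trustStore.password", "changeit");

        ZooKeeper zk = new ZooKeeper("localhost:2182", 30_000, event -> { }, conf);
        try {
            assertSessionAuthenticated(zk);
            System.out.println("ZooKeeper authenticated this session; safe to generate ACLs");
        } finally {
            zk.close();
        }
    }
}
```

Running the probe once at startup, before any of the three callers (KafkaServer, ConfigCommand, ZkSecurityMigrator) creates real znodes, turns the "ACLs silently granted to World" failure mode into a hard error at connection time rather than a misconfiguration discovered later.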



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
