[ https://issues.apache.org/jira/browse/KAFKA-12866?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Igor Soarez updated KAFKA-12866:
--------------------------------
    Description: 
When a Zookeeper chroot is configured, users do not expect Kafka to need 
Zookeeper access outside of that chroot.
h1. Why is this important?

A zookeeper cluster may be shared with other Kafka clusters or even other 
applications. It is an expected security practice to restrict each 
cluster/application's access to its own Zookeeper chroot.
h1. Steps to reproduce
h2. Zookeeper setup

Using the zkCli, create a chroot for Kafka, make it available to Kafka but lock 
the root znode.

 
{code:java}
[zk: localhost:2181(CONNECTED) 1] create /somechroot
Created /some
[zk: localhost:2181(CONNECTED) 2] setAcl /somechroot world:anyone:cdrwa
[zk: localhost:2181(CONNECTED) 3] addauth digest test:12345
[zk: localhost:2181(CONNECTED) 4] setAcl / digest:test:Mx1uO9GLtm1qaVAQ20Vh9ODgACg=:cdrwa
{code}
 
h2. Kafka setup

Configure the chroot in broker.properties:

 
{code:java}
zookeeper.connect=localhost:2181/somechroot{code}
 

 
h2. Expected behavior

The expected behavior here is that Kafka will use the chroot without issues.
h2. Actual result

Kafka fails to start with a fatal exception:
{code:java}
    org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /chroot
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
        at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
        at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:583)
        at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)
        at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)
        at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1957)
        at kafka.zk.ZkClientAclTest.testChrootExistsAndRootIsLocked(ZkClientAclTest.scala:60)
{code}
 

 

  was:
When a Zookeeper chroot is configured, users do not expect Kafka to need 
Zookeeper access outside of that chroot.
h1. Why is this important?

A zookeeper cluster may be shared with other Kafka clusters or even other 
applications. It is an expected security practice to restrict each 
cluster/application's access to its own Zookeeper chroot.
h1. Steps to reproduce
h2. Zookeeper setup

Using the zkCli, create a chroot for Kafka, make it available to Kafka but lock 
the root znode.

{{ [zk: localhost:2181(CONNECTED) 1] create /somechroot }}
{{ Created /some}}
{{ [zk: localhost:2181(CONNECTED) 2] setAcl /somechroot world:anyone:cdrwa}}
{{ [zk: localhost:2181(CONNECTED) 3] addauth digest test:12345}}
{{ [zk: localhost:2181(CONNECTED) 4] setAcl / digest:test:Mx1uO9GLtm1qaVAQ20Vh9ODgACg=:cdrwa}}
h2. Kafka setup

Configure the chroot in broker.properties:

{{zookeeper.connect=localhost:2181/somechroot}}
h2. Expected behavior

The expected behavior here is that Kafka will use the chroot without issues.
h2. Actual result

Kafka fails to start with a fatal exception:

{{ org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /chroot}}
{{ at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)}}
{{ at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)}}
{{ at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:583)}}
{{ at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)}}
{{ at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)}}
{{ at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1957)}}
{{ at kafka.zk.ZkClientAclTest.testChrootExistsAndRootIsLocked(ZkClientAclTest.scala:60)}}

 

 


> Kafka requires ZK root access even when using a chroot
> ------------------------------------------------------
>
>                 Key: KAFKA-12866
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12866
>             Project: Kafka
>          Issue Type: Bug
>          Components: core, zkclient
>    Affects Versions: 2.6.1, 2.8.0, 2.7.1, 2.6.2
>            Reporter: Igor Soarez
>            Priority: Major
>
> When a Zookeeper chroot is configured, users do not expect Kafka to need 
> Zookeeper access outside of that chroot.
> h1. Why is this important?
> A zookeeper cluster may be shared with other Kafka clusters or even other 
> applications. It is an expected security practice to restrict each 
> cluster/application's access to its own Zookeeper chroot.
> h1. Steps to reproduce
> h2. Zookeeper setup
> Using the zkCli, create a chroot for Kafka, make it available to Kafka but 
> lock the root znode.
>  
> {code:java}
> [zk: localhost:2181(CONNECTED) 1] create /somechroot
> Created /some
> [zk: localhost:2181(CONNECTED) 2] setAcl /somechroot world:anyone:cdrwa
> [zk: localhost:2181(CONNECTED) 3] addauth digest test:12345
> [zk: localhost:2181(CONNECTED) 4] setAcl / digest:test:Mx1uO9GLtm1qaVAQ20Vh9ODgACg=:cdrwa
> {code}
>  
> h2. Kafka setup
> Configure the chroot in broker.properties:
>  
> {code:java}
> zookeeper.connect=localhost:2181/somechroot{code}
>  
>  
> h2. Expected behavior
> The expected behavior here is that Kafka will use the chroot without issues.
> h2. Actual result
> Kafka fails to start with a fatal exception:
> {code:java}
>     org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /chroot
>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)
>         at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
>         at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:583)
>         at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)
>         at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)
>         at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1957)
>         at kafka.zk.ZkClientAclTest.testChrootExistsAndRootIsLocked(ZkClientAclTest.scala:60)
> {code}
>  
>  
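
An added sketch, not part of the original report and not Kafka or ZooKeeper code: ZooKeeper authorizes a create against the CREATE bit of the parent znode's ACL, and in this model that check runs before the existence check, which yields NoAuth for a chroot that already exists under a locked root. All class and function names are hypothetical, the tree is an in-memory model, and treating exists as needing no permission is an assumption of the sketch.

```python
# Added illustration: in-memory model, not ZooKeeper or Kafka code.
WORLD = ("world", "anyone")

class NoAuth(Exception): pass
class NodeExists(Exception): pass

class ZkModel:
    """Znode path -> ACL, where an ACL is {(scheme, id): perms}."""
    def __init__(self):
        self.acl = {"/": {WORLD: "cdrwa"}}

    def _allowed(self, path, perm, ident):
        acl = self.acl[path]
        return any(perm in acl.get(who, "") for who in (WORLD, ident))

    def exists(self, path):
        # Assumption of this sketch: exists needs no permission.
        return path in self.acl

    def create(self, path, ident=None, acl=None):
        parent = path.rsplit("/", 1)[0] or "/"
        # The CREATE bit on the parent is checked first ...
        if not self._allowed(parent, "c", ident):
            raise NoAuth(path)
        # ... and only then whether the child is already there.
        if path in self.acl:
            raise NodeExists(path)
        self.acl[path] = acl or {WORLD: "cdrwa"}

    def set_acl(self, path, acl, ident=None):
        if not self._allowed(path, "a", ident):
            raise NoAuth(path)
        self.acl[path] = acl

def ensure_unconditional(zk, path):
    """Always issue create and treat NodeExists as success."""
    try:
        zk.create(path)
    except NodeExists:
        pass

def ensure_exists_first(zk, path):
    """Only create when the znode is missing."""
    if not zk.exists(path):
        zk.create(path)

def locked_root_setup():
    # Mirrors the zkCli steps from the report; the digest id is shortened.
    zk = ZkModel()
    zk.create("/somechroot")
    admin = ("digest", "test")
    zk.set_acl("/", {admin: "cdrwa"}, ident=admin)
    return zk
```

With the root locked, `ensure_unconditional(zk, "/somechroot")` raises `NoAuth`, while `ensure_exists_first` returns without touching the root ACL.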


