kafka-users mailing list archives

From Rob Anderson <rockclimbings...@gmail.com>
Subject Fwd: Authentication using SASL/Kerberos and znode permissions
Date Thu, 30 Mar 2017 20:17:31 GMT
Hello,

I've implemented authentication using SASL/Kerberos on
kafka_2.12-0.10.2.0.  Everything is working fine; however, I've noticed
that the kafka-acl znode is world readable / writable.  So, couldn't anyone
just bypass security by modifying the znode via ZooKeeper, granting their
principal access to a given topic?  You could also just delete the znode,
which would remove all of the defined ACLs.

I do see permissions are proper on other znodes, for example
/brokers/topics/__consumer_offsets.  Am I missing something?  Are admins
manually tweaking permissions on the kafka-acl znode to prevent this?
Any information you can offer is appreciated.

Thanks,

Rob

ACL set:

[zk: kafka01.hadoop.test.com(CONNECTED) 15] getAcl /kafka-acl
'world,'anyone
: cdrwa

[zk: kafka01.hadoop.test.com(CONNECTED) 22] getAcl /brokers/topics/__consumer_offsets
'world,'anyone
: r
'sasl,'kafka-client@HADOOP.TEST.COM
: cdrwa
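
The getAcl output quoted above is exactly the check that matters: a 'world,'anyone entry carrying c, d, w or a means any client that can reach the ZooKeeper ensemble can alter or delete that znode, whatever SASL the Kafka brokers enforce. The following shell audit is an added example (it is not from the post and is not Kafka's own tooling): it parses zkCli-style getAcl output and reports znodes whose world entry grants more than read. The two sample inputs are the results quoted above, constructed inline; the host, port and path list in the commented live-run loop are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not part of the mailing-list post): audit zkCli "getAcl"
# output for znodes whose 'world,'anyone entry grants more than read.
# Permission letters in zkCli output: c=create d=delete r=read w=write a=admin.

# world_writable PATH  -- reads getAcl output on stdin.
# Prints "PATH<TAB>PERMS" if the world entry has any of c, d, w, a;
# prints nothing otherwise. Always returns 0 so it is safe under set -e.
world_writable() {
  local path="$1" line in_world=0 perms
  while IFS= read -r line; do
    case "$line" in
      "'world,'anyone"*) in_world=1 ;;   # the next ": ..." line holds the world perms
      "'"*)              in_world=0 ;;   # some other scheme (sasl, digest, ip, ...)
      ": "*)
        if [ "$in_world" -eq 1 ]; then
          perms="${line#: }"
          case "$perms" in
            *[cdwa]*) printf '%s\t%s\n' "$path" "$perms" ;;
          esac
          in_world=0
        fi ;;
    esac
  done
  return 0
}

# Constructed samples: the two getAcl results quoted in the post
# (log noise that zkCli prints around them is ignored by the parser).
sample_kafka_acl() {
  printf '%s\n' "'world,'anyone" ": cdrwa"
}
sample_consumer_offsets() {
  printf '%s\n' "'world,'anyone" ": r" "'sasl,'kafka-client@HADOOP.TEST.COM" ": cdrwa"
}

# Runs the audit over both samples; only /kafka-acl should be reported.
audit_samples() {
  sample_kafka_acl | world_writable /kafka-acl
  sample_consumer_offsets | world_writable /brokers/topics/__consumer_offsets
}

# Live use against a real ensemble (assumed host:port and path list;
# zkCli.sh accepts a command as trailing arguments):
#   for p in /kafka-acl /brokers/topics/__consumer_offsets; do
#     bin/zkCli.sh -server kafka01.hadoop.test.com:2181 getAcl "$p" 2>/dev/null | world_writable "$p"
#   done

audit_samples
```

The parser keys on the two-line shape zkCli uses (scheme:id on one line, ": perms" on the next), so a world entry of plain "r" passes while "cdrwa" is reported. Run it over every path under the Kafka chroot, not just the two in the post, since a single world-writable node that the brokers trust undoes the SASL setup on the broker side.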
