[
https://issues.apache.org/jira/browse/KAFKA-15243?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Manikumar resolved KAFKA-15243.
-------------------------------
Fix Version/s: 3.6.0
Resolution: Fixed
> User creation mismatch
> ----------------------
>
> Key: KAFKA-15243
> URL: https://issues.apache.org/jira/browse/KAFKA-15243
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 3.3.2
> Reporter: Sergio Troiano
> Assignee: Sergio Troiano
> Priority: Major
> Labels: kafka-source
> Fix For: 3.6.0
>
>
> We found the Kafka users were not created properly, so let's suppose we
> create the user myuser@myuser.com
>
> COMMAND:
> {code:java}
> /etc/new_kafka/bin/kafka-configs.sh --bootstrap-server localhost:9092 \
> --alter --add-config \
> 'SCRAM-SHA-256=[iterations=4096,password=blabla],SCRAM-SHA-256=[password=blabla]' \
> --entity-type users --entity-name myuser@myuser.com{code}
> RESPONSE:
> {code:java}
> Completed updating config for user myuser@myuser.com{code}
> When listing the users I see the user was created as an encoded string
> COMMAND
> {code:java}
> kafka-configs.sh --bootstrap-server localhost:9092 --describe --entity-type users \
> | grep myuser {code}
> RESPONSE
> {code:java}
> SCRAM credential configs for user-principal 'myuser%40myuser.com' are
> SCRAM-SHA-256=iterations=8192, SCRAM-SHA-512=iterations=4096 {code}
>
> So basically the user is being "sanitized", giving a false OK to the
> requester. The requested user does not exist as it should; the encoded one
> is created instead.
>
> I dug deep into the code until I found this is happening in
> ZkAdminManager.scala on this line
>
> {code:java}
> adminZkClient.changeConfigs(ConfigType.User, Sanitizer.sanitize(user),
> configsByPotentiallyValidUser(user)) {code}
> So removing the Sanitizer fixes the problem, but I have a couple of doubts.
> I checked: we sanitize because of some JMX metrics, but in this case I don't
> know if this is really needed. Supposing it is needed, I think we should
> forbid creating users with characters that will be encoded.
> Even worse, after creating a user we generally create ACLs, and they are
> created properly without encoding the characters; this creates a mismatch
> between the user and the ACLs.
>
>
> So I can work on fixing this, but I think we need to decide:
>
> A) We forbid creating users with characters that will be encoded, so we fail
> at the user creation step.
>
> B) We allow user creation with special characters and remove the
> Sanitizer.sanitize(user) from the 2 places where it shows up in the file
> ZkAdminManager.scala.
>
>
> And of course if we go for B we need to create the tests.
> Please let me know what you think and I can work on it.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
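The following is an added example, not code from the Jira issue or from Kafka itself. It models the mismatch the reporter describes: credentials written under the sanitized (percent-encoded) principal while ACLs are written under the raw principal, so a user such as `myuser@myuser.com` can either fail to log in or log in under a name that matches no ACL. The `sanitize` function is an assumed approximation of Kafka's `Sanitizer.sanitize` (URL-encoding, with `*` encoded because it is a pattern character in JMX ObjectNames), the `Cluster` class is a constructed in-memory stand-in for the ZooKeeper user-config and ACL stores, and `encoded_chars` is the preflight check option A would need; `find_mismatches` is the audit an operator would run against an already affected cluster.

```python
"""Model of the KAFKA-15243 user/ACL mismatch (added example, not Kafka code)."""
import re
from urllib.parse import quote, unquote


def sanitize(name):
    """Assumed approximation of Kafka's Sanitizer.sanitize: percent-encode
    everything except unreserved characters so the name is safe as a
    ZooKeeper path segment and a JMX ObjectName ('*' is a pattern there)."""
    return quote(name, safe="-_.").replace("*", "%2A")


def desanitize(name):
    return unquote(name)


ENCODED = re.compile(r"%[0-9A-Fa-f]{2}")


def encoded_chars(name):
    """Characters in `name` that sanitize() would encode (option A preflight)."""
    return sorted({c for c in name if sanitize(c) != c})


class Cluster:
    """Constructed stand-in for the user-config and ACL stores."""

    def __init__(self, sanitize_on_write):
        self.sanitize_on_write = sanitize_on_write  # True reproduces the bug
        self.scram = {}   # stored user name -> SCRAM config
        self.acls = set()  # (principal, resource, operation)

    def alter_user(self, principal, config):
        # ZkAdminManager wrote under Sanitizer.sanitize(user); the fix writes
        # under the raw name. Returns the name --describe would list.
        key = sanitize(principal) if self.sanitize_on_write else principal
        self.scram[key] = dict(config)
        return key

    def add_acl(self, principal, resource, op):
        # kafka-acls never sanitized, so ACLs carry the raw principal.
        self.acls.add((principal, resource, op))

    def login(self, name):
        # SCRAM lookup is by the exact user name the client presents.
        return name if name in self.scram else None

    def authorize(self, principal, resource, op):
        return (principal, resource, op) in self.acls


def find_mismatches(cluster):
    """Credential entries stored under an encoded name whose ACLs exist only
    under the decoded name: the users this bug silently broke."""
    acl_principals = {p for p, _, _ in cluster.acls}
    found = []
    for stored in cluster.scram:
        if ENCODED.search(stored):
            raw = desanitize(stored)
            if raw in acl_principals and stored not in acl_principals:
                found.append((stored, raw))
    return found


def demo(buggy):
    """Create a user and an ACL, then try both names a client might use."""
    c = Cluster(sanitize_on_write=buggy)
    requested = "myuser@myuser.com"
    stored = c.alter_user(requested, {"SCRAM-SHA-256": {"iterations": 4096}})
    c.add_acl(requested, "topic:orders", "Read")
    # Path 1: the client authenticates with the name the operator asked for.
    p = c.login(requested)
    read_as_requested = p is not None and c.authorize(p, "topic:orders", "Read")
    # Path 2: the operator copies the encoded name shown by --describe.
    p2 = c.login(stored)
    read_as_stored = p2 is not None and c.authorize(p2, "topic:orders", "Read")
    return stored, read_as_requested, read_as_stored, find_mismatches(c)


if __name__ == "__main__":
    print("buggy:", demo(True))
    print("fixed:", demo(False))
```

With the sanitizing write path, both login attempts end without Read access: the requested name has no credential, and the encoded name has credentials but no ACL. Without sanitization on write the requested name works end to end, and the audit reports nothing.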