[jira] [Commented] (KAFKA-4943) SCRAM secret's should be better protected with Zookeeper ACLs

Thu, 23 Mar 2017 09:39:07 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15938726#comment-15938726
 ] 

Rajini Sivaram commented on KAFKA-4943:
---------------------------------------

The current SCRAM implementation uses the default ACL settings for Kafka with 
the expectation that SCRAM credentials are stored in Zookeeper only in 
installations where Zookeeper is safe (secure disk, network segmentation to 
restrict access etc.). Since ZK traffic is not encrypted, is would be unsafe to 
use ZK as the credential store in clusters where ZK is not fully secure. KIP-86 
(https://cwiki.apache.org/confluence/display/KAFKA/KIP-86%3A+Configurable+SASL+callback+handlers)
 will enable a pluggable credential store for environments where ZK is 
insecure. Having said that, we could probably do better for the default case as 
suggested here.

> SCRAM secret's should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does 
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running security migrator, for some reason 
> /kafka/config/users is ignored, but others are fixed..
> Even if these where to be stored with secure ZkUtils#DefaultAcls, they would 
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to