[ https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15939888#comment-15939888 ]
Johan Ström commented on KAFKA-4943:
------------------------------------

I agree, it won't be totally secure unless Zk is totally secure, but this more or less requires that the Zk instance is dedicated to only Kafka in order to be "secure". In my current setup I have a "secure" Zk, in terms of private networks etc., but there are still other (legit) applications which have access to their parts of the Zookeeper tree. No need for them to be able to snoop on all SCRAM credentials, even if there are some other potential attack vectors if they happen to be on the network close to the brokers/zk servers.

So yes, looking forward to some tighter ACLs :)

If not (or until fixed), this should be mentioned in the docs, as they currently have the following phrase: "The metadata stored in ZooKeeper for the Kafka cluster is world-readable, but can only be modified by the brokers. The rationale behind this decision is that the data stored in ZooKeeper is not sensitive, but inappropriate manipulation of that data can cause cluster disruption."
> SCRAM secrets should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running security migrator, for some reason
> /kafka/config/users is ignored, but others are fixed..
> Even if these were to be stored with secure ZkUtils#DefaultAcls, they would
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
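The ticket's evidence is plain `getAcl` output, which makes it easy to turn into a repeatable audit: walk the znodes under the Kafka users config root, confirm which of them actually hold SCRAM credentials, and flag every one whose ACL grants `'world,'anyone` read access. The script below is an added example, not code from the ticket or from the Kafka project; it parses the zkCli `getAcl` and `get` output formats shown in the issue, and the sample output embedded in it is constructed to mirror the four paths from the ticket (the function names, the `users_root` parameter and the sample dictionary are all assumptions of this example).

```python
"""Audit ZooKeeper ACLs on Kafka SCRAM credential znodes (added example).

Parses zkCli-style `getAcl <path>` output for a set of znodes and reports every
znode under the Kafka users config root that anyone on the network can read.
The sample output below is constructed to mirror the KAFKA-4943 report.
"""
import json
import re
from dataclasses import dataclass

# Constructed sample: text that `getAcl` printed for four znodes in the ticket.
SAMPLE_GETACL_OUTPUT = {
    "/kafka/config/users/alice": "'world,'anyone\n: cdrwa\n",
    "/kafka/config/users": "'world,'anyone\n: cdrwa\n",
    "/kafka": "'world,'anyone\n: r\n'sasl,'bob\n: cdrwa\n",
    "/kafka/config/changes": "'world,'anyone\n: r\n'sasl,'bob\n: cdrwa\n",
}

# Constructed sample: the znode data shown in the ticket for user "alice".
SAMPLE_USER_ZNODE = (
    '{"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,'
    'stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,'
    'server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,'
    'iterations=4096"}}'
)


@dataclass(frozen=True)
class AclEntry:
    scheme: str   # e.g. "world" or "sasl"
    id: str       # e.g. "anyone" or a SASL principal
    perms: str    # subset of "cdrwa" (create, delete, read, write, admin)


def parse_getacl(text):
    """Parse getAcl output: pairs of lines "'scheme,'id" followed by ": perms"."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("getAcl output must come in id/permission line pairs")
    entries = []
    for ident, perms in zip(lines[0::2], lines[1::2]):
        m = re.fullmatch(r"'([^,]+),'(.*)", ident)
        p = re.fullmatch(r":\s*([cdrwa]+)", perms)
        if not (m and p):
            raise ValueError(f"unexpected getAcl lines: {ident!r} / {perms!r}")
        entries.append(AclEntry(m.group(1), m.group(2), p.group(1)))
    return entries


def world_readable(entries):
    """True if the unauthenticated 'world:anyone' identity holds read permission."""
    return any(e.scheme == "world" and e.id == "anyone" and "r" in e.perms
               for e in entries)


def credential_mechanisms(znode_data):
    """Return the SCRAM mechanisms whose credentials are stored in a user znode."""
    config = json.loads(znode_data).get("config", {})
    return sorted(k for k in config if k.startswith("SCRAM-"))


def audit(getacl_by_path, users_root="/kafka/config/users"):
    """Return the paths at or below users_root whose ACL lets anyone read them."""
    findings = []
    for path, text in sorted(getacl_by_path.items()):
        in_scope = path == users_root or path.startswith(users_root + "/")
        if in_scope and world_readable(parse_getacl(text)):
            findings.append(path)
    return findings


if __name__ == "__main__":
    print("SCRAM mechanisms in alice's znode:", credential_mechanisms(SAMPLE_USER_ZNODE))
    for path in audit(SAMPLE_GETACL_OUTPUT):
        print(f"WORLD-READABLE credential path: {path}")
```

Run against the ticket's sample, the audit flags `/kafka/config/users` and `/kafka/config/users/alice` while leaving `/kafka` and `/kafka/config/changes` alone, even though those two are also world-readable: the point of the check is that the users subtree carries `stored_key` and `server_key` material and so deserves a stricter ACL than the rest of the Kafka metadata, which the docs quoted in the comment above describe as non-sensitive. In a live cluster you would feed `audit()` the real `getAcl` output for every child of the users root rather than the constructed dictionary.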