[ https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15939916#comment-15939916 ]
Stephane Maarek commented on KAFKA-4943:
----------------------------------------

[~rsivaram] if Zookeeper has only cdrwa by the kafka broker, and just no world : r permission, wouldn't that fix any concerns with a world-opened zookeeper?

> SCRAM secrets should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running security migrator, for some reason
> /kafka/config/users is ignored, but others are fixed.
> Even if these were to be stored with secure ZkUtils#DefaultAcls, they would
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
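The thread turns on two ACL states: the world-readable credential znodes the reporter shows, and the "broker-only cdrwa, no world:r" ACL the comment proposes. The script below is an added example, not code from the issue or from the Kafka project. It parses a zkCli `getAcl` transcript in the format quoted above and audits it against that proposed policy: any `world` entry on a node under the credential subtree is a finding, while on other nodes (where Kafka's secure defaults leave `world:r`) only write, create, delete or admin permission for `world` is flagged. The `/kafka/config/users` prefix comes from the issue; the extra `/kafka/config/users/carol` node, which carries only a SASL principal, is constructed to show a node that passes.

```python
"""Audit ZooKeeper ACLs copied from zkCli `getAcl` output.

Added example for KAFKA-4943; not part of the issue or of Apache Kafka.
"""
import re
from dataclasses import dataclass

# Constructed sample: the getAcl transcript quoted in the issue, plus one
# hypothetical node (carol) that already has the broker-only ACL the
# comment proposes.
SAMPLE_GETACL_OUTPUT = """\
getAcl /kafka/config/users/alice
'world,'anyone
: cdrwa
getAcl /kafka/config/users
'world,'anyone
: cdrwa
getAcl /kafka
'world,'anyone
: r
'sasl,'bob
: cdrwa
getAcl /kafka/config/changes
'world,'anyone
: r
'sasl,'bob
: cdrwa
getAcl /kafka/config/users/carol
'sasl,'bob
: cdrwa
"""


@dataclass(frozen=True)
class AclEntry:
    scheme: str   # e.g. "world", "sasl", "digest"
    id: str       # e.g. "anyone", "bob"
    perms: str    # subset of "cdrwa"


# zkCli prints each ACL entry as two lines: "'scheme,'id" then ": perms".
_ID_LINE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.*)$")
_PERM_LINE = re.compile(r"^:\s*(?P<perms>[cdrwa]+)$")


def parse_getacl(text):
    """Return {znode_path: [AclEntry, ...]} from concatenated getAcl output."""
    acls = {}
    current = None   # znode whose entries are being read
    pending = None   # (scheme, id) waiting for its ": perms" line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("getAcl "):
            current = line[len("getAcl "):].strip()
            acls[current] = []
            pending = None
            continue
        m = _ID_LINE.match(line)
        if m:
            pending = (m.group("scheme"), m.group("id"))
            continue
        m = _PERM_LINE.match(line)
        if m and current is not None and pending is not None:
            acls[current].append(AclEntry(pending[0], pending[1], m.group("perms")))
            pending = None
            continue
        raise ValueError(f"unrecognised getAcl line: {raw!r}")
    return acls


def audit(acls, secret_prefixes=("/kafka/config/users",)):
    """Return (path, reason, perms) findings, sorted by path.

    Policy (an assumption, following the comment's proposal): credential
    znodes must carry no 'world' entry at all; elsewhere 'world' may keep
    read-only access, matching Kafka's secure default ACLs.
    """
    findings = []
    for path, entries in sorted(acls.items()):
        is_secret = any(path == p or path.startswith(p + "/") for p in secret_prefixes)
        for e in entries:
            if e.scheme != "world":
                continue
            if is_secret:
                findings.append((path, "credential znode accessible by world", e.perms))
            elif set(e.perms) - {"r"}:
                findings.append((path, "world has write/create/delete/admin", e.perms))
    return findings


if __name__ == "__main__":
    for path, reason, perms in audit(parse_getacl(SAMPLE_GETACL_OUTPUT)):
        print(f"{path}: {reason} ({perms})")
```

Run against the quoted transcript, the audit reports `/kafka/config/users` and `/kafka/config/users/alice` (world has `cdrwa`) and is silent on `/kafka` and `/kafka/config/changes`, whose `world:r` matches the secure defaults, and on the constructed `carol` node. To audit a real ensemble, pipe the output of `zkCli.sh getAcl` for each znode of interest into `parse_getacl`.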