[jira] [Commented] (KAFKA-4943) SCRAM secret's should be better protected with Zookeeper ACLs

Fri, 24 Mar 2017 11:00:06 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-4943?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15940828#comment-15940828
 ] 

ASF GitHub Bot commented on KAFKA-4943:
---------------------------------------

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/2733

    KAFKA-4943: Make /config/users with SCRAM credentials not world-readable

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-4943

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/2733.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #2733
    
----
commit 8ab3c5ab5787e795bff779354ad34ca1921107a1
Author: Rajini Sivaram <rajinisiva...@googlemail.com>
Date:   2017-03-24T15:44:49Z

    KAFKA-4943: Make /config/users with SCRAM credentials not world-readable

----


> SCRAM secret's should be better protected with Zookeeper ACLs
> -------------------------------------------------------------
>
>                 Key: KAFKA-4943
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4943
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Johan Ström
>            Assignee: Rajini Sivaram
>
> With the new SCRAM authenticator the secrets are stored in Zookeeper:
> {code}
> get /kafka/config/users/alice
> {"version":1,"config":{"SCRAM-SHA-512":"salt=ODhnZjNkdWZibTV1cG1zdnV6bmh6djF3Mg==,stored_key=BAbHWHuGEb4m5+U+p0M9oFQmOPhU6M7q5jtZY8deDDoZCvxaqVNLz41yPzdgcp1WpiEBmfwYOuFlo9hMFKM7mA==,server_key=JW3KhpMeyUgh0OAC0kejuFUvUSlXBv/Z68tlfOWcMw5f5jrBwyBnjNQ9VZsSYz1AcI9IYaQ5S6H3yN39SieNiA==,iterations=4096"}}
> {code}
> These are stored without any ACL, and zookeeper-security-migration.sh does 
> not seem to change that either:
> {code}
> getAcl /kafka/config/users/alice
> 'world,'anyone
> : cdrwa
> getAcl /kafka/config/users
> 'world,'anyone
> : cdrwa
> getAcl /kafka
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> getAcl /kafka/config/changes
> 'world,'anyone
> : r
> 'sasl,'bob
> : cdrwa
> {code}
> The above output is after running security migrator, for some reason 
> /kafka/config/users is ignored, but others are fixed..
> Even if these where to be stored with secure ZkUtils#DefaultAcls, they would 
> be world readable.
> From my (limited) point of view, they should be readable by Kafka only.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Reply via email to