[
https://issues.apache.org/jira/browse/KAFKA-4814?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15953384#comment-15953384
]
Balint Molnar commented on KAFKA-4814:
--------------------------------------
[~ijuma] Something odd happening here, or I don't understand something. There
is a ZkUtils constructor where we have a parameter isZkSecurityEnabled
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/utils/ZkUtils.scala#L80
. We are giving value to this parameter from two different? thing. First we
are using the zookeeper.set.acl value for example in class
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaServer.scala#L325
and we are also using the JaasUtils.isZkSecurityEnabled method for example in
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/ConfigCommand.scala#L61
I think these are separate things which we need to handle differently. Or am I
missing something here?
> ZookeeperLeaderElector not respecting zookeeper.set.acl
> -------------------------------------------------------
>
> Key: KAFKA-4814
> URL: https://issues.apache.org/jira/browse/KAFKA-4814
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.10.1.1
> Reporter: Stevo Slavic
> Assignee: Balint Molnar
> Labels: newbie
> Fix For: 0.11.0.0, 0.10.2.1
>
>
> By [migration
> guide|https://kafka.apache.org/documentation/#zk_authz_migration] for
> enabling ZooKeeper security on an existing Apache Kafka cluster, and [broker
> configuration
> documentation|https://kafka.apache.org/documentation/#brokerconfigs] for
> {{zookeeper.set.acl}} configuration property, when this property is set to
> false Kafka brokers should not be setting any ACLs on ZooKeeper nodes, even
> when JAAS config file is provisioned to broker.
> Problem is that there is broker side logic, like one in
> {{ZookeeperLeaderElector}} making use of {{JaasUtils#isZkSecurityEnabled}},
> which does not respect this configuration property, resulting in ACLs being
> set even when there's just JAAS config file provisioned to Kafka broker while
> {{zookeeper.set.acl}} is set to {{false}}.
> Notice that {{JaasUtils}} is in {{org.apache.kafka.common.security}} package
> of {{kafka-clients}} module, while {{zookeeper.set.acl}} is broker side only
> configuration property.
> To make it possible without downtime to enable ZooKeeper authentication on
> existing cluster, it should be possible to have all Kafka brokers in cluster
> first authenticate to ZooKeeper cluster, without ACLs being set. Only once
> all ZooKeeper clients (Kafka brokers and others) are authenticating to
> ZooKeeper cluster then ACLs can be started being set.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
