[jira] [Created] (KAFKA-12866) Kafka requires ZK root access even when using a chroot

Sun, 30 May 2021 07:35:10 -0700 

Igor Soarez created KAFKA-12866:
-----------------------------------

             Summary: Kafka requires ZK root access even when using a chroot
                 Key: KAFKA-12866
                 URL: https://issues.apache.org/jira/browse/KAFKA-12866
             Project: Kafka
          Issue Type: Bug
          Components: core, zkclient
    Affects Versions: 2.6.2, 2.7.1, 2.8.0, 2.6.1
            Reporter: Igor Soarez


When a Zookeeper chroot is configured, users do not expect Kafka to need 
Zookeeper access outside of that chroot.
h1. Why is this important?

A zookeeper cluster may be shared with other Kafka clusters or even other 
applications. It is an expected security practice to restrict each 
cluster/application's access to it's own Zookeeper chroot.
h1. Steps to reproduce
h2. Zookeeper setup

Using the zkCli, create a chroot for Kafka, make it available to Kafka but lock 
the root znode.

{{ [zk: localhost:2181(CONNECTED) 1] create /somechroot }}
{{ Created /some}}
{{ [zk: localhost:2181(CONNECTED) 2] setAcl /somechroot world:anyone:cdrwa}}
{{ [zk: localhost:2181(CONNECTED) 3] addauth digest test:12345}}
{{ [zk: localhost:2181(CONNECTED) 4] setAcl / 
digest:test:Mx1uO9GLtm1qaVAQ20Vh9ODgACg=:cdrwa}}
h2. Kafka setup

Configure the chroot in broker.properties:

{{zookeeper.connect=localhost:2181/somechroot}}
h2. Expected behavior

The expected behavior here is that Kafka will use the chroot without issues.
h2. Actual result

Kafka fails to start with a fatal exception:

{{ org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = 
NoAuth for /chroot}}
{{ at org.apache.zookeeper.KeeperException.create(KeeperException.java:120)}}
{{ at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)}}
{{ at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:583)}}
{{ at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1729)}}
{{ at 
kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1627)}}
{{ at kafka.zk.KafkaZkClient$.apply(KafkaZkClient.scala:1957)}}
{{ at 
kafka.zk.ZkClientAclTest.testChrootExistsAndRootIsLocked(ZkClientAclTest.scala:60)}}

 

 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to