[
https://issues.apache.org/jira/browse/KAFKA-12987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
chenzongyi updated KAFKA-12987:
-------------------------------
Description:
Access can be attempted repeatedly with a wrong password; there is no brute-force protection:
When the kafka-server's properties are set to
sasl.mechanism.inter.broker.protocol=PLAIN and sasl.enabled.mechanisms=PLAIN, I
have to create a SASL PLAIN account, such as sasl_plain_username: nvwa,
sasl_plain_password='right_password', but when I try to use a wrong password for the
kafka-client to connect to the kafka-server several times (more than 100), it seems
there is no mechanism to avoid brute force. Here is my code:
import ssl
import six
import json
from FSSecurity import crypt
from kafka import KafkaProducer

context = ssl.SSLContext(ssl.PROTOCOL_SSLv23)

# Read the real SASL password from the platform config and derive a wrong one from it
with open('/etc/huawei/fusionsphere/kafka.kafka/cfg/kafka.kafka.cfg', 'r') as fd:
    data = json.load(fd)
right_password = crypt.decrypt(data['sasl_plain_password'])
wrong_password = right_password + '1'

PRODUCER_CONF = {'sasl_mechanism': 'PLAIN', 'security_protocol': 'SASL_SSL',
                 'acks': 1, 'retries': 5, 'sasl_plain_username': 'nvwa',
                 'bootstrap_servers': ['172.28.9.200:9092'], 'ssl_context': context,
                 'sasl_plain_password': wrong_password}

count = 0
while True:
    try:
        count += 1
        producer = KafkaProducer(**PRODUCER_CONF)
        break
    except Exception:
        # After 100 rejected attempts switch to the right password; the broker
        # still accepts it, i.e. the failed attempts triggered no lockout
        if count == 100:
            PRODUCER_CONF = {'sasl_mechanism': 'PLAIN', 'security_protocol':
                             'SASL_SSL', 'acks': 1, 'retries': 5, 'sasl_plain_username': 'nvwa',
                             'bootstrap_servers': ['172.28.9.200:9092'], 'ssl_context': context,
                             'sasl_plain_password': right_password}

num = 0
for i in range(10):
    msgs = 'message_' + str(num)
    num += 1
    producer.send('czy', six.ensure_binary(msgs), partition=0).get()
    print('send message success')
was: Access can be attempted repeatedly with a wrong password; there is no brute-force protection
> Kafka user accounts have no brute-force protection for passwords
> -----------------
>
> Key: KAFKA-12987
> URL: https://issues.apache.org/jira/browse/KAFKA-12987
> Project: Kafka
> Issue Type: Improvement
> Components: admin
> Affects Versions: 2.7.1
> Reporter: chenzongyi
> Priority: Major
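Since the broker itself imposes no lockout, the practical mitigation is to detect repeated SASL failures in the broker log and throttle or block the source upstream. The following is an added example (not the reporter's code and not part of Kafka): it counts "Failed authentication" lines per client address in a sliding window; the log line layout is assumed from Kafka 2.x log4j defaults, the threshold and window are illustrative, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Broker line for a rejected SASL handshake; layout assumed from Kafka 2.x defaults:
# [<timestamp>] INFO [SocketServer ...] Failed authentication with /<ip> (<reason>) (...)
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\] INFO "
    r"(?:\[[^\]]*\] )?Failed authentication with /(?P<ip>[\d.]+) \((?P<reason>[^)]*)\)"
)

def find_bruteforce_sources(lines, threshold=20, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for every source whose failed SASL
    authentications within any sliding `window` reach `threshold`."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue  # unrelated broker output (startup, rebalance, ...)
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
        q = recent[m["ip"]]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

def make_sample_log(ip, n, start, step_s):
    """Constructed broker log lines: n failures from ip, step_s seconds apart."""
    return [
        f"[{(start + timedelta(seconds=i * step_s)).strftime('%Y-%m-%d %H:%M:%S,%f')[:-3]}] "
        f"INFO [SocketServer brokerId=0] Failed authentication with /{ip} "
        "(Authentication failed: Invalid username or password) "
        "(org.apache.kafka.common.network.Selector)"
        for i in range(n)
    ]

# Constructed sample: a burst of 25 failures in 25 s, plus three stray failures and one benign line
T0 = datetime(2021, 6, 28, 10, 0, 0)
SAMPLE_LINES = (
    make_sample_log("10.0.0.5", 25, T0, 1)
    + make_sample_log("10.0.0.6", 3, T0, 1)
    + ["[2021-06-28 10:00:30,000] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)"]
)

if __name__ == "__main__":
    print(find_bruteforce_sources(SAMPLE_LINES))  # {'10.0.0.5': 25}
```

The same 25 failures spread ten seconds apart never exceed seven inside a 60 s window and are not flagged, so the window size decides what counts as a burst.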
--
This message was sent by Atlassian Jira
(v8.3.4#803005)