[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-17 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17038465#comment-17038465 ]

ASF GitHub Bot commented on KAFKA-9515:
---

ijuma commented on pull request #8125: KAFKA-9515: Upgrade ZooKeeper to 3.5.7
URL: https://github.com/apache/kafka/pull/8125

This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Upgrade ZooKeeper to 3.5.7
> --
>
> Key: KAFKA-9515
> URL: https://issues.apache.org/jira/browse/KAFKA-9515
> Project: Kafka
>  Issue Type: Improvement
>Reporter: Ismael Juma
>Assignee: Ismael Juma
>Priority: Blocker
> Fix For: 2.5.0, 2.4.1
>
>
> There are some critical fixes in ZK 3.5.7 and the first RC has been posted:
> [https://mail-archives.apache.org/mod_mbox/zookeeper-dev/202002.mbox/%3cCAGH6_KiULzemT-V4x_2ybWeKLMvQ+eh=q-dzsiz8a-ypp5t...@mail.gmail.com%3e]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)


[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-15 Thread ASF GitHub Bot (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17037599#comment-17037599 ]

ASF GitHub Bot commented on KAFKA-9515:
---

ijuma commented on pull request #8125: KAFKA-9515: Upgrade ZooKeeper to 3.5.7
URL: https://github.com/apache/kafka/pull/8125
 
 
   A couple of critical fixes:
   
   ZOOKEEPER-3644: Data loss after upgrading standalone ZK server 3.4.14 to 
3.5.6 with snapshot.trust.empty=true
   ZOOKEEPER-3701: Split brain on log disk full (3.5) 
   
   Full release notes:
   
https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12310801=12346098
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   
 





[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-11 Thread Ismael Juma (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034526#comment-17034526 ]

Ismael Juma commented on KAFKA-9515:


Can we get the doc changes ready please?



[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-11 Thread Ron Dagostino (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17034514#comment-17034514 ]

Ron Dagostino commented on KAFKA-9515:
--

[~ijuma] I have learned something since [~rsivaram] and I discussed this in the 
above-referenced PR.  Specifically, if someone tries to run the ZK Security 
Migrator tool with no SASL creds but with a client cert, while at the same time 
ZooKeeper 3.5.7 specifies ssl.clientAuth=none, then the migrator tool fails and 
ACLs are not applied.  This is the stack trace I see:

org.apache.zookeeper.KeeperException$InvalidACLException: KeeperErrorCode = InvalidACL for /admin
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:128)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:54)
    at kafka.zookeeper.AsyncResponse.maybeThrow(ZooKeeperClient.scala:564)
    at kafka.zk.KafkaZkClient.createRecursive(KafkaZkClient.scala:1644)
    at kafka.zk.KafkaZkClient.makeSurePersistentPathExists(KafkaZkClient.scala:1566)
    at kafka.admin.ZkSecurityMigrator.$anonfun$run$4(ZkSecurityMigrator.scala:270)
    at kafka.admin.ZkSecurityMigrator.$anonfun$run$4$adapted(ZkSecurityMigrator.scala:265)
    at scala.collection.immutable.List.foreach(List.scala:392)
    at kafka.admin.ZkSecurityMigrator.kafka$admin$ZkSecurityMigrator$$run(ZkSecurityMigrator.scala:265)
    at kafka.admin.ZkSecurityMigrator$.run(ZkSecurityMigrator.scala:110)
    at kafka.admin.ZkSecurityMigrator$.main(ZkSecurityMigrator.scala:115)
    at kafka.admin.ZkSecurityMigrator.main(ZkSecurityMigrator.scala)

So we don't have to worry about the case of someone thinking they applied ACLs 
when in fact they have not -- they can never be confused about that due to the 
above error being raised, so if ssl.clientAuth=none on the ZooKeeper side they 
must have set SASL credentials for it to succeed, and the SASL user will be 
ACL'ed in ZooKeeper.

The other case to think about is after ACLs have been applied successfully and 
Kafka connects with zookeeper.set.acl=true.  The possibilities here are they 
set a SASL credential with or without a client cert or they don't set a SASL 
credential with a client cert.  If they set a SASL credential then all is good 
-- the SASL user has been ACL'ed and it works fine.  If they don't set a SASL 
credential then they are connecting with the client cert, and of course that 
won't be ACL'ed (and if ssl.clientAuth=none in ZooKeeper then they are 
connecting unauthenticated anyway) -- and Kafka will fail to start.  I think 
that is fine because the thing we had to worry about is a potential breach of 
security: someone thinking they were setting up ZooKeeper with secure ACLs but 
they actually ended up creating ACLs for World read/write access.  As we can 
see from the above, this is actually impossible.

So assuming I haven't missed anything or made a mistake, I think the only thing 
we would need to do is some doc changes to let people know about 
ssl.clientAuth=[want|need|none] being operational.



[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-10 Thread Ron Dagostino (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17033759#comment-17033759 ]

Ron Dagostino commented on KAFKA-9515:
--

We should probably also expand the system tests to include the case where ZK 
TLS is enabled but clientAuth=none.



[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-10 Thread Ismael Juma (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17033753#comment-17033753 ]

Ismael Juma commented on KAFKA-9515:


[~rndgstn] I actually think 2.5 should ship with ZK 3.5.7. Does that mean we 
have to do extra work?



[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-10 Thread Ron Dagostino (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17033729#comment-17033729 ]

Ron Dagostino commented on KAFKA-9515:
--

ZooKeeper 3.5.7 also adds support for the "ssl.clientAuth=[want|need|none]" 
configuration on the ZooKeeper server side.  This means with v3.5.7 client 
certificates become optional (they are required in 3.5.6, which is what shipped 
with AK 2.4 and what will ship with AK 2.5).  As per [this GitHub PR 
conversation for KIP 
515|https://github.com/apache/kafka/pull/8003#discussion_r376476887] (text 
adjusted a bit now that we have more info):

"We need to decide in 3 places (KafkaServer, ConfigCommand, and 
ZkSecurityMigrator) whether or not the ZooKeeper client should generate ACLs in 
ZooKeeper when creating znodes. Prior to the possibility of x509 authentication 
it was easy to decide: was SASL enabled to ZooKeeper or not. Now it is 
supported for SASL to not be enabled but x509 auth to be enabled -- and in that 
case we want to generate ACLs. So in the 3 cases we have to look for this 
possibility. I agree it is entirely possible that ZooKeeper might not 
authenticate the client -- technically in ZK 3.5.6 it is not possible to turn 
that off, but it will be possible in ZK 3.5.7 and beyond. So while with 
ZooKeeper 3.5.6 it isn't an issue, at some point in the future it will be. It 
is possible that ZK might ignore the client certificate, we might generate 
ACLs, and those ACLs might grant access to World. One idea to avoid this is to 
make the connection with ACLs enabled, create a random temporary znode, read 
the ACLs, and check if it is world-enabled; then abort at that point if it is. 
It would probably be a good idea to add this when we upgrade to ZooKeeper 
3.5.7."


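The canary check proposed in the quoted PR discussion, and the failure mode Ron's case analysis describes, written out as an added example against the ZooKeeper 3.5 client API; this is not Kafka's or ZooKeeper's own code. The class and method names are hypothetical, and the intended ACL set is assumed to mirror Kafka's secure defaults (creator ALL plus world READ); main() exercises the check on constructed ACL lists so it runs without a ZooKeeper, while verifyAclsEnforced needs a live session.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class AclCanaryCheck {
    // Accept stored ACLs only if world:anyone has at most READ and some entry names an authenticated principal.
    static boolean aclsBoundToPrincipal(List<ACL> acls) {
        boolean hasPrincipal = false;
        for (ACL acl : acls) {
            if ("world".equals(acl.getId().getScheme())) {
                if ((acl.getPerms() & ~ZooDefs.Perms.READ) != 0) return false; // world got w/c/d/a
            } else {
                hasPrincipal = true; // sasl, x509, digest, ip: bound to an authenticated identity
            }
        }
        return hasPrincipal;
    }
    // The canary proposed in the quoted PR discussion: create a temporary znode with the intended
    // ACLs, read back what ZooKeeper actually stored, and abort if the result is world-enabled.
    static void verifyAclsEnforced(ZooKeeper zk) throws KeeperException, InterruptedException {
        // Intended set (assumed to mirror Kafka's secure defaults): "auth" ALL, which ZooKeeper
        // rewrites to the session's authenticated principal, plus world:anyone READ.
        List<ACL> intended = new ArrayList<>(ZooDefs.Ids.CREATOR_ALL_ACL);
        intended.addAll(ZooDefs.Ids.READ_ACL_UNSAFE);
        String canary = "/kafka-acl-canary-" + UUID.randomUUID();
        // With no SASL creds and ssl.clientAuth=none the session has no auth id for the "auth"
        // entry, so this create fails with InvalidACL (the stack trace quoted in this thread).
        zk.create(canary, new byte[0], intended, CreateMode.EPHEMERAL);
        try {
            if (!aclsBoundToPrincipal(zk.getACL(canary, null))) {
                throw new IllegalStateException("ZooKeeper stored world-accessible ACLs; aborting");
            }
        } finally {
            zk.delete(canary, -1);
        }
    }
    public static void main(String[] args) {
        // Constructed ACL lists standing in for getACL results; no live ZooKeeper needed here.
        List<ACL> secure = Arrays.asList(new ACL(ZooDefs.Perms.ALL, new Id("sasl", "kafka")),
                new ACL(ZooDefs.Perms.READ, ZooDefs.Ids.ANYONE_ID_UNSAFE));
        System.out.println("sasl:kafka ALL + world READ -> bound: " + aclsBoundToPrincipal(secure));
        System.out.println("world ALL (OPEN_ACL_UNSAFE) -> bound: " + aclsBoundToPrincipal(ZooDefs.Ids.OPEN_ACL_UNSAFE));
    }
}
```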


[jira] [Commented] (KAFKA-9515) Upgrade ZooKeeper to 3.5.7

2020-02-06 Thread Ismael Juma (Jira)


[ https://issues.apache.org/jira/browse/KAFKA-9515?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17031749#comment-17031749 ]

Ismael Juma commented on KAFKA-9515:


cc [~bbejeck] [~mumrah]
