-
Notifications
You must be signed in to change notification settings - Fork 13.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KAFKA-3221: Pass requesting user information to authorizer to enable … #895
Conversation
…user authorization before modifying acls.
@ijuma @gwenshap mind taking a look. I have added reasoning behind adding hadoop-core dependency. I am open to suggestion, if that can be avoided somehow. Without changing APIs, which seems not essential for default authorizer, I could not find a better way to pass requesting user's info to authorizer. Suggestions are welcome. |
I don't think the Hadoop behavior is desirable (we probably want "nobody" if a user is not authenticated with Kerberos, not the OS user), and I'm definitely not a fan of this dependency. system.username is definitely not desirable since its an environment variable and completely insecure. |
Agreed with @gwenshap. In terms of the API changes to the Authorizer, do you mean adding a |
@SinghAsDev I am not sure I follow the intent of the PR. Ideally we should move all these authorizer, create topic etc.. as broker requests(KIP-4) than we can add authorizer functionality for these admin requests. |
+1 on moving all authorizer apis to broker side. |
I agree with these requests going through the broker. There are quite a few requests that need to be added as part of KIP-4. I am working on the topic ones now (as those have been agreed to already) and then plan to open a discussion about the other needed protocol messages including authorizer and version (also KIP-35) messages. All of these request/scripts would then use the AdminClient. Once the first few get reviewed. I should be able to add these fairly quickly. I have an update pull request for the CreateTopic implementation at #626, and will post a one for DeleteTopic shortly. |
Let me try to summarize all the discussion here and on JIRA so far, so that we don't have to go back and forth. We all agree that there is a problem in the way we allow users to perform CRUD on acls and that problem is the user does not get authenticated. This opens up a security hole in current authorization support of Kafka. Default authorizer, SimpleAclAuthorizer, relies on ZK authentication to address this. However, there is no information provided to custom authorizers (via current APIs) to be able to determine if a particular request from a user should be allowed or not. To fix this we need to add user authentication, possible options are.
Let's talk about each of these approaches in detail.
Whatever path we decide to take, we should come up with some solution for custom authorizers for 0.9. This issue makes custom authorizers not so useful. Please correct me if any of my aforementioned understanding is flawed. @gwenshap you are correct if the user is not authenticated, there is no point in passing his/her info. |
"This opens up a security hole in current authorization support of Kafka" "User info still needs to be obtained and passed to broker. Yes, using a common admin client that takes care of this will help." "Let broker to the authentication." "Honestly, I do not see a reason for expecting that authorizer should trust kafka for deciding if it should let a user to perform CRUD on privileges, etc. One might say, we should restrict these operations to kafka's admin user only, which will take care of the issue of authorizing users via authorizer before allowing/denying their request of CRUD ops. For that just imagine you have to go to your admin every time you have to perform chmod/chown on topics you have created, even to see perms as part of your ls command."
The proposal we are making instead of the proposed changes in this PR is lets use the client/broker authentication which we already have to establish a session and authorize that session like we are doing for writes and reads from clients already. "kafka-acls.sh gets and passes user info directly to authorizer. This does not require waiting on KIP-4, however this is probably not a long term solution. " Ideally all the requests and authorization should happen in kafka broker. We shouldn't be adding another authentication layer to authorizer and have another session. |
@harshach by security hole I mean, there is no way custom authorizers can restrict acls CRUD to authorized users, while allowing users to use kafka-acls.sh. I had an offline chat with @granthenke and we might be able to get KIP-4 pieces in soon. I will punt on addressing the issue after KIP-4. Thanks for feedbacks. |
…user authorization before modifying acls.