adevinta / zoe

The Kafka CLI for humans
https://adevinta.github.io/zoe
MIT License

Topic operations without privileges #20

Closed dariocazas closed 3 years ago

dariocazas commented 3 years ago

Some basic operations available in zoe 0.24.0 get an auth error in versions 0.25.0 and 0.26.0, like:

Using the following scripts:

# Test zoe 0.24.0
sudo rpm -e zoe
ZOE_VERSION=0.24.0
sudo rpm -i "https://github.com/adevinta/zoe/releases/download/v${ZOE_VERSION}/zoe-${ZOE_VERSION}-1.x86_64.rpm"
zoe topics list

# Test zoe 0.25.0
sudo rpm -e zoe
ZOE_VERSION=0.25.0
sudo rpm -i "https://github.com/adevinta/zoe/releases/download/v${ZOE_VERSION}/zoe-${ZOE_VERSION}-1.x86_64.rpm"
zoe topics list

# Test zoe 0.26.0
sudo rpm -e zoe
ZOE_VERSION=0.26.0
sudo rpm -i "https://github.com/adevinta/zoe/releases/download/v${ZOE_VERSION}/zoe-${ZOE_VERSION}-1.x86_64.rpm"
zoe topics list

With those results:

The error showed is:

failure: runner 'local' failed
cause:
  failure: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.
  cause:
      failure: Topic authorization failed.

About the config against the Kafka server:

      client.id: "zoe-client"
      sasl.mechanism: "SCRAM-SHA-512"
      sasl.jaas.config: "org.apache.kafka.common.security.scram.ScramLoginModule required username=\"user1\" password=\"user1pass\";"
      security.protocol: "SASL_SSL"
      ssl.truststore.location: "/home/myuser/.zoe/config/kafka_keystore.jks"
      ssl.truststore.password: "changeit"
      ssl.endpoint.identification.algorithm: "https"

wlezzar commented 3 years ago

Hi @dariocazas. Thanks a lot for raising the issue. It's indeed due to the fact that now the list topics command tries to list the configs as well on each topic. And if the user does have the privileges to list the topics but doesn't have the privileges to describe the configs, it fails the whole request.

I will make a PR tonight or tomorrow to fix the issue :+1:
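The pattern the maintainer describes above (list succeeds, per-topic config describe is denied, the whole request should not fail) can be written directly against the Kafka Admin API. The following is an added example, not zoe's own code or its actual fix: it assumes a placeholder bootstrap address and that the caller adds the same SASL_SSL/SCRAM client settings shown in the issue; the class and method names are made up for this illustration. It relies on a documented property of the Admin client: `describeConfigs` returns one `KafkaFuture` per `ConfigResource`, so a principal that lacks DESCRIBE_CONFIGS on one topic fails only that topic's future.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.ExecutionException;

import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.clients.admin.Config;
import org.apache.kafka.clients.admin.ConfigEntry;
import org.apache.kafka.common.KafkaFuture;
import org.apache.kafka.common.config.ConfigResource;
import org.apache.kafka.common.errors.TopicAuthorizationException;

/** Lists topics and their configs without letting a missing DESCRIBE_CONFIGS ACL fail the whole call. */
public class TolerantTopicLister {

    /** One topic's result: its config, or an empty map plus a flag when the describe was denied. */
    public static final class TopicInfo {
        public final String name;
        public final Map<String, String> config;
        public final boolean configDenied;

        TopicInfo(String name, Map<String, String> config, boolean configDenied) {
            this.name = name;
            this.config = config;
            this.configDenied = configDenied;
        }
    }

    public static List<TopicInfo> listTopicsTolerant(Admin admin)
            throws ExecutionException, InterruptedException {
        // Listing needs only DESCRIBE on the topics (the broker already filters the
        // list to what the principal may see). If even that fails there is nothing
        // useful to return, so the exception propagates as a real failure.
        Set<String> names = admin.listTopics().names().get();

        // One ConfigResource per topic. The broker answers DescribeConfigs with a
        // per-resource error code and the client exposes one KafkaFuture per resource,
        // so a denied topic fails only its own future, not the whole request.
        List<ConfigResource> resources = new ArrayList<>();
        for (String n : names) {
            resources.add(new ConfigResource(ConfigResource.Type.TOPIC, n));
        }
        Map<ConfigResource, KafkaFuture<Config>> futures = admin.describeConfigs(resources).values();

        List<TopicInfo> out = new ArrayList<>();
        for (ConfigResource r : resources) {
            try {
                Config cfg = futures.get(r).get();
                Map<String, String> kv = new HashMap<>();
                for (ConfigEntry e : cfg.entries()) {
                    kv.put(e.name(), e.value()); // value() is null for sensitive entries
                }
                out.add(new TopicInfo(r.name(), kv, false));
            } catch (ExecutionException ex) {
                if (ex.getCause() instanceof TopicAuthorizationException) {
                    // Principal lacks DESCRIBE_CONFIGS on this topic only: log it and
                    // degrade to an empty config instead of failing the listing.
                    System.err.println("WARN config describe denied for topic " + r.name());
                    out.add(new TopicInfo(r.name(), Collections.emptyMap(), true));
                } else {
                    throw ex; // timeouts, unknown topics etc. remain real errors
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Placeholder endpoint (assumption); the SASL_SSL/SCRAM settings from the
        // issue's config would be added to these properties as well.
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "broker.example:9093");
        try (Admin admin = Admin.create(props)) {
            for (TopicInfo t : listTopicsTolerant(admin)) {
                System.out.println(t.name + (t.configDenied ? " (config denied)" : " " + t.config));
            }
        }
    }
}
```

The important design choice is that only `TopicAuthorizationException` is downgraded to a warning; any other cause of a failed future is still thrown, so a least-privilege principal gets a usable listing while genuine broker errors are not silently hidden.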

wlezzar commented 3 years ago

@dariocazas Is it possible for you to give the user you are using the right to describe the configs and see if it works, just to confirm the issue?

wlezzar commented 3 years ago

@dariocazas the issue is fixed in 0.26.1. You may download this release and try again :+1:

dariocazas commented 3 years ago

@wlezzar thx for your quick reply and patch.

Well, on 0.26.1, when I use a user with privileges over certain topics (not all topics) to run zoe topics list, the log shows:

2020-10-10 23:18:17 WARN zoe: unexpected error on config describe request
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.

But it gets an OK result (same topic list as the 0.24.0 version).

On the other hand, if I try to describe a topic, it gets a TopicAuthorizationException and shows the info without config:

> zoe -e dev topics describe test
[...]
2020-10-10 23:14:05 WARN zoe: unexpected error on config describe request
java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.
[...]
{"topic":"testTopic","internal":false,"partitions":[0,1],"config":{}}

The user used has DESCRIBE allowed.

> kafka-acls.sh --bootstrap-server $BROKERS --command-config $COMMAND_CONFIG --list --principal User:test_user
[...]
ACLs for principal `User:ofda_training_dev`
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=testTopic, patternType=LITERAL)`: 
    (principal=User:test_user, host=*, operation=READ, permissionType=ALLOW)
    (principal=User:test_user, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:test_user, host=*, operation=WRITE, permissionType=ALLOW) 
[...]

Reviewing the describe operation using kafka-topics.sh gets an auth error too:

> kafka-topics.sh --bootstrap-server $BROKERS --command-config $COMMAND_CONFIG --describe --topic testTopic
[...]
[2020-10-10 23:43:40,231] ERROR org.apache.kafka.common.errors.ClusterAuthorizationException: Request Request(processor=0, connectionId=XXX, session=Session(User:test_user,XXX), listenerName=ListenerName(SASL_SSL), securityProtocol=SASL_SSL, buffer=null) is not authorized.

In conclusion:

Good job. Thank you