Closed marcoppenheimer closed 2 months ago
LGTM! Should we just have an integration test, or would that be too much of a hassle?
I think our current int tests basically cover the case of 'does Kafka work with this setting?'.

If we look at the ACLs Kafka sets, it's pretty clever. By default, a zNode written by Kafka will have `rwcda` for the SASL Kafka user, and `r` for `world` (aka everyone). BUT, for zNodes that Kafka thinks are 'secure', it will remove the `world` read permission.

After a quick check, it appears that it would be:

- `/kafka/config/brokers`
- `/kafka/config/users/*`

There may be others, but I grabbed that from a default ZK + Kafka deploy.
Changes Made
fix: set ACLs on written zNodes
Without it, zNodes written under the Kafka chroot will be readable by all. `zookeeper.set.acl=true` ensures that there are protections on the zNodes written by Kafka.
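The ACL pattern described in the comment above (full `rwcda` for the SASL Kafka user, world `r` except on the 'secure' zNodes) and the protection `zookeeper.set.acl=true` is meant to provide, as an added audit check that is not part of this PR. It parses `getAcl` output in the format `zkCli.sh` prints (assumed here: an `'scheme,'id` line followed by a `: perms` line), and the sample output, the `kafka` SASL user name and the `/kafka` chroot are constructed assumptions.

```python
"""Audit ZooKeeper ACLs on Kafka zNodes against the expected pattern."""
from fnmatch import fnmatch

# zNodes Kafka treats as 'secure' (from the PR comment), relative to the chroot.
SECURE_SUFFIXES = ["/config/brokers", "/config/users/*"]


def parse_getacl(text):
    """Parse zkCli 'getAcl' output into [((scheme, id), perms), ...].

    Assumed format: an "'scheme,'id" line followed by a ": perms" line.
    """
    acls, ident = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith(":"):
            acls.append((ident, line[1:].strip()))
        else:
            scheme, _, who = line.strip("'").partition(",'")
            ident = (scheme, who)
    return acls


def check_znode(path, acls, sasl_user="kafka", chroot="/kafka"):
    """Return findings for one zNode; an empty list means it matches the policy."""
    findings = []
    perms = {ident: set(p) for ident, p in acls}
    owner = perms.get(("sasl", sasl_user), set())
    if owner != set("rwcda"):
        have = "".join(sorted(owner)) or "none"
        findings.append(f"{path}: sasl user {sasl_user!r} lacks full rwcda (has {have})")
    world = perms.get(("world", "anyone"), set())
    secure = any(fnmatch(path, chroot + s) for s in SECURE_SUFFIXES)
    if secure and "r" in world:
        findings.append(f"{path}: secure zNode is world-readable")
    if world - {"r"}:  # world should never hold more than read
        findings.append(f"{path}: world has {''.join(sorted(world))}")
    return findings


def audit(samples, sasl_user="kafka", chroot="/kafka"):
    """Run check_znode over a {path: getAcl output} mapping."""
    return {p: check_znode(p, parse_getacl(t), sasl_user, chroot) for p, t in samples.items()}


# Constructed sample getAcl output (not captured from a real cluster).
SAMPLE = {
    "/kafka/brokers/ids/0": "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",
    "/kafka/config/brokers": "'sasl,'kafka\n: cdrwa\n",
    "/kafka/config/users/alice": "'sasl,'kafka\n: cdrwa\n'world,'anyone\n: r\n",  # leaks
    "/kafka/config/topics/t1": "'world,'anyone\n: cdrwa\n",  # written without set.acl
}
```

Feeding it real `getAcl` output for each zNode under the chroot flags exactly the cases the comment describes: a secure zNode that kept world read, and a zNode written before `zookeeper.set.acl=true` was enabled.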