Status

Current state: Accepted

Discussion thread: here

JIRA: here 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Currently, the built-in file and directory configuration providers have unrestricted access to any file the caller names. In security-sensitive environments it is useful to limit the files these providers can read when they are used with Kafka Connect, where the worker operator controls the provider configuration but connector configurations referencing it are submitted by other users. For example, a worker configuration could restrict the directory provider as follows:

config.providers=directory

config.providers.directory.class=org.apache.kafka.common.config.provider.DirectoryConfigProvider

config.providers.directory.param.allowed.paths=/var/run,/var/configs

If a caller then references a file outside those paths, for example:

ssl.keystore.password=${directory:/etc/passwd:keystore-password}

the provider will refuse the lookup and return an empty value, which tells the operator that the referenced file must reside under one of the configured paths (or that allowed.paths must be extended to cover it).

Public Interfaces

The implementations DirectoryConfigProvider and FileConfigProvider of the interface org.apache.kafka.common.config.provider.ConfigProvider will be updated with a configuration that limits each provider's access to the designated file or directory paths.

Affected components:

  • org/apache/kafka/common


Name: allowed.paths
Type: List
Documentation: Comma-separated list of paths that this configuration provider is permitted to read files from. A listed directory grants access to every file beneath it (recursively); a listed file grants access to that file only. If not set, all paths are allowed.
Default: empty

Proposed Changes

The classes DirectoryConfigProvider and FileConfigProvider, which implement the ConfigProvider interface, will be updated. In their configure() method the newly added configuration will be read and parsed. Their get() method will then verify that the file it is about to read resides within one of the designated paths; access to subdirectories of an allowed directory is permitted recursively. The comparison must be made on the normalized absolute path, with symlinks resolved, so that ".." segments or a symlink placed inside an allowed directory cannot be used to escape it. If the file is not within any of the designated paths, an empty string will be returned for the value. This is consistent with how EnvVarConfigProvider behaves when a user attempts to access an environment variable that is not on its allow list. With FileConfigProvider, users can also list individual files in allowed.paths so that other files in the same directory remain inaccessible.
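As an added illustration (not code from this KIP or from Kafka itself), the following stand-alone Java program implements an allowed-paths check of the kind described above using only JDK APIs: it parses the comma-separated list, resolves the untrusted path to its real path before comparing, and returns an empty value for anything outside the list, in the style of FileConfigProvider.get(). The class and method names (AllowedPathsDemo, resolveIfAllowed, get) are hypothetical, and the properties files it reads are constructed in a temporary directory by main().

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.stream.Collectors;

// Hypothetical demo class; run with: java AllowedPathsDemo.java (JDK 11+)
public class AllowedPathsDemo {

    /** Parsed allow list; null means "unrestricted", i.e. allowed.paths not set. */
    private final List<Path> allowed;

    AllowedPathsDemo(String allowedPathsConfig) {
        if (allowedPathsConfig == null || allowedPathsConfig.trim().isEmpty()) {
            allowed = null; // config absent: keep the previous unrestricted behaviour
        } else {
            allowed = Arrays.stream(allowedPathsConfig.split(","))
                    .map(String::trim)
                    .filter(s -> !s.isEmpty())
                    .map(s -> Paths.get(s).toAbsolutePath().normalize())
                    .collect(Collectors.toList());
        }
    }

    /**
     * Returns the resolved path if it is permitted, or empty if not. The untrusted
     * path is resolved to its real path (".." removed, symlinks followed) before the
     * comparison, so a reference cannot escape an allowed directory.
     */
    Optional<Path> resolveIfAllowed(String untrusted) {
        Path p = Paths.get(untrusted).toAbsolutePath().normalize();
        if (allowed == null) {
            return Optional.of(p);
        }
        Path real;
        try {
            real = p.toRealPath(); // fails if the file does not exist
        } catch (IOException e) {
            return Optional.empty();
        }
        for (Path a : allowed) {
            Path realAllowed;
            try {
                realAllowed = a.toRealPath();
            } catch (IOException e) {
                continue; // a listed path that does not exist grants nothing
            }
            // Path.startsWith is component-wise: /var/runner does not match /var/run,
            // and a file listed in allowed.paths matches only itself.
            if (real.startsWith(realAllowed)) {
                return Optional.of(real);
            }
        }
        return Optional.empty();
    }

    /** FileConfigProvider-style lookup: one key from a properties file, "" if refused. */
    String get(String path, String key) {
        Optional<Path> file = resolveIfAllowed(path);
        if (!file.isPresent()) {
            System.err.println("refused: " + path + " is not within allowed.paths");
            return "";
        }
        Properties props = new Properties();
        try (Reader r = Files.newBufferedReader(file.get(), StandardCharsets.UTF_8)) {
            props.load(r);
        } catch (IOException e) {
            return "";
        }
        return props.getProperty(key, "");
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: one allowed directory and one that must stay hidden.
        Path root = Files.createTempDirectory("allowed-paths-demo");
        Path allowedDir = Files.createDirectory(root.resolve("allowed"));
        Path secretDir = Files.createDirectory(root.resolve("secret"));
        Files.write(allowedDir.resolve("db.properties"),
                "keystore-password=s3cret".getBytes(StandardCharsets.UTF_8));
        Files.write(secretDir.resolve("db.properties"),
                "keystore-password=hidden".getBytes(StandardCharsets.UTF_8));
        // A symlink inside the allowed directory that points out of it.
        Path link = allowedDir.resolve("escape.properties");
        try {
            Files.createSymbolicLink(link, secretDir.resolve("db.properties"));
        } catch (IOException | UnsupportedOperationException e) {
            link = null; // platform does not allow creating symlinks here
        }

        AllowedPathsDemo restricted = new AllowedPathsDemo(allowedDir.toString());
        System.out.println("allowed file:   " + restricted.get(allowedDir.resolve("db.properties").toString(), "keystore-password"));
        System.out.println("other dir:      " + restricted.get(secretDir.resolve("db.properties").toString(), "keystore-password"));
        System.out.println("dot-dot escape: " + restricted.get(allowedDir + "/../secret/db.properties", "keystore-password"));
        if (link != null) {
            System.out.println("symlink escape: " + restricted.get(link.toString(), "keystore-password"));
        }
        // allowed.paths not set: the provider keeps today's unrestricted behaviour.
        AllowedPathsDemo unrestricted = new AllowedPathsDemo(null);
        System.out.println("unrestricted:   " + unrestricted.get(secretDir.resolve("db.properties").toString(), "keystore-password"));
    }
}
```

Running it shows the lookup inside the allowed directory succeeding while the direct reference to the other directory, the ".." traversal and the symlink all come back empty with a refusal logged; the final lookup, with no allow list configured, still reads the hidden file, which is the existing behaviour this KIP preserves by default.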

In cases where no path is specified, the configuration providers will retain their previous unrestricted access to any file.

This feature adds nothing when a ConfigProvider is used in server.properties or in Kafka clients, because there the same party writes both the provider configuration (including allowed.paths) and the references to it. It matters only with Kafka Connect, where the worker operator configures the providers while the references are supplied at runtime in connector configurations submitted through the REST API.

Compatibility, Deprecation, and Migration Plan

There are no compatibility concerns, since this update only introduces a new configuration. When it is absent the behaviour is unchanged: the configuration providers can access any file, as before.

Test Plan

New unit tests and integration tests with a client (producer/consumer) will be added.

Rejected Alternatives

None.
