Status
Current state: "Draft"
Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]
JIRA: here [Change the link from KAFKA-1 to your own ticket]
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Currently, the built-in file and directory configuration providers have unrestricted access to any file the caller names. In security-sensitive environments it would be beneficial to limit the files these providers can read. For example:
config.providers=directory
config.providers.directory.class=org.apache.kafka.connect.configs.DirectoryConfigProvider
config.providers.directory.param.allowed.paths=/var/run
If a caller tries to access another path, for example:
ssl.keystore.password=${directory:/etc/passwd:keystore-password}
the provider will return an error prompting the user to use one of the allowed paths.
Public Interfaces
The implementations DirectoryConfigProvider and FileConfigProvider of the interface org.apache.kafka.common.config.provider.ConfigProvider will be updated to introduce a configuration that limits each provider's access exclusively to the designated file or directory paths.
Affected components:
- org/apache/kafka/common
Name: allowed.paths
Type: String
Documentation: Comma-separated list of paths from which this configuration provider is permitted to read files. If not set, all paths are allowed.
Default: empty
Proposed Changes
The classes DirectoryConfigProvider and FileConfigProvider, which implement the ConfigProvider interface, will be updated. In their `configure()` method the newly added configuration will be read. Their `get()` method will then verify that the file it is about to access resides within one of the designated paths; if it does not, a ConfigException will be thrown. When no path is configured, the providers retain their previous unrestricted access to any file.
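As an added illustration of the check described above (this is example code written for this page, not Kafka's own implementation), the class below mirrors the configure()/get() shape of the proposal without depending on the kafka-clients jar: it does not implement ConfigProvider, the class name AllowedPathsExample and the method checkAllowed() are assumptions, and IllegalArgumentException stands in for Kafka's ConfigException. It shows two details a correct implementation needs: paths must be normalized (so `..` segments cannot escape the allowed directory) and symlinks should be resolved on both sides of the comparison, because on many Linux systems /var/run is itself a symlink to /run.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;

/**
 * Illustrative allowed.paths check in the shape proposed by the KIP.
 * Added example, not Kafka code: no ConfigProvider interface, and
 * IllegalArgumentException is used in place of Kafka's ConfigException.
 */
public class AllowedPathsExample {
    static final String ALLOWED_PATHS = "allowed.paths";

    // Empty list means "not configured": unrestricted, as the KIP proposes.
    private List<Path> allowedPaths = Collections.emptyList();

    /**
     * Absolute, normalized form of a path, following symlinks when the
     * target exists. Non-existent paths keep their normalized form so that
     * the later file read fails on its own rather than here.
     */
    static Path resolve(String raw) {
        Path normalized = Paths.get(raw.trim()).toAbsolutePath().normalize();
        try {
            return normalized.toRealPath();
        } catch (IOException e) {
            return normalized;
        }
    }

    /** Mirrors configure(): parse the comma-separated allowed.paths value. */
    public void configure(Map<String, ?> configs) {
        Object value = configs.get(ALLOWED_PATHS);
        List<Path> parsed = new ArrayList<>();
        if (value != null && !value.toString().trim().isEmpty()) {
            for (String p : value.toString().split(",")) {
                // Resolve the allowed directories too, otherwise an allowed
                // "/var/run" would never match a request resolved to "/run/...".
                parsed.add(resolve(p));
            }
        }
        allowedPaths = parsed;
    }

    /**
     * Mirrors the check get() performs before reading: returns the resolved
     * path if it lies under an allowed directory, otherwise throws.
     */
    public Path checkAllowed(String requested) {
        Path candidate = resolve(requested);
        if (allowedPaths.isEmpty()) {
            return candidate;  // no restriction configured
        }
        for (Path allowed : allowedPaths) {
            // Path.startsWith compares whole name elements, so "/var/run2"
            // is NOT treated as being under "/var/run" (a plain string
            // prefix check would get this wrong).
            if (candidate.startsWith(allowed)) {
                return candidate;
            }
        }
        throw new IllegalArgumentException(
            "Path '" + requested + "' is not in the allowed paths: " + allowedPaths);
    }

    public static void main(String[] args) {
        AllowedPathsExample provider = new AllowedPathsExample();
        // Constructed sample configuration, matching the KIP's example.
        provider.configure(Collections.singletonMap(ALLOWED_PATHS, "/var/run,/etc/kafka/secrets"));
        for (String p : Arrays.asList(
                "/var/run/app/keystore.properties",   // accepted
                "/var/run/../../etc/passwd",          // rejected: normalizes to /etc/passwd
                "/var/run2/keystore.properties",      // rejected: sibling directory
                "/etc/passwd")) {                     // rejected: outside allowed paths
            try {
                System.out.println("allowed:  " + provider.checkAllowed(p));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Compile and run with `javac AllowedPathsExample.java && java AllowedPathsExample`. Resolving symlinks on both the requested file and the allowed directories is what keeps the check meaningful: without it, a link placed inside an allowed directory that points at a file elsewhere would pass the comparison, and an allowed directory that is itself a symlink would reject every legitimate request.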
Compatibility, Deprecation, and Migration Plan
There are no compatibility concerns, since this update only introduces a new configuration. When it is not set, the behavior is unchanged and the configuration providers continue to have access to any file.
Test Plan
New unit tests and integration testing with a client (producer/consumer) will be added.
Rejected Alternatives
None.