From 5f331d6b3366bfa8f179f93c72428bdd6dd122df Mon Sep 17 00:00:00 2001
From: Rohan Kunwar
Date: Sun, 21 Sep 2025 18:10:58 +0530
Subject: [PATCH 1/3] [ANSIENG-5137] | Fix ZK Chroot creation
---
 roles/kafka_broker/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/roles/kafka_broker/tasks/main.yml b/roles/kafka_broker/tasks/main.yml
index ed7a4137c..fd9316b09 100644
--- a/roles/kafka_broker/tasks/main.yml
+++ b/roles/kafka_broker/tasks/main.yml
@@ -432,6 +432,7 @@
 # Only runs with zookeeper
 - name: Create Zookeeper chroot
 shell: >
+ {% if kafka_broker_final_properties['zookeeper.set.acl']|default('false')|lower == 'true' %}KAFKA_OPTS='-Djava.security.auth.login.config={{kafka_broker.jaas_file}}'{% endif %} \
 {{ binary_base_path }}/bin/zookeeper-shell {{ hostvars[groups['zookeeper'][0]] | confluent.platform.resolve_hostname }}:{{zookeeper_client_port}} \
 {% if zookeeper_ssl_enabled|bool %}-zk-tls-config-file {{ kafka_broker.zookeeper_tls_client_config_file if kafka_broker_secrets_protection_enabled else kafka_broker.config_file }}{% endif %} \
 create {{zookeeper_chroot}} ""
From ac76349cc4be6fc3eaecb317b25af26df003eeff Mon Sep 17 00:00:00 2001
From: Rohan Kunwar
Date: Sun, 21 Sep 2025 18:44:58 +0530
Subject: [PATCH 2/3] [ANSIENG-5137] | Update tests for ZK Chroot creation
---
 molecule/zookeeper-digest-rhel/molecule.yml | 5 +++++
 molecule/zookeeper-digest-rhel/verify.yml | 25 +++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/molecule/zookeeper-digest-rhel/molecule.yml b/molecule/zookeeper-digest-rhel/molecule.yml
index d9f0a3c8a..55b2f320c 100644
--- a/molecule/zookeeper-digest-rhel/molecule.yml
+++ b/molecule/zookeeper-digest-rhel/molecule.yml
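Review bot: In roles/kafka_broker/tasks/main.yml, the `create {{zookeeper_chroot}} ""` call that closes this task still passes no ACL argument, so even when the new `KAFKA_OPTS` prefix makes zookeeper-shell log in with the broker JAAS file, the chroot znode is presumably created with ZooKeeper's default world-open ACL. If `zookeeper.set.acl` is meant to leave the tree restricted, consider passing an ACL in that branch, e.g. `create {{zookeeper_chroot}} "" <acl-for-broker-principal>` (placeholder), or checking the result with `getAcl {{zookeeper_chroot}}`. Separately, `{{kafka_broker.jaas_file}}` is spliced into a single-quoted shell word; setting the variable through the task's `environment:` keyword would avoid shell quoting altogether. The task may continue below the hunk (any `when:` or `register:` lines are not visible here).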
@@ -120,6 +120,11 @@ provisioner:
 all:
 scenario_name: zookeeper-digest-rhel
+ # Enable ansible_become to simulate customer production environment
+ ansible_become: true
+ ansible_become_method: sudo
+ ansible_become_user: root
+
 zookeeper_quorum_authentication_type: digest
 zookeeper_client_authentication_type: digest
 sasl_protocol: plain
diff --git a/molecule/zookeeper-digest-rhel/verify.yml b/molecule/zookeeper-digest-rhel/verify.yml
index beeb322e4..22c6a95dc 100644
--- a/molecule/zookeeper-digest-rhel/verify.yml
+++ b/molecule/zookeeper-digest-rhel/verify.yml
@@ -37,3 +37,28 @@
 file_path: /etc/schema-registry/schema-registry.properties
 property: kafkastore.security.protocol
 expected_value: SASL_PLAINTEXT
+
+- name: Verify - ZooKeeper chroot creation with digest authentication
+ hosts: kafka_broker
+ gather_facts: false
+ tasks:
+ - name: Import Variables
+ import_role:
+ name: variables
+
+ - name: Verify chroot exists in ZooKeeper with authentication
+ shell: >
+ {% if kafka_broker_final_properties['zookeeper.set.acl']|default('false')|lower == 'true' %}KAFKA_OPTS='-Djava.security.auth.login.config={{kafka_broker.jaas_file}}'{% endif %} \
+ {{ binary_base_path }}/bin/zookeeper-shell {{ hostvars[groups['zookeeper'][0]] | confluent.platform.resolve_hostname }}:{{zookeeper_client_port}} \
+ ls /
+ register: zk_root_listing
+ run_once: true
+ changed_when: false
+ failed_when: false
+
+ - name: Assert chroot creation succeeded
+ assert:
+ that:
+ - zk_root_listing.rc == 0
+ - "zookeeper_chroot.lstrip('/') in zk_root_listing.stdout"
+ fail_msg: ZOOKEEPER CHROOT CREATION FAILED
From c389d9aa3079e8a846aa60a58663b10744fc3682 Mon Sep 17 00:00:00 2001
From: Rohan Kunwar
Date: Tue, 4 Nov 2025 16:08:52 +0530
Subject: [PATCH 3/3] [ANSIENG-5137] | Fix ZK Chroot creation
---
 molecule/zookeeper-digest-rhel/molecule.yml | 5 -----
 molecule/zookeeper-digest-rhel/verify.yml | 25 ---------------------
 2 files changed, 30 deletions(-)
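Review bot: The assertion `zookeeper_chroot.lstrip('/') in zk_root_listing.stdout` in molecule/zookeeper-digest-rhel/verify.yml is a substring match over everything zookeeper-shell printed, so it could pass on unrelated output (a hostname or log line that happens to contain the chroot name) and it says nothing about whether the authenticated path was exercised. Targeting the node directly, e.g. `ls {{zookeeper_chroot}}` or `getAcl {{zookeeper_chroot}}`, and asserting on that output would make the check specific to the chroot and to its permissions. A short comment above `failed_when: false` would also help the next reader, e.g. `# rc is checked by the assert below so the failure message is explicit`.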
diff --git a/molecule/zookeeper-digest-rhel/molecule.yml b/molecule/zookeeper-digest-rhel/molecule.yml
index 55b2f320c..d9f0a3c8a 100644
--- a/molecule/zookeeper-digest-rhel/molecule.yml
+++ b/molecule/zookeeper-digest-rhel/molecule.yml
@@ -120,11 +120,6 @@ provisioner:
 all:
 scenario_name: zookeeper-digest-rhel
- # Enable ansible_become to simulate customer production environment
- ansible_become: true
- ansible_become_method: sudo
- ansible_become_user: root
-
 zookeeper_quorum_authentication_type: digest
 zookeeper_client_authentication_type: digest
 sasl_protocol: plain
diff --git a/molecule/zookeeper-digest-rhel/verify.yml b/molecule/zookeeper-digest-rhel/verify.yml
index 22c6a95dc..beeb322e4 100644
--- a/molecule/zookeeper-digest-rhel/verify.yml
+++ b/molecule/zookeeper-digest-rhel/verify.yml
@@ -37,28 +37,3 @@
 file_path: /etc/schema-registry/schema-registry.properties
 property: kafkastore.security.protocol
 expected_value: SASL_PLAINTEXT
-
-- name: Verify - ZooKeeper chroot creation with digest authentication
- hosts: kafka_broker
- gather_facts: false
- tasks:
- - name: Import Variables
- import_role:
- name: variables
-
- - name: Verify chroot exists in ZooKeeper with authentication
- shell: >
- {% if kafka_broker_final_properties['zookeeper.set.acl']|default('false')|lower == 'true' %}KAFKA_OPTS='-Djava.security.auth.login.config={{kafka_broker.jaas_file}}'{% endif %} \
- {{ binary_base_path }}/bin/zookeeper-shell {{ hostvars[groups['zookeeper'][0]] | confluent.platform.resolve_hostname }}:{{zookeeper_client_port}} \
- ls /
- register: zk_root_listing
- run_once: true
- changed_when: false
- failed_when: false
-
- - name: Assert chroot creation succeeded
- assert:
- that:
- - zk_root_listing.rc == 0
- - "zookeeper_chroot.lstrip('/') in zk_root_listing.stdout"
- fail_msg: ZOOKEEPER CHROOT CREATION FAILED