
Redpanda permits user names that fail SCRAM regex check

Open michael-redpanda opened this issue 2 years ago • 1 comments

Version & Environment

Redpanda version: tip of dev

What went wrong?

Redpanda rejects SCRAM messages that contain usernames made up of non-ASCII characters.

What should have happened instead?

Redpanda should either:

  1. Accept non-ASCII character user names during SCRAM authentication, or
  2. Not permit non-ASCII characters in usernames when users are created.

How to reproduce the issue?

rpk acl user create Böqüárd -p mike1234
rpk topic create -p 1 -r 1 test-cool-names
rpk acl create --allow-principal 'User:Böqüárd' --operation all --topic test-cool-names
rpk cluster config set enable_sasl true
rpk topic describe test-cool-names --user 'User:Böqüárd' --password mike1234 --sasl-mechanism SCRAM-SHA-256

Observing the log, you will see: Error processing request: security::scram_exception (scram_algorithm.cc:201 - Invalid SCRAM client first message: n,,n=User:Böqüárd,r=q2LZsEiSHhDWJVirP93KQncEPJA)

This is due to the SCRAM regex check only permitting ASCII characters (with the exception of '=' and ',').

Additional information

Redpanda's SCRAM authentication regex matches Kafka's; however, it isn't in compliance with RFC-5802.

Redpanda should either:

  1. Expand the regex to permit non-ASCII characters
  2. Reference this regex when usernames are created to validate that the username is valid

JIRA Link: CORE-1221

michael-redpanda avatar Mar 20 '23 14:03 michael-redpanda
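
The mismatch described in this issue, as an added example that is not part of the original issue or Redpanda's code: it parses a SCRAM client-first message with an ASCII-only `saslname` pattern and with the RFC 5802 grammar (which also allows UTF8-2/3/4 in `value-safe-char`), and reuses the same pattern as a create-time username check. Both patterns, the function names and the nonce in `creatable` are constructed for illustration; the ASCII-only pattern is modelled on the issue's description, and SASLprep normalisation is not covered.

```python
import re

# ASCII-only value-safe-char: every ASCII byte except NUL, ',' and '='
# (assumption based on the issue text, not copied from Redpanda's source).
ASCII_SAFE = r"[\x01-\x2b\x2d-\x3c\x3e-\x7f]"
# RFC 5802 value-safe-char: the same set plus UTF8-2/3/4, i.e. any non-ASCII
# code point once the message has been decoded from UTF-8.
RFC_SAFE = r"[\x01-\x2b\x2d-\x3c\x3e-\x7f\x80-\U0010ffff]"


def _client_first(safe):
    # saslname = 1*(value-safe-char / "=2C" / "=3D")
    saslname = rf"(?:{safe}|=2C|=3D)+"
    # gs2-header "n,," (no channel binding, no authzid), then n=<user>,r=<nonce>
    return re.compile(
        rf"n,,n=(?P<user>{saslname}),r=(?P<nonce>[\x21-\x2b\x2d-\x7e]+)"
    )


ASCII_ONLY = _client_first(ASCII_SAFE)
RFC_5802 = _client_first(RFC_SAFE)


def to_saslname(username):
    """Escape '=' and ',' the way a SCRAM client does before sending n=<user>."""
    return username.replace("=", "=3D").replace(",", "=2C")


def parse_client_first(message, pattern):
    """Return the decoded username, or None if the message is rejected."""
    m = pattern.fullmatch(message)
    if m is None:
        return None
    return m.group("user").replace("=2C", ",").replace("=3D", "=")


def creatable(username, pattern):
    """Create-time check: would this name pass the auth-time pattern?"""
    msg = f"n,,n={to_saslname(username)},r=constructednonce"
    return parse_client_first(msg, pattern) == username


if __name__ == "__main__":
    # Client-first message quoted in the log line above.
    msg = "n,,n=User:Böqüárd,r=q2LZsEiSHhDWJVirP93KQncEPJA"
    print("ASCII-only:", parse_client_first(msg, ASCII_ONLY))
    print("RFC 5802  :", parse_client_first(msg, RFC_5802))
    print("creatable under ASCII-only:", creatable("Böqüárd", ASCII_ONLY))
```

Calling `creatable` with whichever pattern the authentication path uses keeps user creation and authentication in agreement, which is what both options in the issue aim for.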

This issue hasn't seen activity in 3 months. If you want to keep it open, post a comment or remove the stale label – otherwise this will be closed in two weeks.

github-actions[bot] avatar Aug 20 '24 06:08 github-actions[bot]

This issue was closed due to lack of activity. Feel free to reopen if it's still relevant.

github-actions[bot] avatar Sep 03 '24 06:09 github-actions[bot]