KAFKA-12866: Avoid root access to Zookeeper

[soarez]

https://issues.apache.org/jira/browse/KAFKA-12866

The broker shouldn't assume create access to the chroot. There are
deployement scenarios where the chroot is already created is the only
znode which the broker can access.

To test this, we can use a ZK integration test, and configure zookeeper in the same way the issue is reproduced.

1. Create the chroot
2. Set free access to the chroot
3. Lock down access to the root znode
4. Try to connect the KafkaZkClient

It should be a separate ZooKeeperTestHarness to avoid leaving the ACL changes made to ZK root visible to other tests.

Rejected alternatives

• Expect NoAuth in KafkaZkClient.createRecursive and assume NoAuth as success.
• Create new configuration to set createChrootIfNecessary = false instead of the current non configurable default value of true.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[soarez]

@omkreddy can you have a look at this one?

[omkreddy]

@soarez Thanks for the PR. LGTM

[omkreddy]

cc @rondagostino

[rondagostino]

Good catch @soarez, and thanks for the PR! Test failed without the fix and passed with it. Thanks again.