You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kafka.apache.org by "Andy Coates (JIRA)" <ji...@apache.org> on 2017/05/15 18:52:04 UTC

[jira] [Assigned] (KAFKA-5246) Remove backdoor that allows any client to produce to internal topics

     [ https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Coates reassigned KAFKA-5246:
----------------------------------

    Assignee: Andy Coates

>  Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
>                 Key: KAFKA-5246
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5246
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0, 0.10.2.1
>            Reporter: Andy Coates
>            Assignee: Andy Coates
>            Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be unused in the code, with the exception of a single use in KafkaAPis.scala in handleProducerRequest, where is looks to allow any client, using the special ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to produce either rouge offsets or even a record containing something other than group/offset info.
> Can we remove this please?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)