You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Andy Coates (JIRA)" <ji...@apache.org> on 2017/06/08 16:48:18 UTC
[jira] [Updated] (KAFKA-5246) Remove backdoor that allows any
client to produce to internal topics
[ https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andy Coates updated KAFKA-5246:
-------------------------------
Resolution: Won't Fix
Status: Resolved (was: Patch Available)
Discussions on PR mean we're closing this without fixing. Work around is to use ACLs to lock down the __consumer_offset topic to only allow required use-cases direct access to produce to it.
> Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
> Key: KAFKA-5246
> URL: https://issues.apache.org/jira/browse/KAFKA-5246
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0, 0.10.2.1
> Reporter: Andy Coates
> Assignee: Andy Coates
> Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be unused in the code, with the exception of a single use in KafkaAPis.scala in handleProducerRequest, where is looks to allow any client, using the special ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to produce either rouge offsets or even a record containing something other than group/offset info.
> Can we remove this please?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)