Posted to dev@kafka.apache.org by "Purshotam Chauhan (Jira)" <ji...@apache.org> on 2022/12/02 13:14:00 UTC

[jira] [Created] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled

Purshotam Chauhan created KAFKA-14435:
-----------------------------------------

             Summary: Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
                 Key: KAFKA-14435
                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
             Project: Kafka
          Issue Type: Bug
          Components: kraft
            Reporter: Purshotam Chauhan


When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow everyone only if there is no ACL present for a particular resource. But if there are ACLs present for the resource, then it shouldn't be allowing everyone.

StandardAuthorizer is allowing the principals for which no ACLs are defined even when the resource has other ACLs.


This behavior can be validated with the following test case:

{code:java}
@Test
public void testAllowEveryoneConfig() throws Exception {
    StandardAuthorizer authorizer = new StandardAuthorizer();
    HashMap<String, Object> configs = new HashMap<>();
    // Note: super users are lower-case "alice"/"chris", so "User:Alice" below is an ordinary principal
    configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
    configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
    authorizer.configure(configs);
    authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
    authorizer.completeInitialLoad();

    // Allow User:Alice to read topic "foobar"
    List<StandardAclWithId> acls = asList(
        withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
    );
    acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));

    // User:Bob shouldn't be allowed to read topic "foobar": the topic has an ACL,
    // so the allow-everyone fallback must not apply
    assertEquals(singletonList(DENIED),
        authorizer.authorize(new MockAuthorizableRequestContext.Builder().
                setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
            singletonList(newAction(READ, TOPIC, "foobar"))));
}
{code}

In the above test, `User:Bob` should be DENIED but the above test case fails.
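The difference between the intended semantics and the reported behaviour comes down to which question the fallback asks: "are there any ACLs for this resource?" versus "are there any ACLs matching this principal?". The following is an added, self-contained model of the two decision procedures written for this page; it is not Kafka's StandardAuthorizer code and deliberately simplifies the real authorizer (literal resource names only, no prefix patterns, no host matching, and only the `User:*` wildcard principal). Function names, the `Acl` record and the sample ACL set are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


@dataclass(frozen=True)
class Acl:
    """Simplified ACL: literal resource name, single principal, single operation."""
    resource_type: str   # e.g. "TOPIC"
    resource_name: str   # literal name only in this model
    principal: str       # "User:Alice" or the wildcard "User:*"
    operation: str       # "READ", "WRITE", ... or "ALL"
    permission: Permission


def _acls_for_resource(acls, resource_type, resource_name):
    """Every ACL bound to the resource, regardless of principal or operation."""
    return [a for a in acls
            if a.resource_type == resource_type and a.resource_name == resource_name]


def _matching(acls, principal, operation):
    """ACLs whose principal and operation apply to this request."""
    return [a for a in acls
            if a.principal in (principal, "User:*") and a.operation in (operation, "ALL")]


def _decide(matching):
    # An explicit DENY always wins over an ALLOW; no match at all is a deny.
    if any(a.permission is Permission.DENY for a in matching):
        return "DENIED"
    if any(a.permission is Permission.ALLOW for a in matching):
        return "ALLOWED"
    return "DENIED"


def authorize_intended(acls, super_users, allow_everyone_if_no_acl_found,
                       principal, resource_type, resource_name, operation):
    """Semantics the ticket expects: fall back to allow-everyone only when the
    resource has no ACLs at all."""
    if principal in super_users:
        return "ALLOWED"
    resource_acls = _acls_for_resource(acls, resource_type, resource_name)
    if not resource_acls:
        return "ALLOWED" if allow_everyone_if_no_acl_found else "DENIED"
    return _decide(_matching(resource_acls, principal, operation))


def authorize_as_reported(acls, super_users, allow_everyone_if_no_acl_found,
                          principal, resource_type, resource_name, operation):
    """Model of the behaviour the ticket describes: the fallback triggers when no
    ACL matches the requesting principal, even though the resource has ACLs."""
    if principal in super_users:
        return "ALLOWED"
    resource_acls = _acls_for_resource(acls, resource_type, resource_name)
    matching = _matching(resource_acls, principal, operation)
    if not matching:
        return "ALLOWED" if allow_everyone_if_no_acl_found else "DENIED"
    return _decide(matching)


# Constructed scenario mirroring the ticket's test case.
SUPER_USERS = {"User:alice", "User:chris"}
ACLS = [Acl("TOPIC", "foobar", "User:Alice", "READ", Permission.ALLOW)]


def ticket_scenario():
    """Returns (intended, as_reported) decisions for User:Bob reading topic foobar."""
    args = (ACLS, SUPER_USERS, True, "User:Bob", "TOPIC", "foobar", "READ")
    return authorize_intended(*args), authorize_as_reported(*args)


if __name__ == "__main__":
    print("User:Bob READ foobar ->", ticket_scenario())   # ('DENIED', 'ALLOWED')
```

In the model, `authorize_intended` denies Bob because `foobar` already carries an ACL, while `authorize_as_reported` lets him through because none of those ACLs name him. Both functions agree on the cases the config is meant for (a topic with no ACLs at all, or a super user), which is why the gap is easy to miss without a test that adds an ACL for one principal and then queries as another.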
--
This message was sent by Atlassian Jira
(v8.20.10#820010)