Posted to jira@kafka.apache.org by "David Arthur (Jira)" <ji...@apache.org> on 2020/09/16 21:06:00 UTC

[jira] [Created] (KAFKA-10491) Check authorizations before other criteria in KafkaApis

David Arthur created KAFKA-10491:
------------------------------------

             Summary: Check authorizations before other criteria in KafkaApis
                 Key: KAFKA-10491
                 URL: https://issues.apache.org/jira/browse/KAFKA-10491
             Project: Kafka
          Issue Type: Improvement
            Reporter: David Arthur


In KafkaApis#handleAlterUserScramCredentialsRequest we check if the current broker is the controller before checking if the request is authorized. This is a potential information leak about details of the system (i.e., who is the controller). We should fix this to check the authz first.

[~hachikuji] pointed this out during the review for AlterIsr since I had followed the pattern in handleAlterUserScramCredentialsRequest. 

We should fix handleAlterUserScramCredentialsRequest and audit the rest of KafkaApis for similar patterns.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
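The ordering problem the ticket describes, as an added illustrative model written for this page; it is not Kafka's own Scala code from KafkaApis. The Broker, handle_leaky, handle_fixed and probe_controller names, the three-broker sample cluster and the ACL are assumptions made up for the example; only the error names NOT_CONTROLLER and CLUSTER_AUTHORIZATION_FAILED are borrowed from Kafka's error codes. It shows that when the controller check runs before the authorization check, an unauthorized principal can find the controller just by sending the same request to every broker and looking for the one that answers differently; with authorization checked first, every broker answers the same.

```python
"""Illustrative model of the check ordering flagged in KAFKA-10491.

This is example code, not Kafka's implementation. Handler structure, broker
model, ACL and sample cluster are all constructed for the demonstration.
"""

from collections import Counter
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List


class Error(Enum):
    # Names borrowed from Kafka's error codes; values are just labels here.
    NONE = "NONE"
    NOT_CONTROLLER = "NOT_CONTROLLER"
    CLUSTER_AUTHORIZATION_FAILED = "CLUSTER_AUTHORIZATION_FAILED"


@dataclass(frozen=True)
class Broker:
    broker_id: int
    is_controller: bool
    # Hypothetical ACL: principals granted ALTER on the CLUSTER resource.
    cluster_alter_acl: FrozenSet[str]


def _authorized(broker: Broker, principal: str) -> bool:
    return principal in broker.cluster_alter_acl


def handle_leaky(broker: Broker, principal: str) -> Error:
    """The pattern the ticket flags: routing criterion (am I the controller?)
    is evaluated before authorization, so the answer depends on broker identity
    even for callers who are not allowed to make the request."""
    if not broker.is_controller:
        return Error.NOT_CONTROLLER
    if not _authorized(broker, principal):
        return Error.CLUSTER_AUTHORIZATION_FAILED
    return Error.NONE


def handle_fixed(broker: Broker, principal: str) -> Error:
    """The proposed ordering: authorize first, then apply any other criteria.
    Unauthorized callers get the same response from every broker."""
    if not _authorized(broker, principal):
        return Error.CLUSTER_AUTHORIZATION_FAILED
    if not broker.is_controller:
        return Error.NOT_CONTROLLER
    return Error.NONE


Handler = Callable[[Broker, str], Error]


def probe_controller(handler: Handler, brokers: List[Broker], principal: str) -> List[int]:
    """What a client learns by sending the request to every broker: the ids of
    the brokers whose response is the odd one out. An empty list means every
    broker answered identically and the probe learned nothing."""
    responses = {b.broker_id: handler(b, principal) for b in brokers}
    counts = Counter(responses.values())
    if len(counts) == 1:
        return []
    rarest = min(counts, key=lambda err: counts[err])
    return sorted(bid for bid, err in responses.items() if err == rarest)


# Constructed sample cluster: broker 2 is the controller, only User:admin
# holds ALTER on CLUSTER.
ACL = frozenset({"User:admin"})
CLUSTER = [
    Broker(1, False, ACL),
    Broker(2, True, ACL),
    Broker(3, False, ACL),
]


if __name__ == "__main__":
    # Unauthorized probe against the leaky handler pinpoints the controller.
    print("leaky:", probe_controller(handle_leaky, CLUSTER, "User:guest"))
    # Against the fixed handler the same probe learns nothing.
    print("fixed:", probe_controller(handle_fixed, CLUSTER, "User:guest"))
```

The same probe generalizes to the audit the ticket asks for: any criterion a handler evaluates before its authorization check (topic existence, partition leadership, feature flags) is observable to an unauthorized caller in exactly this way, so the audit question for each KafkaApis handler is simply whether anything reachable by an unauthorized principal varies with broker or cluster state. Authorized callers still receive NOT_CONTROLLER from the fixed handler, which is fine, since they are entitled to that information.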