You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2017/06/08 16:46:18 UTC
[jira] [Commented] (KAFKA-5246) Remove backdoor that allows any
client to produce to internal topics
[ https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16043005#comment-16043005 ]
ASF GitHub Bot commented on KAFKA-5246:
---------------------------------------
Github user datalorax closed the pull request at:
https://github.com/apache/kafka/pull/3061
> Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
> Key: KAFKA-5246
> URL: https://issues.apache.org/jira/browse/KAFKA-5246
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0, 0.10.2.1
> Reporter: Andy Coates
> Assignee: Andy Coates
> Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be unused in the code, with the exception of a single use in KafkaAPis.scala in handleProducerRequest, where is looks to allow any client, using the special ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to produce either rouge offsets or even a record containing something other than group/offset info.
> Can we remove this please?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)