[ https://issues.apache.org/jira/browse/KAFKA-2579?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14907308#comment-14907308 ]
ASF GitHub Bot commented on KAFKA-2579: --------------------------------------- GitHub user hachikuji opened a pull request: https://github.com/apache/kafka/pull/240 KAFKA-2579; prevent unauthorized clients from joining groups You can merge this pull request into a Git repository by running: $ git pull https://github.com/hachikuji/kafka KAFKA-2579 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/kafka/pull/240.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #240 ---- commit c2700d06c0e73a0259c254bd1b776c271c86c79e Author: Jason Gustafson <ja...@confluent.io> Date: 2015-09-25T00:33:26Z KAFKA-2579; prevent unauthorized clients from joining groups ---- > Unauthorized clients should not be able to join groups > ------------------------------------------------------- > > Key: KAFKA-2579 > URL: https://issues.apache.org/jira/browse/KAFKA-2579 > Project: Kafka > Issue Type: Sub-task > Components: security > Affects Versions: 0.9.0.0 > Reporter: Jason Gustafson > Assignee: Jason Gustafson > > The JoinGroup authorization is only checked in the response callback which is > invoked after the request has been forwarded to the ConsumerCoordinator and > the client has joined the group. This allows unauthorized members to impact > the rest of the group since the coordinator will assign partitions to them. > It would be better to check permission and return immediately if the client > is unauthorized. -- This message was sent by Atlassian JIRA (v6.3.4#6332)