[
https://issues.apache.org/jira/browse/KAFKA-3797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Vahid Hashemian reassigned KAFKA-3797:
--------------------------------------
Assignee: Vahid Hashemian
> Improve security of __consumer_offsets topic
> --------------------------------------------
>
> Key: KAFKA-3797
> URL: https://issues.apache.org/jira/browse/KAFKA-3797
> Project: Kafka
> Issue Type: Improvement
> Reporter: Jason Gustafson
> Assignee: Vahid Hashemian
>
> By default, we allow clients to override committed offsets and group metadata
> using the Produce API as long as they have Write access to the
> __consumer_offsets topic. From one perspective, this is fine: administrators
> can restrict access to this topic to trusted users. From another, it seems
> less than ideal for Write permission on that topic to subsume Group-level
> permissions for the full cluster. With this access, a user can cause all
> kinds of mischief including making the group "lose" data by setting offsets
> ahead of the actual position. This is probably not obvious to administrators
> who grant access to topics using a wildcard and it increases the risk from
> incorrectly applying topic patterns (if we ever add support for them). It
> seems reasonable to consider safer default behavior:
> 1. A simple option to fix this would be to prevent wildcard topic rules from
> applying to internal topics. To write to an internal topic, you need a
> separate rule which explicitly grants authorization to that topic.
> 2. A more extreme and perhaps safer option might be to prevent all writes to
> this topic (and potentially other internal topics) through the Produce API.
> Do we have any use cases which actually require writing to
> __consumer_offsets? The only potential case that comes to mind is replication.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
