Andy Coates created KAFKA-5246:
----------------------------------
Summary: Remove backdoor that allows any client to produce to
internal topics
Key: KAFKA-5246
URL: https://issues.apache.org/jira/browse/KAFKA-5246
Project: Kafka
Issue Type: Bug
Components: core
Affects Versions: 0.10.2.1, 0.10.2.0, 0.10.1.1, 0.10.1.0, 0.10.0.1, 0.10.0.0
Reporter: Andy Coates
Priority: Minor
kafka.admin.AdminUtils defines an 'AdminClientId' val, which looks to be unused
in the code, with the exception of a single use in KafkaApis.scala in
handleProducerRequest, where it looks to allow any client, using the special
'__admin_client' client id, to append to internal topics.
This looks like a security risk to me, as it would allow any client to produce
either rogue offsets or even a record containing something other than
group/offset info.
Can we remove this please?
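The trust problem this report describes, as an added example that is not part of the original message and is not Kafka's code: a simplified Python model of a produce-path check keyed on the client id, next to a form with the exception removed. The `ProduceRequest` type, the function names and the sample requests are constructed for illustration, and `__consumer_offsets` stands in for the set of internal topics.

```python
from dataclasses import dataclass

ADMIN_CLIENT_ID = "__admin_client"        # special client id named in the report
INTERNAL_TOPICS = {"__consumer_offsets"}  # assumption: stand-in for the internal topic set


@dataclass(frozen=True)
class ProduceRequest:
    client_id: str  # free-form request header field, chosen by the sender
    topic: str


def allowed_by_client_id(req: ProduceRequest) -> bool:
    """Pattern described in the report: a matching client id opens internal topics."""
    if req.topic not in INTERNAL_TOPICS:
        return True
    # The client id is self-asserted and never authenticated, so this
    # comparison grants the exception to whoever sends the string.
    return req.client_id == ADMIN_CLIENT_ID


def allowed_hardened(req: ProduceRequest) -> bool:
    """Exception removed: client produce requests never append to internal topics.

    Assumption of this model: the broker's own writes to internal topics
    do not travel through the client produce path, so nothing legitimate
    depends on the client id exception.
    """
    return req.topic not in INTERNAL_TOPICS


def audit(requests):
    """Requests admitted only because of the client id exception (review candidates)."""
    return [r for r in requests if allowed_by_client_id(r) and not allowed_hardened(r)]


# Constructed sample requests, not taken from any real broker log.
SAMPLE = [
    ProduceRequest("orders-service", "orders"),
    ProduceRequest("orders-service", "__consumer_offsets"),
    ProduceRequest("__admin_client", "__consumer_offsets"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print("admitted only via client id exception:", r)
```

The same `audit` filter can be applied to parsed request logs to see whether any client has ever relied on the exception before it is removed.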