[jira] [Updated] (KAFKA-5246) Remove backdoor that allows any client to produce to internal topics

Andy Coates (JIRA) Mon, 15 May 2017 13:26:00 -0700

     [ 
https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Andy Coates updated KAFKA-5246:
-------------------------------
    Status: Patch Available  (was: Open)

>  Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
>                 Key: KAFKA-5246
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5246
>             Project: Kafka
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 0.10.2.1, 0.10.2.0, 0.10.1.1, 0.10.1.0, 0.10.0.1, 
> 0.10.0.0
>            Reporter: Andy Coates
>            Assignee: Andy Coates
>            Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be 
> unused in the code, with the exception of a single use in KafkaAPis.scala in 
> handleProducerRequest, where is looks to allow any client, using the special 
> ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to 
> produce either rouge offsets or even a record containing something other than 
> group/offset info.
> Can we remove this please?



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

[jira] [Updated] (KAFKA-5246) Remove backdoor that allows any client to produce to internal topics

Reply via email to