[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642497#comment-17642497 ]
Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 2:12 PM:
--------------------------------------------------------------------

This can be fixed by adding a flag `noResourceAcls` in the `MatchingAclBuilder` class. We can set this flag inside the `if` block [here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in the `MatchingAclBuilder` class. We can set this flag inside the `if` clause [here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

> Kraft: StandardAuthorizer allowing a non-authorized user when
> `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Priority: Critical
>
> When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow
> everyone only if there is no ACL present for a particular resource. But if
> there are ACLs present for the resource, then it shouldn't be allowing
> everyone.
> StandardAuthorizer is allowing the principals for which no ACLs are defined
> even when the resource has other ACLs.
>
> This behavior can be validated with the following test case:
>
> {code:java}
> @Test
> public void testAllowEveryoneConfig() throws Exception {
>     StandardAuthorizer authorizer = new StandardAuthorizer();
>     HashMap<String, Object> configs = new HashMap<>();
>     configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
>     configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
>     authorizer.configure(configs);
>     authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
>     authorizer.completeInitialLoad();
>
>     // Allow User:Alice to read topic "foobar"
>     List<StandardAclWithId> acls = asList(
>         withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
>     );
>     acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));
>
>     // User:Bob shouldn't be allowed to read topic "foobar"
>     assertEquals(singletonList(DENIED),
>         authorizer.authorize(new MockAuthorizableRequestContext.Builder().
>             setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
>             singletonList(newAction(READ, TOPIC, "foobar"))));
> }
> {code}
>
> In the above test, `User:Bob` should be DENIED but the above test case fails.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
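The decision the report describes, modelled in Python as an added example (this is not code from Apache Kafka or from the issue's participants). `authorize_buggy` applies the `allow.everyone.if.no.acl.found` fallback whenever no ACL matched the requesting principal, which is the behaviour the report observes; `authorize_fixed` applies it only when the resource carries no ACLs at all, which is the documented intent. The `Acl` shape, the matching rules, and every name below are simplified assumptions; the scenario data mirrors the test case in the report.

```python
"""Model of the allow.everyone.if.no.acl.found decision (constructed example).

Not Kafka code: the ACL shape, matching rules and names are simplified
stand-ins for what the StandardAuthorizer does.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Set

ALLOW, DENY = "ALLOW", "DENY"
ALLOWED, DENIED = "ALLOWED", "DENIED"
WILDCARD_PRINCIPAL = "User:*"  # assumption: wildcard principal spelling


@dataclass(frozen=True)
class Acl:
    resource_type: str   # e.g. "TOPIC"
    resource_name: str   # literal name; "*" matches any name (assumption)
    principal: str       # "User:Alice" or WILDCARD_PRINCIPAL
    operation: str       # "READ", "WRITE", ... or "ALL"
    permission: str      # ALLOW or DENY


def matches_resource(acl: Acl, resource_type: str, resource_name: str) -> bool:
    return acl.resource_type == resource_type and acl.resource_name in (resource_name, "*")


def matches_request(acl: Acl, principal: str, operation: str) -> bool:
    return (acl.principal in (principal, WILDCARD_PRINCIPAL)
            and acl.operation in (operation, "ALL"))


def _authorize(acls: Iterable[Acl], super_users: Set[str], allow_everyone_if_no_acl_found: bool,
               principal: str, resource_type: str, resource_name: str, operation: str,
               *, fallback_on_no_match: bool) -> str:
    """Return ALLOWED or DENIED for one action.

    fallback_on_no_match=True reproduces the reported bug: the "no ACL found"
    fallback fires when no ACL matched this principal/operation.  False is the
    intended behaviour: it fires only when the resource has no ACLs at all.
    """
    if principal in super_users:
        return ALLOWED
    resource_acls = [a for a in acls if matches_resource(a, resource_type, resource_name)]
    matching = [a for a in resource_acls if matches_request(a, principal, operation)]
    # An explicit DENY wins over any ALLOW.
    if any(a.permission == DENY for a in matching):
        return DENIED
    if any(a.permission == ALLOW for a in matching):
        return ALLOWED
    no_acl_found = (not matching) if fallback_on_no_match else (not resource_acls)
    if allow_everyone_if_no_acl_found and no_acl_found:
        return ALLOWED
    return DENIED


def authorize_buggy(*args) -> str:
    """Behaviour described in KAFKA-14435: other principals' ACLs are ignored."""
    return _authorize(*args, fallback_on_no_match=True)


def authorize_fixed(*args) -> str:
    """Intended behaviour: any ACL on the resource disables the fallback."""
    return _authorize(*args, fallback_on_no_match=False)


# Constructed scenario mirroring the report's test: super users alice and chris,
# allow-everyone enabled, and a single ACL letting User:Alice read topic foobar.
SUPER_USERS = {"User:alice", "User:chris"}
ACLS = [Acl("TOPIC", "foobar", "User:Alice", "READ", ALLOW)]


def scenario(fn: Callable[..., str]) -> dict:
    """Run the report's check plus control cases through one authorizer variant."""
    return {
        # The report's assertion: Bob has no ACL, but foobar does have one.
        "bob_reads_foobar": fn(ACLS, SUPER_USERS, True, "User:Bob", "TOPIC", "foobar", "READ"),
        # The ACL holder is allowed either way.
        "alice_reads_foobar": fn(ACLS, SUPER_USERS, True, "User:Alice", "TOPIC", "foobar", "READ"),
        # A topic with no ACLs is open to everyone while the flag is on.
        "bob_reads_unprotected": fn(ACLS, SUPER_USERS, True, "User:Bob", "TOPIC", "other", "READ"),
        # With the flag off, the same unprotected topic is closed.
        "bob_reads_unprotected_flag_off": fn(ACLS, SUPER_USERS, False, "User:Bob", "TOPIC", "other", "READ"),
        # Super users bypass ACLs entirely.
        "chris_reads_foobar": fn(ACLS, SUPER_USERS, True, "User:chris", "TOPIC", "foobar", "READ"),
    }


if __name__ == "__main__":
    print("buggy:", scenario(authorize_buggy))
    print("fixed:", scenario(authorize_fixed))
```

Running the script shows the single divergence that matters: `bob_reads_foobar` is `ALLOWED` under the buggy decision and `DENIED` under the fixed one, while every control case agrees. The difference is entirely in which set is tested for emptiness before the fallback: the ACLs matching the principal, or the ACLs attached to the resource.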