[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Purshotam Chauhan resolved KAFKA-14435.
---------------------------------------
    Fix Version/s: 3.3.2
                   3.4.0
       Resolution: Fixed

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>    Affects Versions: 3.2.0, 3.3.0, 3.2.1, 3.2.2, 3.2.3, 3.3.1
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>             Fix For: 3.3.2, 3.4.0
>
>
> When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow everyone only if there is no ACL present for a particular resource. But if there are ACLs present for the resource, then it shouldn't be allowing everyone.
> StandardAuthorizer is allowing the principals for which no ACLs are defined even when the resource has other ACLs.
>
> This behavior can be validated with the following test case:
>
> {code:java}
> @Test
> public void testAllowEveryoneConfig() throws Exception {
>     StandardAuthorizer authorizer = new StandardAuthorizer();
>     HashMap<String, Object> configs = new HashMap<>();
>     configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
>     configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
>     authorizer.configure(configs);
>     authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
>     authorizer.completeInitialLoad();
>
>     // Allow User:Alice to read topic "foobar"
>     List<StandardAclWithId> acls = asList(
>         withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
>     );
>     acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));
>
>     // User:Bob shouldn't be allowed to read topic "foobar"
>     assertEquals(singletonList(DENIED),
>         authorizer.authorize(new MockAuthorizableRequestContext.Builder()
>             .setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
>             singletonList(newAction(READ, TOPIC, "foobar"))));
> }
> {code}
>
> In the above test, `User:Bob` should be DENIED but the above test case fails.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
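The decision rule the report describes, as an added example that is not Kafka's code and not part of this issue: a small model of ACL evaluation in which "no ACL found" is decided per resource (the intended semantics), with a `buggy=True` switch that instead decides it per resource-and-principal, reproducing the reported behaviour where User:Bob is allowed because no ACL names him. The `Acl` class, the `authorize` function and the sample ACL list are constructed for this illustration; host matching and PREFIXED patterns are omitted.

```python
from dataclasses import dataclass
from typing import Iterable

ALLOW, DENY = "ALLOW", "DENY"          # ACL permission types
ALLOWED, DENIED = "ALLOWED", "DENIED"  # authorization results
WILDCARD = "*"                         # wildcard resource name / principal


@dataclass(frozen=True)
class Acl:
    resource_type: str   # e.g. "TOPIC"
    resource_name: str   # e.g. "foobar" or "*"
    principal: str       # e.g. "User:Alice" or "User:*"
    operation: str       # e.g. "READ" or "ALL"
    permission: str      # ALLOW or DENY


def matches_resource(acl: Acl, rtype: str, rname: str) -> bool:
    return acl.resource_type == rtype and acl.resource_name in (rname, WILDCARD)


def matches_principal(acl: Acl, principal: str) -> bool:
    return acl.principal in (principal, "User:" + WILDCARD)


def authorize(principal: str, operation: str, rtype: str, rname: str,
              acls: Iterable[Acl], allow_everyone_if_no_acl_found: bool,
              buggy: bool = False) -> str:
    # ACLs that apply to this resource at all, regardless of principal
    resource_acls = [a for a in acls if matches_resource(a, rtype, rname)]
    # ACLs that apply to this principal and operation on this resource
    relevant = [a for a in resource_acls
                if matches_principal(a, principal) and a.operation in (operation, "ALL")]
    if any(a.permission == DENY for a in relevant):   # an explicit DENY always wins
        return DENIED
    if any(a.permission == ALLOW for a in relevant):
        return ALLOWED
    # Intended rule: fall back to allow-everyone only when the RESOURCE has no ACLs.
    # Buggy rule (modelled): fall back whenever no ACL matched this PRINCIPAL.
    no_acl_found = not relevant if buggy else not resource_acls
    if allow_everyone_if_no_acl_found and no_acl_found:
        return ALLOWED
    return DENIED


# Constructed sample ACL set mirroring the report: only User:Alice may READ topic "foobar".
SAMPLE_ACLS = [Acl("TOPIC", "foobar", "User:Alice", "READ", ALLOW)]
```

Running `authorize("User:Bob", "READ", "TOPIC", "foobar", SAMPLE_ACLS, True)` yields DENIED under the intended rule and ALLOWED with `buggy=True`; a topic with no ACLs at all is allowed to everyone only while the config is enabled.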