[ 
https://issues.apache.org/jira/browse/KAFKA-18627?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chia-Ping Tsai updated KAFKA-18627:
-----------------------------------
    Description: 
Currently, we allow all login modules except for those explicitly listed in 
{{org.apache.kafka.disallowed.login.modules}}. This approach presents a 
security risk: new and potentially insecure login modules may emerge over time. 
To mitigate this, we should consider adding 
{{org.apache.kafka.allowed.login.modules}} to explicitly list all built-in 
login modules and reject any other modules not included in this list.

(optional) we can deprecate {{org.apache.kafka.disallowed.login.modules}} and 
print a warning message when users explicitly define it.

  was:we should consider adding org.apache.kafka.allowed.login.modules to 
include all built-in login modules. (optional) we can deprecate 
`org.apache.kafka.disallowed.login.modules` and print warning message when 
users explicitly define it.


> add allowed modules to JaasUtils
> --------------------------------
>
>                 Key: KAFKA-18627
>                 URL: https://issues.apache.org/jira/browse/KAFKA-18627
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Chia-Ping Tsai
>            Assignee: Chia-Ping Tsai
>            Priority: Major
>             Fix For: 4.0.0
>
>
> Currently, we allow all login modules except for those explicitly listed in 
> {{org.apache.kafka.disallowed.login.modules}}. This approach presents a 
> security risk: new and potentially insecure login modules may emerge over 
> time. To mitigate this, we should consider adding 
> {{org.apache.kafka.allowed.login.modules}} to explicitly list all built-in 
> login modules and reject any other modules not included in this list.
> (optional) we can deprecate {{org.apache.kafka.disallowed.login.modules}} and 
> print a warning message when users explicitly define it.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
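The deny-list versus allow-list difference the ticket describes, as an added example written for this page (it is not Kafka's JaasUtils and not code from the reporter). The two system property names are taken from the ticket; the default contents of both lists, the helper names, and the sample JAAS entries (including the hypothetical com.example.UnvettedLoginModule) are assumptions made for the example. The point it shows: a module that nobody has yet put on the deny-list passes the current check, while the allow-list check rejects it because it is not one of the built-ins.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;

/**
 * Added example, not Kafka's JaasUtils: contrasts the deny-list check the
 * ticket describes as current behaviour with the allow-list check it proposes.
 * Property names come from the ticket; the default lists, helper names and
 * sample JAAS entries are assumptions made for this example.
 */
public final class LoginModuleAllowList {

    /** Splits a comma-separated property value into a set of class names. */
    private static Set<String> fromProperty(String key, String defaultValue) {
        Set<String> modules = new HashSet<>();
        for (String m : System.getProperty(key, defaultValue).split(",")) {
            if (!m.trim().isEmpty()) modules.add(m.trim());
        }
        return modules;
    }

    /** Deny-list (current): assumed default blocks only the JNDI module. */
    static final Set<String> DISALLOWED = fromProperty(
            "org.apache.kafka.disallowed.login.modules",
            "com.sun.security.auth.module.JndiLoginModule");

    /** Allow-list (proposed): assumed default names the built-in modules. */
    static final Set<String> ALLOWED = fromProperty(
            "org.apache.kafka.allowed.login.modules",
            "org.apache.kafka.common.security.plain.PlainLoginModule,"
            + "org.apache.kafka.common.security.scram.ScramLoginModule,"
            + "org.apache.kafka.common.security.oauthbearer.OAuthBearerLoginModule,"
            + "com.sun.security.auth.module.Krb5LoginModule");

    /** Current behaviour: anything not explicitly denied is accepted; returns the first denied name or null. */
    static String firstRejectedByDenyList(AppConfigurationEntry[] entries) {
        for (AppConfigurationEntry e : entries) {
            if (DISALLOWED.contains(e.getLoginModuleName())) return e.getLoginModuleName();
        }
        return null;
    }

    /** Proposed behaviour: anything not explicitly allowed is rejected; returns the first unknown name or null. */
    static String firstRejectedByAllowList(AppConfigurationEntry[] entries) {
        for (AppConfigurationEntry e : entries) {
            if (!ALLOWED.contains(e.getLoginModuleName())) return e.getLoginModuleName();
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: a JAAS section naming a built-in module plus a
        // hypothetical third-party module that neither list has heard of.
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(
                "org.apache.kafka.common.security.plain.PlainLoginModule",
                LoginModuleControlFlag.REQUIRED, Collections.emptyMap()),
            new AppConfigurationEntry(
                "com.example.UnvettedLoginModule",
                LoginModuleControlFlag.REQUIRED, Collections.emptyMap())
        };

        // The deny-list finds nothing to object to, so the unknown module loads.
        System.out.println("deny-list rejects:  " + firstRejectedByDenyList(entries));
        // The allow-list stops it, because it is not one of the built-ins.
        System.out.println("allow-list rejects: " + firstRejectedByAllowList(entries));
    }
}
```

Both checks run against the same AppConfigurationEntry array that JAAS hands back for a login context, so the allow-list can replace the deny-list without changing how the configuration is read; only the membership test is inverted. Operators who ship a custom module would then have to name it in the allowed property, which is the explicit opt-in the ticket is after.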
