[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled

2022-12-02 Thread Purshotam Chauhan (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642497#comment-17642497
 ] 

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 2:12 PM:


This can be fixed by adding a flag `noResourceAcls` to the `MatchingAclBuilder` 
class. We can set this flag inside the `if` block 
[here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].


was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` 
class. We can set this flag inside the `if` clause 
[here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

> Kraft: StandardAuthorizer allowing a non-authorized user when 
> `allow.everyone.if.no.acl.found` is enabled
> -
>
> Key: KAFKA-14435
> URL: https://issues.apache.org/jira/browse/KAFKA-14435
> Project: Kafka
>  Issue Type: Bug
>  Components: kraft
>Reporter: Purshotam Chauhan
>Priority: Critical
>
> When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow 
> everyone only if there is no ACL present for a particular resource. But if 
> there are ACLs present for the resource, then it shouldn't be allowing 
> everyone.
> StandardAuthorizer is allowing the principals for which no ACLs are defined 
> even when the resource has other ACLs.
>  
> This behavior can be validated with the following test case:
>  
> {code:java}
> @Test
> public void testAllowEveryoneConfig() throws Exception {
>     StandardAuthorizer authorizer = new StandardAuthorizer();
>     HashMap<String, Object> configs = new HashMap<>();
>     configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
>     configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
>     authorizer.configure(configs);
>     authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
>     authorizer.completeInitialLoad();
>     // Allow User:Alice to read topic "foobar". This is the only ACL on the
>     // resource, so the "no ACL found" fallback must not apply to it.
>     List<StandardAclWithId> acls = asList(
>         withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
>     );
>     acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));
>     // User:Bob has no ACL and is not a super user, so he shouldn't be allowed
>     // to read topic "foobar"
>     assertEquals(singletonList(DENIED),
>         authorizer.authorize(new MockAuthorizableRequestContext.Builder().
>             setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
>             singletonList(newAction(READ, TOPIC, "foobar"))));
> }
> {code}
>  
> In the above test, `User:Bob` should be DENIED, but the test case fails.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
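The semantics the report describes, modelled as a small stand-alone authorizer in Python. This is an added example, not Kafka's StandardAuthorizer or MatchingAclBuilder code: the ACLs, principals and hosts are constructed, the `buggy` switch reproduces the behaviour KAFKA-14435 reports, and the `no_resource_acls` check models the direction of the fix proposed in the comment (an assumption about the shape of the fix, not the actual patch). Only literal resource names are matched, so prefixed and wildcard resource patterns are out of scope.

```python
"""Stand-alone model of allow.everyone.if.no.acl.found (added example).

Constructed ACLs and principals; not Kafka's StandardAuthorizer. The
`buggy` switch reproduces the behaviour KAFKA-14435 reports, and the
`no_resource_acls` check models the shape of the fix proposed in the
thread (an assumption about the fix, not the actual patch). Only literal
resource names are matched here; prefixed and wildcard resource patterns
are out of scope.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List

WILDCARD_HOST = "*"
WILDCARD_PRINCIPAL = "User:*"


class Permission(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


@dataclass(frozen=True)
class Acl:
    resource_type: str   # e.g. "TOPIC"
    resource_name: str   # literal name, e.g. "foobar"
    principal: str       # "User:Alice" or the wildcard "User:*"
    host: str            # client host or "*"
    operation: str       # "READ", "WRITE", ... or "ALL"
    permission: Permission

    def covers_resource(self, resource_type: str, resource_name: str) -> bool:
        return (self.resource_type, self.resource_name) == (resource_type, resource_name)

    def matches(self, principal: str, host: str, operation: str) -> bool:
        return (self.principal in (principal, WILDCARD_PRINCIPAL)
                and self.host in (host, WILDCARD_HOST)
                and self.operation in (operation, "ALL"))


def authorize(acls: Iterable[Acl], *, principal: str, host: str, operation: str,
              resource_type: str, resource_name: str,
              super_users: Iterable[str] = (),
              allow_everyone_if_no_acl_found: bool = False,
              buggy: bool = False) -> str:
    """Return "ALLOWED" or "DENIED" for one action."""
    if principal in set(super_users):
        return "ALLOWED"                       # super users bypass ACLs entirely

    resource_acls: List[Acl] = [a for a in acls
                                if a.covers_resource(resource_type, resource_name)]
    matching = [a for a in resource_acls if a.matches(principal, host, operation)]

    if any(a.permission is Permission.DENY for a in matching):
        return "DENIED"                        # an explicit DENY always wins
    if any(a.permission is Permission.ALLOW for a in matching):
        return "ALLOWED"

    # Nothing matched this principal/host/operation.
    if allow_everyone_if_no_acl_found:
        if buggy:
            # Reported behaviour: "no ACL matched *me*" is treated as "no ACL found",
            # so a principal with no ACL slips through on a resource that has ACLs.
            return "ALLOWED"
        # Intended semantics: fall back to allow only when the *resource* has no ACLs.
        no_resource_acls = not resource_acls   # models the proposed noResourceAcls flag
        if no_resource_acls:
            return "ALLOWED"
    return "DENIED"


def demo() -> dict:
    """Replay the scenario from the bug report against both behaviours."""
    # Constructed data mirroring the report: one ALLOW ACL for User:Alice on topic foobar.
    acls = [Acl("TOPIC", "foobar", "User:Alice", WILDCARD_HOST, "READ", Permission.ALLOW)]
    super_users = {"User:alice", "User:chris"}  # case-sensitive: "User:Alice" is not a super user
    common = dict(host="10.0.0.7", operation="READ", resource_type="TOPIC",
                  super_users=super_users, allow_everyone_if_no_acl_found=True)
    return {
        # Alice is allowed by her explicit ACL.
        "alice_foobar_fixed": authorize(acls, principal="User:Alice", resource_name="foobar", **common),
        # Bob has no ACL on a topic that *does* have ACLs: allowed by the bug, denied when fixed.
        "bob_foobar_buggy": authorize(acls, principal="User:Bob", resource_name="foobar", buggy=True, **common),
        "bob_foobar_fixed": authorize(acls, principal="User:Bob", resource_name="foobar", **common),
        # A topic with no ACLs at all is what the flag is meant to open up.
        "bob_unlisted_fixed": authorize(acls, principal="User:Bob", resource_name="unlisted", **common),
        # With the flag off, the same request is denied.
        "bob_unlisted_flag_off": authorize(acls, principal="User:Bob", resource_name="unlisted",
                                           **{**common, "allow_everyone_if_no_acl_found": False}),
        # A super user bypasses everything, even on a topic with ACLs.
        "chris_foobar_fixed": authorize(acls, principal="User:chris", resource_name="foobar", **common),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24} {verdict}")
```

The point of the model is where the "no ACL found" question is asked: it has to be answered over every ACL that covers the resource, before the list is narrowed to the requesting principal, host and operation. Asking it after that narrowing is exactly the bug the report shows, because any principal without an ACL then sees an empty list. Kafka's real lookup also has to account for prefixed and wildcard resource patterns when deciding whether a resource has ACLs, which this literal-only model leaves out.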


[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled

2022-12-02 Thread Purshotam Chauhan (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642497#comment-17642497
 ] 

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 1:21 PM:


This can be fixed by adding a flag `noResourceAcls` to the `MatchingAclBuilder` 
class. We can set this flag inside the `if` clause 
[here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].


was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` 
class. We can set this flag inside the `if` clause [here.|#L523].]



[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled

2022-12-02 Thread Purshotam Chauhan (Jira)


[ 
https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17642497#comment-17642497
 ] 

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 1:20 PM:


This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` 
class. We can set this flag inside the `if` clause [here.|#L523].]


was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` 
class. We can set this flag inside the if clause 
[here|[https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].]
