Purshotam Chauhan created KAFKA-14435:
-----------------------------------------

             Summary: Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
                 Key: KAFKA-14435
                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
             Project: Kafka
          Issue Type: Bug
          Components: kraft
            Reporter: Purshotam Chauhan


When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow everyone only if there is no ACL present for a particular resource. But if there are ACLs present for the resource, then it shouldn't be allowing everyone.

StandardAuthorizer is allowing the principals for which no ACLs are defined even when the resource has other ACLs. This behavior can be validated with the following test case:

{code:java}
@Test
public void testAllowEveryoneConfig() throws Exception {
    StandardAuthorizer authorizer = new StandardAuthorizer();
    HashMap<String, Object> configs = new HashMap<>();
    configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
    configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
    authorizer.configure(configs);
    authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
    authorizer.completeInitialLoad();

    // Allow User:Alice to read topic "foobar"
    List<StandardAclWithId> acls = asList(
        withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
    );
    acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));

    // Topic "foobar" now has an ACL, so allow.everyone.if.no.acl.found must not apply to it.
    // User:Bob shouldn't be allowed to read topic "foobar"
    assertEquals(singletonList(DENIED),
        authorizer.authorize(new MockAuthorizableRequestContext.Builder().
            setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
            singletonList(newAction(READ, TOPIC, "foobar"))));
}
{code}

In the above test, `User:Bob` should be DENIED but the above test case fails.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
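The following is an added illustration of the decision the ticket is about; it is not Kafka's StandardAuthorizer code, and its ACL matching is deliberately simplified (no implied operations such as DESCRIBE-from-READ, no super.users handling, hypothetical `Acl`/`authorize_*` names). `authorize_buggy` judges "no ACL found" only after filtering by principal, which reproduces the reported outcome: a resource that has ACLs for other users looks ACL-free to Bob. `authorize_fixed` decides "no ACL found" per resource, before looking at the principal, which is the semantics the ticket asks for.

```python
"""Reference model of the allow.everyone.if.no.acl.found decision.

Added illustration for this ticket; it is not Kafka's StandardAuthorizer code.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List


class Result(Enum):
    ALLOWED = "ALLOWED"
    DENIED = "DENIED"


@dataclass(frozen=True)
class Acl:
    resource_type: str   # e.g. "TOPIC"
    resource_name: str   # literal name or prefix; "*" matches any resource
    pattern_type: str    # "LITERAL" or "PREFIXED"
    principal: str       # "User:Alice"; "User:*" matches any user
    host: str            # client host; "*" matches any host
    operation: str       # "READ", "WRITE", ...; "ALL" matches any operation
    permission: str      # "ALLOW" or "DENY"

    def matches_resource(self, rtype: str, rname: str) -> bool:
        if self.resource_type != rtype:
            return False
        if self.pattern_type == "LITERAL":
            return self.resource_name in (rname, "*")
        return rname.startswith(self.resource_name)  # PREFIXED

    def matches_request(self, principal: str, host: str, op: str) -> bool:
        return (self.principal in (principal, "User:*")
                and self.host in (host, "*")
                and self.operation in (op, "ALL"))


def _decide(matching: List[Acl]) -> Result:
    # DENY beats ALLOW; with no matching ACL the request is denied.
    if any(a.permission == "DENY" for a in matching):
        return Result.DENIED
    if any(a.permission == "ALLOW" for a in matching):
        return Result.ALLOWED
    return Result.DENIED


def authorize_buggy(acls, principal, host, op, rtype, rname, allow_everyone) -> Result:
    """Reported behaviour: 'no ACL found' is evaluated after filtering by
    principal, so ACLs that belong to other principals are invisible."""
    matching = [a for a in acls
                if a.matches_resource(rtype, rname) and a.matches_request(principal, host, op)]
    if not matching and allow_everyone:
        return Result.ALLOWED
    return _decide(matching)


def authorize_fixed(acls, principal, host, op, rtype, rname, allow_everyone) -> Result:
    """'No ACL found' is a property of the resource: fall back to allow-everyone
    only when the resource has no ACLs at all, for any principal."""
    resource_acls = [a for a in acls if a.matches_resource(rtype, rname)]
    if not resource_acls and allow_everyone:
        return Result.ALLOWED
    matching = [a for a in resource_acls if a.matches_request(principal, host, op)]
    return _decide(matching)


# Constructed ACL table mirroring the ticket: only User:Alice may read topic "foobar".
ACLS = [Acl("TOPIC", "foobar", "LITERAL", "User:Alice", "*", "READ", "ALLOW")]


def scenario():
    """Bob and Alice reading "foobar", and Bob reading an ACL-free topic,
    all with allow.everyone.if.no.acl.found enabled."""
    host = "10.0.0.5"  # constructed client address
    return {
        "bob_foobar_buggy": authorize_buggy(ACLS, "User:Bob", host, "READ", "TOPIC", "foobar", True),
        "bob_foobar_fixed": authorize_fixed(ACLS, "User:Bob", host, "READ", "TOPIC", "foobar", True),
        "alice_foobar_fixed": authorize_fixed(ACLS, "User:Alice", host, "READ", "TOPIC", "foobar", True),
        "bob_other_fixed": authorize_fixed(ACLS, "User:Bob", host, "READ", "TOPIC", "other", True),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result.value}")
```

The check that matters is the second one: with the ticket's single Alice ACL in place, the buggy path lets Bob read "foobar" while the fixed path denies him, yet both still allow everyone on a topic that genuinely has no ACLs.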