Purshotam Chauhan created KAFKA-14435:
-----------------------------------------

             Summary: Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
                 Key: KAFKA-14435
                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
             Project: Kafka
          Issue Type: Bug
          Components: kraft
            Reporter: Purshotam Chauhan


When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow 
everyone only if there is no ACL present for a particular resource. But if 
there are ACLs present for the resource, then it shouldn't be allowing everyone.

StandardAuthorizer is allowing the principals for which no ACLs are defined 
even when the resource has other ACLs.

This behavior can be validated with the following test case:

{code:java}
@Test
public void testAllowEveryoneConfig() throws Exception {
    StandardAuthorizer authorizer = new StandardAuthorizer();
    HashMap<String, Object> configs = new HashMap<>();
    configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
    configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
    authorizer.configure(configs);
    authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
    authorizer.completeInitialLoad();

    // Allow User:Alice to read topic "foobar"
    List<StandardAclWithId> acls = asList(
        withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
    );
    acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));

    // User:Bob shouldn't be allowed to read topic "foobar": the topic has an ACL,
    // so allow.everyone.if.no.acl.found must not apply
    assertEquals(singletonList(DENIED),
        authorizer.authorize(new MockAuthorizableRequestContext.Builder().
                setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
            singletonList(newAction(READ, TOPIC, "foobar"))));
}
{code}

In the above test, `User:Bob` should be DENIED, but the test case fails.
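A reference model of the decision the report expects, added here as an illustration and not code from Kafka's StandardAuthorizer: the "no ACL found" check is taken over the ACLs bound to the resource, not over those bound to the requesting principal. It assumes LITERAL resource patterns only and ignores host matching; the ACL set and principals are constructed to mirror the test above.

```python
from dataclasses import dataclass
from enum import Enum


class Permission(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


@dataclass(frozen=True)
class Acl:
    resource_type: str    # e.g. "TOPIC"
    resource_name: str    # LITERAL name only; PREFIXED/wildcard patterns are out of scope here
    principal: str        # e.g. "User:Alice"
    operation: str        # e.g. "READ"
    permission: Permission


def authorize(acls, principal, operation, resource_type, resource_name,
              allow_everyone_if_no_acl_found=False, super_users=frozenset()):
    """Decide one action. Super users always pass; then the flag is applied to
    the ACLs that exist for the *resource*; then DENY beats ALLOW; default DENY."""
    if principal in super_users:
        return Permission.ALLOW
    # Step the report is about: every ACL on this resource, whoever it names.
    resource_acls = [a for a in acls
                     if a.resource_type == resource_type and a.resource_name == resource_name]
    if not resource_acls and allow_everyone_if_no_acl_found:
        return Permission.ALLOW  # only a resource with no ACLs at all is open to everyone
    # The reported behaviour corresponds to applying the check above to this
    # principal-filtered list instead, which is empty for any principal without ACLs.
    matching = [a for a in resource_acls
                if a.principal in (principal, "User:*") and a.operation in (operation, "ALL")]
    if any(a.permission is Permission.DENY for a in matching):
        return Permission.DENY
    if any(a.permission is Permission.ALLOW for a in matching):
        return Permission.ALLOW
    return Permission.DENY


# Constructed ACL set mirroring the Jira test: only User:Alice may READ topic "foobar".
ACLS = [Acl("TOPIC", "foobar", "User:Alice", "READ", Permission.ALLOW)]


def report_case():
    """Bob has no ACL on 'foobar', but the topic itself has one: expected DENY."""
    return authorize(ACLS, "User:Bob", "READ", "TOPIC", "foobar",
                     allow_everyone_if_no_acl_found=True).value


def no_acl_case():
    """A topic with no ACLs at all is the case the flag is meant for: expected ALLOW."""
    return authorize(ACLS, "User:Bob", "READ", "TOPIC", "other-topic",
                     allow_everyone_if_no_acl_found=True).value
```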



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
