[jira] [Resolved] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled

Mon, 20 Feb 2023 23:31:08 -0800 


     [ 
https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Purshotam Chauhan resolved KAFKA-14435.
---------------------------------------
    Fix Version/s: 3.3.2
                   3.4.0
       Resolution: Fixed

> Kraft: StandardAuthorizer allowing a non-authorized user when 
> `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>    Affects Versions: 3.2.0, 3.3.0, 3.2.1, 3.2.2, 3.2.3, 3.3.1
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>             Fix For: 3.3.2, 3.4.0
>
>
> When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow 
> everyone only if there is no ACL present for a particular resource. But if 
> there are ACL present for the resource, then it shouldn't be allowing 
> everyone.
> StandardAuthorizer is allowing the principals for which no ACLs are defined 
> even when the resource has other ACLs.
>  
> This behavior can be validated with the following test case:
>  
> {code:java}
> @Test
> public void testAllowEveryoneConfig() throws Exception {
>     StandardAuthorizer authorizer = new StandardAuthorizer();
>     HashMap<String, Object> configs = new HashMap<>();
>     configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
>     configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
>     authorizer.configure(configs);
>     authorizer.start(new 
> AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
>     authorizer.completeInitialLoad();
>     // Allow User:Alice to read topic "foobar"
>     List<StandardAclWithId> acls = asList(
>         withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", 
> WILDCARD, READ, ALLOW))
>     );
>     acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));
>     // User:Bob shouldn't be allowed to read topic "foobar"
>     assertEquals(singletonList(DENIED),
>         authorizer.authorize(new MockAuthorizableRequestContext.Builder().
>                 setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
>             singletonList(newAction(READ, TOPIC, "foobar"))));
> }
>  {code}
>  
> In the above test, `User:Bob` should be DENIED but the above test case fails.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to