[
https://issues.apache.org/jira/browse/KAFKA-3221?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15137901#comment-15137901
]
Ismael Juma commented on KAFKA-3221:
------------------------------------
You didn't mention ZooKeeper authentication in your analysis. For the default
Authorizer, you'd be expected to use ZK authentication to secure ZK for all
usage (including kafka-acl).
> kafka-acls.sh must verify if a user has sufficient privileges to perform acls
> CRUD
> ----------------------------------------------------------------------------------
>
> Key: KAFKA-3221
> URL: https://issues.apache.org/jira/browse/KAFKA-3221
> Project: Kafka
> Issue Type: Improvement
> Reporter: Ashish K Singh
> Assignee: Ashish K Singh
>
> kafka-acls.sh provides an insecure entry point to Kafka's authorization. No
> checks are performed or no user information is provided to authorizer to
> validate a user, before the user performs CRUD of acls. This is a security
> hole that must be addressed.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
