Andy Coates created KAFKA-5246: ---------------------------------- Summary: Remove backdoor that allows any client to produce to internal topics Key: KAFKA-5246 URL: https://issues.apache.org/jira/browse/KAFKA-5246 Project: Kafka Issue Type: Bug Components: core Affects Versions: 0.10.2.1, 0.10.2.0, 0.10.1.1, 0.10.1.0, 0.10.0.1, 0.10.0.0 Reporter: Andy Coates Priority: Minor
kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be unused in the code, with the exception of a single use in KafkaAPis.scala in handleProducerRequest, where is looks to allow any client, using the special ‘__admin_client' client id, to append to internal topics. This looks like a security risk to me, as it would allow any client to produce either rouge offsets or even a record containing something other than group/offset info. Can we remove this please? -- This message was sent by Atlassian JIRA (v6.3.15#6346)