[
https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16010948#comment-16010948
]
Andy Coates commented on KAFKA-5246:
------------------------------------
I've got a patch waiting for this is someone can assign this Jira to me and
give me what ever permissions are needed to allow me to raise a PR in Github.
Thanks,
Andy
> Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
> Key: KAFKA-5246
> URL: https://issues.apache.org/jira/browse/KAFKA-5246
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0,
> 0.10.2.1
> Reporter: Andy Coates
> Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be
> unused in the code, with the exception of a single use in KafkaAPis.scala in
> handleProducerRequest, where is looks to allow any client, using the special
> ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to
> produce either rouge offsets or even a record containing something other than
> group/offset info.
> Can we remove this please?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
