rajinisivaram opened a new pull request, #19488:
URL: https://github.com/apache/kafka/pull/19488

   [KAFKA-18813](https://issues.apache.org/jira/browse/KAFKA-18813) added 
`Topic:Describe` authorization of topics matching regex patterns to the group 
coordinator since it was difficult to authorize these in the broker when 
processing consumer heartbeats using the new protocol. But group coordinator is 
started in `BrokerServer` before the authorizer is created. And hence group 
coordinator doesn't have an authorizer and never performs authorization. As a 
result, topics that are not authorized for `Describe` may be assigned to 
consumers. This potentially leaks information about topic existence, topic id 
and partition count to users who are not authorized to describe a topic. This 
PR starts authorizer earlier to ensure that authorization is performed by the 
group coordinator. Also adds integration tests for verification.
   
   Note that we still have a second issue when members have different 
permissions. If regex is resolved by a member with permission to more topics, 
unauthorized topics may be assigned to members with lower permissions. In this 
case, we still return assignment containing topic id and partitions to the 
member without `Topic:Describe` access. This is not addressed by this PR, but 
an integration test that illustrates the issue has been added so that we can 
verify when the issue is fixed.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to