[
https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18035536#comment-18035536
]
Chia-Ping Tsai commented on KAFKA-5246:
---------------------------------------
After eight years, shouldn't we reassess this "backdoor"? The growing number of
internal topics is enlarging its scope. I suggest filing a KIP to remove it,
especially since we have specific RPCs available to alter those topics
> Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
> Key: KAFKA-5246
> URL: https://issues.apache.org/jira/browse/KAFKA-5246
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0,
> 0.10.2.1
> Reporter: Andy Coates
> Assignee: Andy Coates
> Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be
> unused in the code, with the exception of a single use in KafkaAPis.scala in
> handleProducerRequest, where is looks to allow any client, using the special
> ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to
> produce either rouge offsets or even a record containing something other than
> group/offset info.
> Can we remove this please?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
