[ https://issues.apache.org/jira/browse/KAFKA-10491?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ron Dagostino reassigned KAFKA-10491:
-------------------------------------
Assignee: Ron Dagostino
> Check authorizations before other criteria in KafkaApis
> -------------------------------------------------------
>
> Key: KAFKA-10491
> URL: https://issues.apache.org/jira/browse/KAFKA-10491
> Project: Kafka
> Issue Type: Improvement
> Reporter: David Arthur
> Assignee: Ron Dagostino
> Priority: Minor
>
> In KafkaApis#handleAlterUserScramCredentialsRequest we check if the current
> broker is the controller before checking if the request is authorized. This
> is a potential information leak about details of the system (i.e., who is the
> controller). We should fix this to check the authz first.
> [~hachikuji] pointed this out during the review for AlterIsr since I had
> followed the pattern in handleAlterUserScramCredentialsRequest.
> We should fix handleAlterUserScramCredentialsRequest and audit the rest of
> KafkaApis for similar patterns.
--
This message was sent by Atlassian Jira (v8.3.4#803005)
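The check-ordering problem the issue describes, as an added example (not Kafka's code): a minimal model of a request handler before and after the fix, plus an audit helper that tests whether an unauthorized caller can tell the controller apart by the error code alone. The `Broker` class, handler functions and principals are constructed stand-ins; only the error names follow Kafka's `Errors` enum.

```python
from dataclasses import dataclass

# Error names mirror Kafka's Errors enum; everything else is a constructed stand-in.
NONE = "NONE"
NOT_CONTROLLER = "NOT_CONTROLLER"
CLUSTER_AUTHORIZATION_FAILED = "CLUSTER_AUTHORIZATION_FAILED"


@dataclass(frozen=True)
class Broker:
    """Stand-in for broker state: controller role plus the principals allowed ALTER on CLUSTER."""
    is_controller: bool
    authorized_principals: frozenset


def handle_before_fix(broker: Broker, principal: str) -> str:
    """Pattern flagged in KAFKA-10491: controller check runs before authorization,
    so an unauthorized caller learns which broker is the controller from the error code."""
    if not broker.is_controller:
        return NOT_CONTROLLER
    if principal not in broker.authorized_principals:
        return CLUSTER_AUTHORIZATION_FAILED
    return NONE


def handle_after_fix(broker: Broker, principal: str) -> str:
    """Fixed ordering: authorization first, so every broker gives an unauthorized
    caller the same answer regardless of its controller role."""
    if principal not in broker.authorized_principals:
        return CLUSTER_AUTHORIZATION_FAILED
    if not broker.is_controller:
        return NOT_CONTROLLER
    return NONE


def leaks_controller_identity(handler, principal: str) -> bool:
    """Audit check: True if the handler's response to `principal` differs between a
    controller and a non-controller broker, i.e. the role is observable without authz."""
    acl = frozenset({"User:admin"})  # constructed ACL; the principal under test is not in it
    on_controller = handler(Broker(is_controller=True, authorized_principals=acl), principal)
    on_follower = handler(Broker(is_controller=False, authorized_principals=acl), principal)
    return on_controller != on_follower


if __name__ == "__main__":
    print("before fix leaks:", leaks_controller_identity(handle_before_fix, "User:anonymous"))
    print("after fix leaks: ", leaks_controller_identity(handle_after_fix, "User:anonymous"))
```

The same `leaks_controller_identity` probe can be pointed at any handler that mixes a role or topology check with an authorization check, which is the audit the issue asks for across the rest of KafkaApis.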