HeartSaVioR commented on pull request #29729: URL: https://github.com/apache/spark/pull/29729#issuecomment-696425757
Kafka consumer in executors also uses assign, and Kafka checks group id authorization even with assign although group.id is not needed at all.

There's an interesting observation though... Please refer to https://github.com/apache/spark/pull/28623#issuecomment-633257746

If you do "assign", the group id authorization is "conditionally" checked according to the usage pattern, and executors don't trigger authorization even when they're using "assign" and passing a group id. The driver triggers authorization even for "assign". Would we consider this as Kafka's bug? If so, is it something we should be aware of and have a workaround for?

Btw, if they're pretty serious about the security, I think it's already insecure if attackers can successfully create an AdminClient and request information about topics, which will be done in the driver. Attackers will even be able to delete something like topics. They should have secured their Kafka via user based ACL or so & an allowed operation set, not via group id.
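The last point of the comment above is that a group id is not an access-control boundary; Kafka's ACLs on the principal are. The following is an added example (not part of the PR or the Spark code base) that grants a Spark job's principal only what a consumer needs: `Read`/`Describe` on the topic it reads and `Read` on the consumer group it presents, instead of leaving the topic open and relying on the group id. It uses the Kafka Java `Admin` client's `createAcls` API; the bootstrap server, principal name, topic and group names are assumed placeholders.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Properties;

import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AdminClientConfig;
import org.apache.kafka.common.acl.AccessControlEntry;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;

/**
 * Grants a consuming principal the minimum ACLs for one topic and one group.
 * Assumed values: the broker address, the principal, the topic and the group
 * are placeholders for illustration; an authorizer (e.g. the broker's
 * authorizer.class.name setting) must be enabled for ACLs to be enforced.
 */
public class LeastPrivilegeConsumerAcls {

    // Build the ACL bindings for a principal that may only read one topic
    // through one consumer group. DESCRIBE on the topic covers what the
    // Spark driver's metadata lookups need; nothing grants DELETE or WRITE.
    static List<AclBinding> consumerAcls(String principal, String topic, String group) {
        String anyHost = "*"; // assumption: restrict to specific hosts if your network allows it

        AccessControlEntry readAllowed =
            new AccessControlEntry(principal, anyHost, AclOperation.READ, AclPermissionType.ALLOW);
        AccessControlEntry describeAllowed =
            new AccessControlEntry(principal, anyHost, AclOperation.DESCRIBE, AclPermissionType.ALLOW);

        ResourcePattern topicPattern =
            new ResourcePattern(ResourceType.TOPIC, topic, PatternType.LITERAL);
        ResourcePattern groupPattern =
            new ResourcePattern(ResourceType.GROUP, group, PatternType.LITERAL);

        return Arrays.asList(
            new AclBinding(topicPattern, readAllowed),     // consume records
            new AclBinding(topicPattern, describeAllowed), // driver metadata/offset lookups
            new AclBinding(groupPattern, readAllowed)      // join/commit under this group id
        );
    }

    public static void main(String[] args) throws Exception {
        Properties props = new Properties();
        // Placeholder broker address; in practice this connection is itself
        // authenticated (e.g. SASL/SSL) as an admin principal.
        props.put(AdminClientConfig.BOOTSTRAP_SERVERS_CONFIG, "broker.example.internal:9093");

        // Placeholder names; "User:spark-structured-streaming" is the assumed
        // principal the Spark job authenticates as.
        List<AclBinding> acls = consumerAcls(
            "User:spark-structured-streaming", "events-topic", "spark-kafka-source-example");

        try (Admin admin = Admin.create(props)) {
            admin.createAcls(acls).all().get();
            System.out.println("Created " + acls.size() + " ACL bindings");
        }
    }
}
```

With this in place a different principal, or this principal using a different group id, is rejected by the broker's authorizer regardless of whether the client calls `assign` or `subscribe`, which is the property the comment argues a group id alone cannot provide.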
