David Arthur created KAFKA-10491:
------------------------------------
Summary: Check authorizations before other criteria in KafkaApis
Key: KAFKA-10491
URL: https://issues.apache.org/jira/browse/KAFKA-10491
Project: Kafka
Issue Type: Improvement
Reporter: David Arthur
In KafkaApis#handleAlterUserScramCredentialsRequest we check if the current broker is the controller before checking if the request is authorized. This is a potential information leak about details of the system (i.e., who is the controller). We should fix this to check the authz first.

[~hachikuji] pointed this out during the review for AlterIsr since I had followed the pattern in handleAlterUserScramCredentialsRequest. We should fix handleAlterUserScramCredentialsRequest and audit the rest of KafkaApis for similar patterns.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
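An added illustration, not code from the Kafka project: a standalone Python model of the two check orderings in a request handler, plus a helper that checks whether an unauthorized caller can tell a controller from a non-controller by the error it receives. The Broker, Request and Authorizer classes are constructed stand-ins for KafkaApis' state; only the error names are borrowed from Kafka.

```python
from dataclasses import dataclass

# Error names mirror Kafka's error codes by name only; everything else here is a
# constructed stand-in for broker state and ACLs, not Kafka's own API.
NONE = "NONE"
NOT_CONTROLLER = "NOT_CONTROLLER"
CLUSTER_AUTHORIZATION_FAILED = "CLUSTER_AUTHORIZATION_FAILED"


@dataclass(frozen=True)
class Broker:
    is_controller: bool


@dataclass(frozen=True)
class Request:
    principal: str


class Authorizer:
    """Constructed ACL check: which principals may ALTER the CLUSTER resource."""

    def __init__(self, allowed_principals):
        self._allowed = frozenset(allowed_principals)

    def authorize(self, principal, operation="ALTER", resource="CLUSTER"):
        return principal in self._allowed


def handle_before_fix(request, broker, authorizer):
    """Ordering the ticket describes: controller check first, authz second."""
    if not broker.is_controller:
        return NOT_CONTROLLER  # reached by any caller, authorized or not
    if not authorizer.authorize(request.principal):
        return CLUSTER_AUTHORIZATION_FAILED
    return NONE


def handle_after_fix(request, broker, authorizer):
    """Proposed ordering: authorize before evaluating any other criteria."""
    if not authorizer.authorize(request.principal):
        return CLUSTER_AUTHORIZATION_FAILED  # same answer on every broker
    if not broker.is_controller:
        return NOT_CONTROLLER  # only an authorized caller gets this far
    return NONE


def leaks_controller_status(handler, request, authorizer):
    """True if this caller's response differs between a controller and a non-controller."""
    responses = {handler(request, Broker(is_controller=flag), authorizer)
                 for flag in (True, False)}
    return len(responses) > 1
```

Run leaks_controller_status with an unauthorized principal against both handlers: only the pre-fix ordering distinguishes the controller, while an authorized caller still receives NOT_CONTROLLER from the fixed handler when it hits the wrong broker.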