Konstantin Morozov created KAFKA-18496:
------------------------------------------

             Summary: Using ACL and StandardAuthorizer with PLAINTEXT
                 Key: KAFKA-18496
                 URL: https://issues.apache.org/jira/browse/KAFKA-18496
             Project: Kafka
          Issue Type: Improvement
            Reporter: Konstantin Morozov
         Attachments: NonStandardAuthorizer.java

It is not intended, but it is possible to use ACL and StandardAuthorizer with PLAINTEXT. As an example, I've created a class extending StandardAuthorizer that avoids the limitations of the PrincipalBuilder of PLAINTEXT.

But there are several cases when the StandardAuthorizer::authorize method is invoked with an empty List<Action> actions, e.g. when AuthHelper::filterByAuthorized is invoked for the DESCRIBE AclOperation with an empty resources list (this is possible in the broker registration process and when adding an ACL). As a result, the context of the security request in the Authorizer is lost, and the method StandardAuthorizer::authorize doesn't know which action to authorise.

My workaround creates a fake principal with a fake ResourcePattern with type LITERAL, because ANY is not allowed in the constructor.

I suggest adding a check for whether the resource is empty and passing some valid placeholder to the Authorizer.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)