Rajini Sivaram created KAFKA-19147:
--------------------------------------
Summary: ConsumerGroupHeartbeat API leaks topic id and partition
count of unauthorized topics
Key: KAFKA-19147
URL: https://issues.apache.org/jira/browse/KAFKA-19147
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 4.0.0
Reporter: Rajini Sivaram
Assignee: Rajini Sivaram
Fix For: 4.0.1
KAFKA-18813 added Topic:Describe authorization of topics matching regex
patterns to the group coordinator since it was difficult to authorize these in
the broker when processing the new consumer heartbeat. But the group coordinator is
started in BrokerServer before the authorizer is created, and hence the group
coordinator doesn't have an authorizer and never performs authorization. As a
result, topics that are not authorized for Describe may be assigned to
consumers. This potentially leaks information about topic existence, topic id
and partition count to users who are not authorized to describe a topic.
We are missing an integration test for this case.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
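The failure mode described in this issue, as an added illustration that is not Kafka code and not part of the Jira report: a constructed in-memory topic catalogue, a stand-in Describe authorizer, and a resolver that expands a consumer's regex subscription into the topic ids and partition counts a heartbeat assignment would carry. With `fail_closed=False` the resolver reproduces the bug (no authorizer wired in, so every matching topic is handed out); with the default `fail_closed=True` it refuses to resolve the subscription at all rather than skip the check. All names, topic ids and ACLs below are made up for the example; the real fix in 4.0.1 may differ in how it wires the authorizer.

```python
"""Model of the regex-subscription authorization path from KAFKA-19147.

Constructed example, not Kafka's implementation. It contrasts fail-open
resolution (authorizer absent, everything returned) with fail-closed.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TopicMeta:
    name: str
    topic_id: str
    partitions: int


# Constructed topic catalogue; ids are placeholders, not real Kafka topic UUIDs.
TOPICS = {
    "orders": TopicMeta("orders", "topic-id-0001", 12),
    "orders-archive": TopicMeta("orders-archive", "topic-id-0002", 3),
    "payroll": TopicMeta("payroll", "topic-id-0003", 6),
}


class DescribeAuthorizer:
    """Stand-in for an ACL authorizer: principal -> topics it may Describe."""

    def __init__(self, describe_acls: dict[str, set[str]]):
        self._acls = describe_acls

    def authorize_describe(self, principal: str, topic_names: list[str]) -> list[bool]:
        allowed = self._acls.get(principal, set())
        return [name in allowed for name in topic_names]


class AuthorizerUnavailable(RuntimeError):
    """Raised when a regex subscription must be resolved but no authorizer exists."""


def resolve_regex_subscription(
    pattern: str,
    principal: str,
    authorizer: Optional[DescribeAuthorizer],
    fail_closed: bool = True,
) -> list[TopicMeta]:
    """Expand a regex subscription to the matching topics the principal may Describe.

    fail_closed=False reproduces the bug: with no authorizer available, every
    matching topic is returned, so unauthorized topic ids and partition counts
    reach the consumer through the assignment.
    """
    matching = [meta for name, meta in sorted(TOPICS.items()) if re.fullmatch(pattern, name)]
    if authorizer is None:
        if fail_closed:
            raise AuthorizerUnavailable("no authorizer wired in; refusing to resolve subscription")
        return matching  # bug: nothing filtered
    verdicts = authorizer.authorize_describe(principal, [m.name for m in matching])
    return [meta for meta, ok in zip(matching, verdicts) if ok]


def heartbeat_assignment(topics: list[TopicMeta]) -> dict[str, int]:
    """What an assignment in a heartbeat response would expose: topic id -> partition count."""
    return {t.topic_id: t.partitions for t in topics}


def leaked_topics(pattern: str, principal: str, authorizer: DescribeAuthorizer) -> list[str]:
    """Names the principal learns under the buggy path but is not authorized to Describe."""
    buggy = resolve_regex_subscription(pattern, principal, None, fail_closed=False)
    permitted = resolve_regex_subscription(pattern, principal, authorizer)
    return sorted({t.name for t in buggy} - {t.name for t in permitted})


if __name__ == "__main__":
    acls = DescribeAuthorizer({"alice": {"orders"}})  # constructed ACL: alice may Describe "orders" only
    print("authorized:", heartbeat_assignment(resolve_regex_subscription(r"orders.*", "alice", acls)))
    print("leaked without authorizer:", leaked_topics(r"orders.*", "alice", acls))
```

The integration test the issue says is missing would follow the same shape: grant Describe on one topic, subscribe with a regex that matches more than that topic, and assert the assignment carries only the authorized topic's id and partition count.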