[
https://issues.apache.org/jira/browse/KAFKA-19147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Rajini Sivaram resolved KAFKA-19147.
------------------------------------
Fix Version/s: 4.1.0
Reviewer: David Jacot
Resolution: Fixed
> ConsumerGroupHeartbeat API leaks topic id and partition count of unauthorized
> topics
> ------------------------------------------------------------------------------------
>
> Key: KAFKA-19147
> URL: https://issues.apache.org/jira/browse/KAFKA-19147
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 4.0.0
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Major
> Fix For: 4.1.0, 4.0.1
>
>
> KAFKA-18813 added Topic:Describe authorization of topics matching regex
> patterns to the group coordinator since it was difficult to authorize these
> in the broker when processing the new consumer heartbeat. But the group
> coordinator is started in BrokerServer before the authorizer is created, and
> hence the group coordinator doesn't have an authorizer and never performs
> authorization. As a result, topics that are not authorized for Describe may
> be assigned to consumers. This potentially leaks information about topic
> existence, topic id and partition count to users who are not authorized to
> describe a topic.
>
> We are missing an integration test for this case.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
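The check the ticket says was silently skipped, written out as an added illustration (this is not Kafka's group coordinator code, nor the patch that resolved KAFKA-19147): resolve the subscription regex against the cluster's topic names, then pass every match through the broker's `Authorizer` as a batch of `Topic:Describe` actions and keep only the ALLOWED ones, so that topic id and partition count of anything else never reach the assignment. The `Authorizer`, `Action`, `ResourcePattern`, `AclOperation` and `AuthorizationResult` types are Kafka's public authorizer API; the `SubscriptionAuthorizer` class, its constructor arguments and the `authorizerConfigured` flag are assumptions made for this example. The constructor guards against the exact wiring failure described above: an authorizer is configured in the broker, but this component was built before the authorizer existed, so it would otherwise behave as if the cluster were open.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;

/**
 * Hypothetical helper (not Kafka's own code) that resolves a consumer's regex
 * subscription and keeps only the topics the requesting principal may Describe.
 * Topics the principal may not Describe are dropped before assignment, so their
 * existence, topic id and partition count are never returned in a heartbeat.
 */
public final class SubscriptionAuthorizer {

    private final Optional<Authorizer> authorizer;

    /**
     * @param authorizer           the broker's authorizer, if one has been created
     * @param authorizerConfigured true when the broker config names an authorizer
     *                             class (assumed flag; the caller derives it from config)
     */
    public SubscriptionAuthorizer(Optional<Authorizer> authorizer, boolean authorizerConfigured) {
        // Fail closed on the start-up ordering bug: an authorizer is configured but
        // this component was constructed before the broker created it. Treating that
        // state as "no authorizer" would skip authorization entirely.
        if (authorizerConfigured && authorizer.isEmpty()) {
            throw new IllegalStateException(
                "authorizer is configured but not yet available; refusing to resolve regex subscriptions");
        }
        this.authorizer = authorizer;
    }

    /**
     * Returns the subset of allTopics that matches the subscription regex and that
     * the principal in context is allowed to Describe.
     */
    public Set<String> describableMatches(AuthorizableRequestContext context,
                                          Pattern subscription,
                                          Set<String> allTopics) {
        List<String> matched = allTopics.stream()
            .filter(topic -> subscription.matcher(topic).matches())
            .sorted()
            .collect(Collectors.toList());

        // No authorizer configured at all means the cluster is intentionally open;
        // the constructor has already ruled out the "configured but missing" case.
        if (matched.isEmpty() || authorizer.isEmpty()) {
            return new TreeSet<>(matched);
        }

        // One Describe action per matched topic, authorized as a single batch so the
        // result list lines up index-for-index with the matched list.
        List<Action> actions = new ArrayList<>(matched.size());
        for (String topic : matched) {
            actions.add(new Action(
                AclOperation.DESCRIBE,
                new ResourcePattern(ResourceType.TOPIC, topic, PatternType.LITERAL),
                1,      // resourceReferenceCount
                false,  // logIfAllowed: this runs on every heartbeat, keep the audit log quiet
                false)); // logIfDenied: a regex legitimately matches topics the user cannot see
        }
        List<AuthorizationResult> results = authorizer.get().authorize(context, actions);

        Set<String> allowed = new TreeSet<>();
        for (int i = 0; i < matched.size(); i++) {
            if (results.get(i) == AuthorizationResult.ALLOWED) {
                allowed.add(matched.get(i));
            }
        }
        return allowed;
    }
}
```

The denied topics are dropped rather than reported, which is the point of the ticket: an explicit "unauthorized" error for a topic the principal cannot Describe would itself confirm that the topic exists. A suitable integration test, as the ticket notes is missing, would subscribe with a regex that matches both an authorized and an unauthorized topic and assert that the heartbeat response carries only the authorized topic's id and partitions.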