[
https://issues.apache.org/jira/browse/KAFKA-5246?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andy Coates updated KAFKA-5246:
-------------------------------
Resolution: Won't Fix
Status: Resolved (was: Patch Available)
Discussions on PR mean we're closing this without fixing. Work around is to use
ACLs to lock down the __consumer_offset topic to only allow required use-cases
direct access to produce to it.
> Remove backdoor that allows any client to produce to internal topics
> ---------------------------------------------------------------------
>
> Key: KAFKA-5246
> URL: https://issues.apache.org/jira/browse/KAFKA-5246
> Project: Kafka
> Issue Type: Bug
> Components: core
> Affects Versions: 0.10.0.0, 0.10.0.1, 0.10.1.0, 0.10.1.1, 0.10.2.0,
> 0.10.2.1
> Reporter: Andy Coates
> Assignee: Andy Coates
> Priority: Minor
>
> kafka.admim.AdminUtils defines an ‘AdminClientId' val, which looks to be
> unused in the code, with the exception of a single use in KafkaAPis.scala in
> handleProducerRequest, where is looks to allow any client, using the special
> ‘__admin_client' client id, to append to internal topics.
> This looks like a security risk to me, as it would allow any client to
> produce either rouge offsets or even a record containing something other than
> group/offset info.
> Can we remove this please?
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
