[ https://issues.apache.org/jira/browse/KAFKA-18496?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Morozov updated KAFKA-18496:
---------------------------------------
    Description: 
It is not intended, but possible, to use ACLs and StandardAuthorizer with 
PLAINTEXT. As an example I've created a class, extending StandardAuthorizer, 
that avoids the limitations of the PrincipalBuilder of PLAINTEXT.

But there are several cases when the StandardAuthorizer::authorize method is 
invoked with an empty List<Action> actions, e.g. when AuthHelper::filterByAuthorized 
is invoked for the DESCRIBE AclOperation with an empty resources list (this is 
possible in the broker registration process and in add ACL). As a result, the 
context of the security request in the Authorizer is lost, and the method 
StandardAuthorizer::authorize doesn't know which action to authorize.

My workaround creates a fake principal with a fake ResourcePattern of type 
LITERAL, because ANY is not allowed in the constructor. I suggest adding a check 
for whether the resource list is empty and passing some valid placeholder to the 
Authorizer.


> Using ACL and StandardAuthorizer with PLAINTEXT
> -----------------------------------------------
>
>                 Key: KAFKA-18496
>                 URL: https://issues.apache.org/jira/browse/KAFKA-18496
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Konstantin Morozov
>            Priority: Minor
>         Attachments: NonStandardAuthorizer.java
>
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
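The guard the issue asks for, written out as an added example in Java. This is not code from the Jira issue, from the attached NonStandardAuthorizer.java, or from the Kafka code base; it uses only the public Kafka Authorizer API (Authorizer, Action, ResourcePattern, AuthorizableRequestContext, AuthorizationResult) and shows two places the empty-list case can be stopped: a wrapper Authorizer that never forwards an empty action list to the delegate, and a hypothetical filterByAuthorized-style helper that short-circuits on an empty resource list so authorize() is only ever called with an Action that carries the operation and resource being checked. The class name NonEmptyActionsAuthorizer and the helper's signature are assumptions for illustration.

```java
// Added example (not Kafka's own code or the reporter's attachment). Assumes only the
// public org.apache.kafka.server.authorizer API; class and helper names are hypothetical.
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletionStage;

import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.resource.PatternType;
import org.apache.kafka.common.resource.ResourcePattern;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.server.authorizer.AclCreateResult;
import org.apache.kafka.server.authorizer.AclDeleteResult;
import org.apache.kafka.server.authorizer.Action;
import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
import org.apache.kafka.server.authorizer.AuthorizationResult;
import org.apache.kafka.server.authorizer.Authorizer;
import org.apache.kafka.server.authorizer.AuthorizerServerInfo;

/** Wraps any Authorizer (e.g. StandardAuthorizer) and refuses to forward empty action lists. */
public final class NonEmptyActionsAuthorizer implements Authorizer {
    private final Authorizer delegate;

    public NonEmptyActionsAuthorizer(Authorizer delegate) {
        this.delegate = delegate;
    }

    @Override
    public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        if (actions.isEmpty()) {
            // With no Action there is no operation or resource to decide on, so the
            // delegate could not learn what the request wanted anyway. The contract is
            // one result per action, so the correct answer is an empty list; returning
            // it here keeps a context-free call away from the delegate.
            return Collections.emptyList();
        }
        return delegate.authorize(ctx, actions);
    }

    @Override
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo serverInfo) {
        return delegate.start(serverInfo);
    }

    @Override
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx,
                                                                       List<AclBinding> bindings) {
        return delegate.createAcls(ctx, bindings);
    }

    @Override
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx,
                                                                       List<AclBindingFilter> filters) {
        return delegate.deleteAcls(ctx, filters);
    }

    @Override
    public Iterable<AclBinding> acls(AclBindingFilter filter) {
        return delegate.acls(filter);
    }

    @Override
    public void configure(Map<String, ?> configs) {
        delegate.configure(configs);
    }

    @Override
    public void close() throws IOException {
        delegate.close();
    }

    /**
     * Hypothetical caller-side guard in the shape of AuthHelper.filterByAuthorized: returns the
     * subset of resource names the principal may perform {@code op} on. An empty input yields an
     * empty result without calling authorize(), which is the check the issue proposes.
     */
    public static Set<String> filterByAuthorized(Authorizer authorizer, AuthorizableRequestContext ctx,
                                                 AclOperation op, ResourceType type,
                                                 Collection<String> names) {
        if (names.isEmpty()) {
            return Collections.emptySet();
        }
        List<String> ordered = new ArrayList<>(new LinkedHashSet<>(names)); // dedupe, keep order
        List<Action> actions = new ArrayList<>(ordered.size());
        for (String name : ordered) {
            // A LITERAL pattern is always constructible; ANY/MATCH are filters, not patterns.
            actions.add(new Action(op, new ResourcePattern(type, name, PatternType.LITERAL), 1, true, true));
        }
        List<AuthorizationResult> results = authorizer.authorize(ctx, actions);
        Set<String> allowed = new HashSet<>();
        for (int i = 0; i < ordered.size(); i++) {
            if (results.get(i) == AuthorizationResult.ALLOWED) {
                allowed.add(ordered.get(i));
            }
        }
        return allowed;
    }
}
```

The wrapper covers the broker-internal paths the issue mentions (broker registration, add ACL) without patching AuthHelper, because every authorize() call passes through it; the static helper shows where the same check belongs if the fix is made at the call site instead. Neither path needs the fake-principal placeholder from the workaround, since no Action is fabricated when there is nothing to authorize.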
