[jira] [Commented] (KAFKA-8719) kafka-console-consumer bypassing sentry evaluations while specifying --partition option

Thu, 29 Aug 2019 23:43:22 -0700 


    [ 
https://issues.apache.org/jira/browse/KAFKA-8719?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16919261#comment-16919261
 ] 

Sathish commented on KAFKA-8719:
--------------------------------

[~huxi_2b] with latest version the --partition and --consumer-property 
group.id=<some-group-id> is not allowed to pass together - So with latest 
version it is good. Also, while passing the --partition <partition ID> it does 
not follow the actual semantics of consumer group as it directly assigns the 
partition to itself without consumer group.  And since I had read privilege in 
sentry for that topic - I was able to consume the messages.

Here all are working as expected except the validation in 
kafka-console-consumer (which should restrict user to pass both --partition and 
--consumer-property group.id=<some-group-id> together ) This is resolved in 
newest versions 

Overall - everything is working as expected - we are good to close this JIRA

> kafka-console-consumer bypassing sentry evaluations while specifying 
> --partition option
> ---------------------------------------------------------------------------------------
>
>                 Key: KAFKA-8719
>                 URL: https://issues.apache.org/jira/browse/KAFKA-8719
>             Project: Kafka
>          Issue Type: Bug
>          Components: consumer, tools
>            Reporter: Sathish
>            Priority: Major
>              Labels: kafka-console-cons
>
> While specifying --partition option on kafka-console-consumer, it is 
> bypassing the sentry evaluations and making the users to consume messages 
> freely. Even though a consumer group does not have access to consume messages 
> from topics --partition option bypassing the evaluation
> Example command used:
> #kafka-console-consumer  --topic booktopic1 --consumer.config 
> consumer.properties --bootstrap-server <broker-host>:9092 --from-beginning 
> --consumer-property group.id=spark-kafka-111 --partition 0
> This succeeds even though, if spark-kafka-111 does not have any access on 
> topic booktopic1
> whereas 
> #kafka-console-consumer  --topic booktopic1 --consumer.config 
> consumer.properties --bootstrap-server <broker-host>:9092 --from-beginning 
> --consumer-property group.id=spark-kafka-111
> Fails with topic authorisation issues



--
This message was sent by Atlassian Jira
(v8.3.2#803003)

Reply via email to