Description
The ListGroup API authorizes requests with Describe access to the cluster resource:
    def handleListGroupsRequest(request: RequestChannel.Request) {
      if (!authorize(request.session, Describe, Resource.ClusterResource)) {
        sendResponseMaybeThrottle(request, requestThrottleMs =>
          ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
      } else {
        ...
However, the list of operations (or permissions) allowed for the cluster resource does not include Describe:
    val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
      ...
      Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
      ...
    )
Only a user with the All cluster permission can successfully call the ListGroup API. No other permission (and no combination of permissions that does not include All) lets a user use this API.
The bug could be as simple as a typo in the API handler, though it is not obvious which permission was actually meant there (perhaps DescribeConfigs?).
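The interaction between the handler's authorize call and the valid-operations map can be reproduced with a small model. The following is an added example, not Kafka's own code: it models an authorizer that, like the page's ResourceTypeToValidOperations, rejects ACLs whose operation is not valid for the resource type, and a stand-in for handleListGroupsRequest that checks Describe on the cluster resource. Names such as Authorizer, add_acl and handle_list_groups are this example's own; the FIXED_VALID_OPS map assumes the remedy is to add Describe to the Cluster set, and the simplified grant rule (an ACL matches if it names the operation or All) omits the implication rules of Kafka's real authorizer.

```python
from dataclasses import dataclass
from enum import Enum, auto


class ResourceType(Enum):
    TOPIC = auto()
    GROUP = auto()
    CLUSTER = auto()


class Operation(Enum):
    READ = auto()
    WRITE = auto()
    CREATE = auto()
    DELETE = auto()
    ALTER = auto()
    DESCRIBE = auto()
    CLUSTER_ACTION = auto()
    DESCRIBE_CONFIGS = auto()
    ALTER_CONFIGS = auto()
    IDEMPOTENT_WRITE = auto()
    ALL = auto()


# Cluster entry as quoted on the page: Describe is absent, All is present.
BUGGY_VALID_OPS = {
    ResourceType.CLUSTER: {
        Operation.CREATE, Operation.CLUSTER_ACTION, Operation.DESCRIBE_CONFIGS,
        Operation.ALTER_CONFIGS, Operation.IDEMPOTENT_WRITE, Operation.ALL,
    },
}

# Assumed remedy (hypothetical, for illustration): allow Describe on Cluster too.
FIXED_VALID_OPS = {
    ResourceType.CLUSTER: BUGGY_VALID_OPS[ResourceType.CLUSTER] | {Operation.DESCRIBE},
}


@dataclass(frozen=True)
class Acl:
    principal: str
    operation: Operation
    resource_type: ResourceType


class Authorizer:
    """Toy authorizer: validates ACLs against a valid-operations map, then answers authorize()."""

    def __init__(self, valid_ops):
        self.valid_ops = valid_ops
        self.acls = set()

    def add_acl(self, acl):
        # Mirrors the validation step: an operation outside the resource's valid set is rejected,
        # so no such ACL can ever exist in the authorizer.
        if acl.operation not in self.valid_ops.get(acl.resource_type, set()):
            raise ValueError(f"{acl.operation.name} is not valid for {acl.resource_type.name}")
        self.acls.add(acl)

    def authorize(self, principal, operation, resource_type):
        # Simplified grant rule: an ACL matches if it names the operation itself or All.
        return any(
            a.principal == principal
            and a.resource_type == resource_type
            and a.operation in (operation, Operation.ALL)
            for a in self.acls
        )


def handle_list_groups(authorizer, principal):
    """Stand-in for handleListGroupsRequest: requires Describe on the cluster resource."""
    if not authorizer.authorize(principal, Operation.DESCRIBE, ResourceType.CLUSTER):
        return "CLUSTER_AUTHORIZATION_FAILED"
    return "OK"


def try_grant(authorizer, principal, operation):
    """Attempt to add a cluster ACL; report whether validation accepted it."""
    try:
        authorizer.add_acl(Acl(principal, operation, ResourceType.CLUSTER))
        return True
    except ValueError:
        return False


def demo(valid_ops):
    """For each constructed user, return (ACL accepted?, ListGroups result) under the given map."""
    auth = Authorizer(valid_ops)
    grants = [
        ("alice", Operation.DESCRIBE),          # the permission the handler actually checks
        ("bob", Operation.ALL),                 # the only grant that works under the buggy map
        ("carol", Operation.DESCRIBE_CONFIGS),  # a valid cluster permission that still fails
    ]
    return {user: (try_grant(auth, user, op), handle_list_groups(auth, user)) for user, op in grants}


if __name__ == "__main__":
    print("buggy map:", demo(BUGGY_VALID_OPS))
    print("fixed map:", demo(FIXED_VALID_OPS))
```

Under the buggy map the Describe ACL for alice is rejected at validation time, so she can never satisfy the handler's check, while carol's DescribeConfigs ACL is accepted but does not match Describe; only bob's All grant succeeds. Under the fixed map alice's Describe ACL is accepted and ListGroups succeeds for her.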
Issue Links
- duplicates KAFKA-5292 Fix authorization checks in AdminClient (Resolved)