Kafka / KAFKA-5336

ListGroup requires Describe on Cluster, but the command-line AclCommand tool does not allow this to be set


Details

    • Bug
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • 0.10.2.1
    • 0.11.0.0
    • security
    • None

    Description

      The ListGroup API authorizes requests with Describe access to the cluster resource:

        def handleListGroupsRequest(request: RequestChannel.Request) {
          if (!authorize(request.session, Describe, Resource.ClusterResource)) {
            sendResponseMaybeThrottle(request, requestThrottleMs =>
              ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
          } else {
            ...
      

      However, the list of operations (or permissions) allowed for the cluster resource does not include Describe:

        val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
          ...
          Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
          ...
        )
      

      Only a user with All cluster permission can successfully call the ListGroup API. No other permission (not even any combination that does not include All) would let a user use this API.

      The bug could be as simple as a typo in the API handler, though it's not obvious what actual permission was meant to be used there (perhaps DescribeConfigs?).
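
The mismatch described above can be caught mechanically by checking every operation a handler authorizes against the set of operations that can be granted on that resource type. The following is an added example, not part of the issue or of Kafka's code base: the `Requirement` registry, the `ExampleCreateApi` entry, and the simplified `authorize` rule (a grant matches if it names the operation or `All`) are assumptions made for illustration; only the Cluster operation set and the ListGroups requirement come from the description.

```scala
// Simplified model for illustration; these are not Kafka's own classes.
object AclCoverageCheck {
  sealed trait Operation
  case object Describe extends Operation
  case object Create extends Operation
  case object ClusterAction extends Operation
  case object DescribeConfigs extends Operation
  case object AlterConfigs extends Operation
  case object IdempotentWrite extends Operation
  case object All extends Operation

  sealed trait ResourceType
  case object Cluster extends ResourceType

  // Cluster entry as quoted in the issue description.
  val validOperations = Map[ResourceType, Set[Operation]](
    Cluster -> Set[Operation](Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All))

  // Hypothetical registry of what each handler passes to authorize().
  case class Requirement(api: String, op: Operation, resource: ResourceType)
  val requirements = List(
    Requirement("ListGroups", Describe, Cluster),     // from the issue
    Requirement("ExampleCreateApi", Create, Cluster)) // constructed, for contrast

  // Simplified authorizer (assumption): a grant matches if it names the operation or All.
  def authorize(granted: Set[Operation], needed: Operation): Boolean =
    granted.contains(needed) || granted.contains(All)

  // Requirements whose operation cannot be granted by name on that resource type.
  def ungrantable: List[Requirement] =
    requirements.filterNot(r =>
      validOperations.getOrElse(r.resource, Set.empty[Operation]).contains(r.op))

  // Every grant set the tool would accept that still satisfies the handler.
  def workingGrants(r: Requirement): List[Set[Operation]] =
    validOperations(r.resource).subsets().filter(g => authorize(g, r.op)).toList

  def main(args: Array[String]): Unit =
    ungrantable.foreach { r =>
      val ok = workingGrants(r)
      println(s"${r.api} needs ${r.op} on ${r.resource}: not grantable by name")
      println(s"  passing grant sets: ${ok.size}, all include All: ${ok.forall(_.contains(All))}")
    }
}
```

Run as a unit test over the real handler requirements, a check of this shape would flag any API whose only working grant is `All`, which is the least-privilege failure this issue reports.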

            People

              vahid Vahid Hashemian