KAFKA-12907: Cannot lockdown access to topic creation using Kafka ACLs


Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 2.6.1
    • Fix Version/s: None
    • Component/s: admin, security

    Description

      We're using Apache Kafka 2.6.1 clusters.

      We set a certain identity to have all privileges to a cluster by running this command:

      ➜  bin/kafka-acls.sh --bootstrap-server kafka-cluster:9094 --command-config ../kafka-admin.properties --add --allow-principal User:CN=kafka-admin --operation All --cluster

      According to this page - https://docs.confluent.io/platform/current/kafka/authorization.html#operations - we figured that this would give only the "kafka-admin" identity the privilege to create/delete topics, and to create/delete ACLs, among other privileges. We noticed that most privileges like creating/deleting/describing ACLs, listing groups, etc., are locked down to this identity as expected; however, topic creation is not. Meaning, any identity (that is not "kafka-admin") with a valid cert can still create topics.

      This means that if a rogue client were to get hold of a cert with an identity that is not the admin identity, that client can create a topic and send terabytes worth of data to the topic to severely affect the cluster's performance, and with that, the other co-tenants' performance too. This is not an ideal scenario for us as Kafka admins since we would like to lock down topic creation access only to identities with certificates that we possess.

      We're wondering if there's a workaround to this solution currently (like whether we're probably missing a config somewhere), or if this is an open issue that needs a fix.
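As an added example (not part of this issue or of the Kafka project's own code), the following Python script audits the situation the reporter describes: it parses the output of `kafka-acls.sh --list` and reports which principals hold an effective CREATE (or ALL, which implies every operation) on the Cluster resource or on a Topic resource, the two grants that authorise topic creation in Kafka 2.x, so an admin can see at a glance which identities other than the intended one can create topics. The sample listing, the principal names and the resource names are constructed, and the line format is an assumption modelled on the 2.x authorizer's listing output.

```python
import re
from collections import defaultdict

# Constructed sample of `kafka-acls.sh --list` output. The line format is an
# assumption modelled on Kafka 2.x AclAuthorizer output, not copied from the issue.
SAMPLE_ACL_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
    (principal=User:CN=kafka-admin, host=*, operation=ALL, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
    (principal=User:CN=ingest-app, host=*, operation=WRITE, permissionType=ALLOW)
    (principal=User:CN=ingest-app, host=*, operation=CREATE, permissionType=ALLOW)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders-, patternType=PREFIXED)`:
    (principal=User:CN=orders-svc, host=*, operation=DESCRIBE, permissionType=ALLOW)
    (principal=User:CN=orders-svc, host=*, operation=CREATE, permissionType=ALLOW)
    (principal=User:CN=orders-svc, host=*, operation=CREATE, permissionType=DENY)
"""

RESOURCE_RE = re.compile(
    r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ACL_RE = re.compile(
    r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")

# In Kafka 2.x, ALL implies every operation, and topic creation is authorised by
# CREATE on the Cluster resource or CREATE on a matching Topic resource.
CREATE_GRANTING_OPS = {"CREATE", "ALL"}
CREATE_RESOURCE_TYPES = {"CLUSTER", "TOPIC"}


def parse_acl_listing(text):
    """Parse the listing into tuples of
    (resource_type, name, pattern_type, principal, host, operation, permission)."""
    acls = []
    current = None  # the resource pattern the following ACL lines belong to
    for line in text.splitlines():
        res = RESOURCE_RE.search(line)
        if res:
            current = res.groups()
            continue
        acl = ACL_RE.search(line)
        if acl and current is not None:
            acls.append(current + acl.groups())
    return acls


def topic_creators(acls):
    """Map each principal to the set of resources that effectively let it create
    topics. An explicit DENY on the same resource cancels the ALLOW."""
    allows = defaultdict(set)
    denies = set()
    for rtype, name, ptype, principal, _host, op, perm in acls:
        if rtype not in CREATE_RESOURCE_TYPES or op not in CREATE_GRANTING_OPS:
            continue
        resource = f"{rtype}:{ptype}:{name}"
        if perm == "DENY":
            denies.add((principal, resource))
        elif perm == "ALLOW":
            allows[principal].add(resource)
    creators = {}
    for principal, resources in allows.items():
        effective = {r for r in resources if (principal, r) not in denies}
        if effective:
            creators[principal] = effective
    return creators


def unexpected_creators(acls, trusted_principals):
    """Principals that can create topics but are not in the trusted set."""
    return sorted(p for p in topic_creators(acls) if p not in trusted_principals)


if __name__ == "__main__":
    parsed = parse_acl_listing(SAMPLE_ACL_LISTING)
    for principal, resources in topic_creators(parsed).items():
        print(f"{principal} can create topics via {sorted(resources)}")
    print("unexpected:", unexpected_creators(parsed, {"User:CN=kafka-admin"}))
```

Against real output, feed the captured listing to `parse_acl_listing` and pass the set of identities that are meant to create topics to `unexpected_creators`. The report covers only explicit ACLs: whether a principal with no matching ACL at all is permitted depends on the authorizer's `allow.everyone.if.no.acl.found` broker setting, and `auto.create.topics.enable` governs whether topics can also come into existence through producer and consumer metadata requests rather than an explicit CreateTopics call, so both broker properties are worth reviewing alongside the ACL list when topic creation turns out to be more open than intended.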


People

  Assignee: Unassigned
  Reporter: Krishna Kinnal (krkinnal)
