[KAFKA-14236] ListGroups request produces too much Denied logs in authorizer - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.0
Fix Version/s: 3.4.0
Component/s: core
Labels:
- patch-available

Language:
- scala

Description

Context

On a multi-tenant secured cluster, with many consumers, a call to ListGroups api will log an authorization error for each consumer group of other tenant.

Reason

The handleListGroupsRequest function first tries to authorize a DESCRIBE CLUSTER, and if it fails it will then try to authorize a DESCRIBE GROUP on each consumer group.

Fix

In that case neither the DESCRIBE CLUSTER, nor the DESCRIBE GROUP of other tenant were intended, and should be specified in the Action using logIfDenied: false

Attachments

Issue Links

links to

GitHub Pull Request #12652

Activity

People

Assignee:: Alexandre GRIFFAUT

Reporter:: Alexandre GRIFFAUT

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 16/Sep/22 10:12

Updated:: 14/Feb/23 14:28

Resolved:: 22/Sep/22 00:43