Skip to content

KAFKA-19147: Start authorizer before group coordinator to ensure coordinator authorizes regex topics #19488

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 16, 2025
Merged

KAFKA-19147: Start authorizer before group coordinator to ensure coordinator authorizes regex topics #19488

merged 1 commit into from
Apr 16, 2025

Conversation

rajinisivaram
Copy link
Contributor

@rajinisivaram rajinisivaram commented Apr 16, 2025
edited by github-actions bot
Loading

KAFKA-18813 added
Topic:Describe authorization of topics matching regex patterns to the
group coordinator since it was difficult to authorize these in the
broker when processing consumer heartbeats using the new protocol. But
group coordinator is started in BrokerServer before the authorizer is
created. And hence group coordinator doesn't have an authorizer and
never performs authorization. As a result, topics that are not
authorized for Describe may be assigned to consumers. This potentially
leaks information about topic existence, topic id and partition count to
users who are not authorized to describe a topic. This PR starts
authorizer earlier to ensure that authorization is performed by the
group coordinator. Also adds integration tests for verification.

Note that we still have a second issue when members have different
permissions. If regex is resolved by a member with permission to more
topics, unauthorized topics may be assigned to members with lower
permissions. In this case, we still return assignment containing topic
id and partitions to the member without Topic:Describe access. This is
not addressed by this PR, but an integration test that illustrates the
issue has been added so that we can verify when the issue is fixed.

Reviewers: David Jacot [email protected]

@github-actions github-actions bot added triage PRs from the community core Kafka Broker labels Apr 16, 2025
@rajinisivaram rajinisivaram requested a review from dajac April 16, 2025 11:42
@dajac dajac added KIP-848 The Next Generation of the Consumer Rebalance Protocol and removed triage PRs from the community labels Apr 16, 2025
dajac
dajac approved these changes Apr 16, 2025
View reviewed changes
Copy link
Member

@dajac dajac left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, thanks!

@rajinisivaram
Copy link
Contributor Author

@dajac Thanks for the review, merging to trunk and 4.0.

@rajinisivaram rajinisivaram merged commit 4b2a310 into apache:trunk Apr 16, 2025
25 checks passed
rajinisivaram added a commit that referenced this pull request Apr 16, 2025
@rajinisivaram
KAFKA-19147: Start authorizer before group coordinator to ensure coor…
f98dec9 
…dinator authorizes regex topics (#19488)

[KAFKA-18813](https://issues.apache.org/jira/browse/KAFKA-18813) added
`Topic:Describe` authorization of topics matching regex patterns to the
group coordinator since it was difficult to authorize these in the
broker when processing consumer heartbeats using the new protocol. But
group coordinator is started in `BrokerServer` before the authorizer is
created. And hence group coordinator doesn't have an authorizer and
never performs authorization. As a result, topics that are not
authorized for `Describe` may be assigned to consumers. This potentially
leaks information about topic existence, topic id and partition count to
users who are not authorized to describe a topic. This PR starts
authorizer earlier to ensure that authorization is performed by the
group coordinator. Also adds integration tests for verification.

Note that we still have a second issue when members have different
permissions. If regex is resolved by a member with permission to more
topics, unauthorized topics may be assigned to members with lower
permissions. In this case, we still return assignment containing topic
id and partitions to the member without `Topic:Describe` access. This is
not addressed by this PR, but an integration test that illustrates the
issue has been added so that we can verify when the issue is fixed.

Reviewers: David Jacot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dajac dajac dajac approved these changes

Assignees
No one assigned
Labels
core Kafka Broker KIP-848 The Next Generation of the Consumer Rebalance Protocol
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@rajinisivaram @dajac