kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ted Yu <yuzhih...@gmail.com>
Subject Re: Kafka Authorizer interface review
Date Tue, 03 Apr 2018 17:17:10 GMT
bq. you too are concerned about the current delete record/topic limitation

Yes.
I think this is a security hole.

On Tue, Apr 3, 2018 at 9:37 AM, Mickael Maison <mickael.maison@gmail.com>
wrote:

> Yes this is indeed a typo!
>
> And yes we're considering filing another KIP but I thought collecting
> all our feedback and providing a full summary might be beneficial for
> others.
> I see you too are concerned about the current delete record/topic
> limitation.
>
> On Tue, Apr 3, 2018 at 5:26 PM, Ted Yu <yuzhihong@gmail.com> wrote:
> > bq. There is now way to distinguish between topic and record deletion.
> >
> > I guess you meant 'no way' above.
> > I think deleting a topic has higher impact than deleting records.
> >
> > Have you considered filing KIP to distinguish the two operations ?
> >
> > Cheers
> >
> > On Tue, Apr 3, 2018 at 9:22 AM, Mickael Maison <mickael.maison@gmail.com
> >
> > wrote:
> >
> >> Hi all,
> >>
> >> Over the past few months the IBM Message Hub team has "played quite a
> >> bit" with the pluggable Authorizer interface and I'll try to give a
> >> summary of our findings.
> >>
> >> First when implementing a custom Authorizer, we found it hard having a
> >> global view of all the Resource/Operation required for each ApiKey. We
> >> ended up building a table (by looking at KafkaApis.scala) of all the
> >> combinations that can be triggered. We posted this table in the wiki,
> >> https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Authorizations,
> >> hopefully that will help others too.
> >>
> >> We found the overview it provides necessary and it should probably be
> >> in the docs/javadocs.
> >>
> >> The biggest limitation for us were the permissions required to create
> >> topics. This is what we targeted with KIP-277:
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> >> 277+-+Fine+Grained+ACL+for+CreateTopics+API
> >>
> >> Some of our other findings:
> >> - There is now way to distinguish between topic and record deletion.
> >> If a Principal has Delete on a Topic, it can do both. With regulations
> >> like GDPR, we can expect the DeleteRecords API to gain popularity and
> >> it's a bit scary that it also allows to delete the topic.
> >> - We also can't distinguish between DescribeLogDirs, DescribeAcls and
> >> ListGroups as they both require Describe on the Cluster resource.
> >> While ListGroups is pretty common for "normal" users, the other 2 are
> >> a bit more on the admin side.
> >> - OffsetCommit only requires Read on Group even though it's
> >> technically a write operation. I think this was already discussed at
> >> some point on the mailing list.
> >>
> >> Changing permissions is an expensive process and so far we've not
> >> attempted to come up with alternatives (apart from KIP-277). There is
> >> also a balance between granularity and ease of use, requiring
> >> administrators to set and maintain many permissions is not really an
> >> improvement!
> >>
> >> Thanks
> >>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message