Status
Current state: Draft
Discussion thread: here
JIRA: here
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Currently, Kafka has a backdoor mechanism that allows any client with the client ID `__admin_client` to produce to internal topics, bypassing the normal internal topic protection. This backdoor causes several security issues and operational concerns:
- Security Vulnerability
  - A malicious or misconfigured client can impersonate the admin client and produce to or consume from internal topics such as: __consumer_offsets, __transaction_state, __share_group_state. This may lead to data corruption, invalid state transitions, or disruption of core Kafka functionality.
- Operational Risk
  - No differentiation between legitimate admin tools and malicious clients
  - Difficult to debug when internal topics are corrupted
- Limited Legitimate Use Cases
  - The legitimate use cases for producing to internal topics are:
    - Coordinators: Group Coordinator, Transaction Coordinator, Share Coordinator - these already use internalTopicsAllowed = true with AppendOrigin.COORDINATOR
    - Admin tools: Should use proper APIs instead of relying on the client ID
    - Internal Kafka operations: These use the appropriate append method with proper flags
There is no documented legitimate reason for external clients to produce to internal topics.
Public Interfaces
No public interface changes.
Proposed Changes
- Add warning logs: Log a warning when a client uses the `__admin_client` client ID to produce to internal topics.
- Add deprecation note: Add to the upgrade notes and documentation that this backdoor is deprecated in 4.x and will be removed in 5.0.
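
A simplified model of the produce-path check with the proposed warning, added here as an example; it is not Kafka source code. The class, the `check` helper, the `Decision` values, the log wording and the logged principal are assumptions, and the sample requests are constructed.

```java
import java.util.List;
import java.util.Set;
import java.util.logging.Logger;

// Simplified model of the broker-side produce check; not Kafka source code.
public class InternalTopicProduceCheck {
    private static final Logger LOG = Logger.getLogger("InternalTopicProduceCheck");

    // Client ID named in this KIP; it is a client-supplied string, not an authenticated identity.
    static final String ADMIN_CLIENT_ID = "__admin_client";
    // Internal topics listed in the Motivation section.
    static final Set<String> INTERNAL_TOPICS =
        Set.of("__consumer_offsets", "__transaction_state", "__share_group_state");

    enum Decision { ALLOWED, REJECTED_INTERNAL_TOPIC, ALLOWED_DEPRECATED_BYPASS }

    // Hypothetical helper: decide one produce request and warn when the bypass is used.
    // Logging the principal is an assumption; it lets operators tell callers apart.
    static Decision check(String clientId, String principal, String topic) {
        if (!INTERNAL_TOPICS.contains(topic)) {
            return Decision.ALLOWED;
        }
        if (ADMIN_CLIENT_ID.equals(clientId)) {
            LOG.warning(() -> String.format(
                "Client ID %s (principal %s) produced to internal topic %s; "
                + "this bypass is deprecated in 4.x and will be removed in 5.0",
                clientId, principal, topic));
            return Decision.ALLOWED_DEPRECATED_BYPASS;
        }
        return Decision.REJECTED_INTERNAL_TOPIC;
    }

    record Request(String clientId, String principal, String topic) {}

    public static void main(String[] args) {
        // Constructed sample requests.
        List<Request> samples = List.of(
            new Request("orders-service", "User:orders", "orders"),
            new Request("orders-service", "User:orders", "__consumer_offsets"),
            new Request("__admin_client", "User:orders", "__transaction_state"));
        for (Request r : samples) {
            System.out.printf("%-16s %-22s -> %s%n",
                r.clientId(), r.topic(), check(r.clientId(), r.principal(), r.topic()));
        }
    }
}
```

The model covers only the client ID check described in this KIP and leaves out every other authorization step a broker performs.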
Compatibility, Deprecation, and Migration Plan
This will be deprecated in 4.x and removed in 5.0.
This breaking change will happen at a major release, so it is an acceptable change.
Test Plan
No test required.
Rejected Alternatives
- Replace client ID check with a configurable whitelist of client IDs.
- Make the backdoor feature configurable.