tchiotludo / akhq

Kafka GUI for Apache Kafka to manage topics, topics data, consumers group, schema registry, connect and more...
https://akhq.io/
Apache License 2.0

Missing checks for permission on GroupController #1936

Closed alwibrm closed 1 month ago

alwibrm commented 2 months ago

With the following role definitions:

      group-read:
        - resources:
            - CONSUMER_GROUP
          actions:
            - READ
      offset-reset:
        - resources:
            - CONSUMER_GROUP
          actions:
            - UPDATE_OFFSET
            - DELETE_OFFSET

and the following group definitions:

      akhq-reader:
        - role: group-read
      akhq-manager:
        - role: offset-reset
          patterns:
            - ^myconsumergroup.*$

a user assigned to both groups (akhq-reader and akhq-manager) can update the offset of any and all topics, even when they're not matching the pattern of "^myconsumergroup.*$".

Most of the controllers are implementing permission checks by calling AbstractController#checkIfClusterAndResourceAllowed. These checks seem to be missing in the GroupController.
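To make the reported gap concrete, here is an added example (not AKHQ's own code) that models the role and group definitions from the report and evaluates an action two ways: a check that ignores the group's patterns, which reproduces the over-permissive behaviour described above, beside one that only grants an action when the binding that carries it also matches the resource name. It assumes a binding without `patterns` applies to every name; the `is_allowed*` functions and the dict layout are illustrative, not AKHQ's API.

```python
import re

# Role definitions from the report, as plain dicts (constructed sample config).
ROLES = {
    "group-read": [{"resources": ["CONSUMER_GROUP"], "actions": ["READ"]}],
    "offset-reset": [{"resources": ["CONSUMER_GROUP"],
                      "actions": ["UPDATE_OFFSET", "DELETE_OFFSET"]}],
}

# Group definitions from the report: akhq-manager is restricted by a pattern.
GROUPS = {
    "akhq-reader": [{"role": "group-read"}],
    "akhq-manager": [{"role": "offset-reset", "patterns": [r"^myconsumergroup.*$"]}],
}


def _bindings(user_groups):
    """Yield (binding, rule) pairs for every role rule reachable from the user's groups."""
    for group in user_groups:
        for binding in GROUPS.get(group, []):
            for rule in ROLES.get(binding["role"], []):
                yield binding, rule


def is_allowed_no_pattern_check(user_groups, resource, action, name):
    """Flawed check: only asks whether *some* binding grants the action on the resource type.
    A user in akhq-reader and akhq-manager gets UPDATE_OFFSET on every consumer group."""
    return any(resource in rule["resources"] and action in rule["actions"]
               for _, rule in _bindings(user_groups))


def is_allowed(user_groups, resource, action, name):
    """Correct check: the binding that grants the action must also match the resource name.
    Assumption: a binding with no 'patterns' key applies to all names."""
    for binding, rule in _bindings(user_groups):
        if resource not in rule["resources"] or action not in rule["actions"]:
            continue
        patterns = binding.get("patterns", [r".*"])
        if any(re.search(p, name) for p in patterns):
            return True
    return False
```

With both groups, `is_allowed` permits UPDATE_OFFSET on `myconsumergroup-1` and READ on any group, but refuses UPDATE_OFFSET on `othergroup`; the pattern-less variant allows it.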