CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are cribbed directly (though by hand, so not infallibly!) from mainline kafka. In plain english, to add offsets to the transaction, you need WRITE permissions for the transactional ID and READ permissions for the group.

To be perfectly honest I’m not 100% on the semantics here, but, to my understanding, the request is ill-formed if those conditions aren’t met.