Details
Critical Description
Hello Community,
I'm facing an unexpected situation while working with Kafka ACLs. Despite having provided only read access permissions to the user "rbactest22sep," I've noticed that this user is still able to add ACLs for Kafka topics. Here are the details:
User: rbactest22sep
Current Permissions: Principal=User:rbactest22sep, Host=*, Operation=READ, PermissionType=ALLOW
I attempted to add an ACL for topic creation using the following command:
| kafka-acls.sh - Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=,{} patternType=LITERAL)`:{*} (principal=User:rbactest22sep, host=,{} operation=CREATE,{} permissionType=ALLOW){*} |
Where content of /bitnami/kafka/config/rbacuser.properties as below:
| security.protocol=SASL_SSL sasl.mechanism=SCRAM-SHA-256 sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="rbactest22sep" password="mypass"; ssl.truststore.type=JKS ssl.truststore.location=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
|
The command executed successfully, and the user gained the ability to create topics.
I'm puzzled by this behavior and would appreciate your insights into why this might be happening. Could this be related to Kafka configuration, ACL inheritance, or a misunderstanding of the permissions model?
Also, I'm under the assumption that we need to explicitly give the following permissions to a user to manage ACLs:
| DESCRIBE_ACLS (29) Describe Cluster CREATE_ACLS (30) Alter Cluster DELETE_ACLS (31) Alter Cluster |
Any guidance on how to troubleshoot and resolve this issue, as well as any clarifications on the necessary permissions for managing ACLs, would be greatly appreciated.
Thank you for your help!