
Inconsistency in consumer group related ACLs

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 0.11.0.0, 1.0.0
    • Fix Version/s: 2.1.0
    • Component/s: security
    • Labels:

      Description

      Users can see all groups in the cluster (using the consumer group command's `--list` option) provided that they have Describe access to the cluster. It would make more sense to change that behaviour and limit what is listed in the output to only those groups they have Describe access to. The reason is that almost everything else is accessible to a user only if the access is specifically granted (through `kafka-acls --add`), and this scenario should not be an exception. The potential change would be updating the minimum required permission of ListGroups from Describe (Cluster) to Describe (Group).

      We can also look at this issue from a different angle: a user with Read access to a group can describe that group, but the same user would not see anything when listing groups (assuming there is no Describe access to the cluster). It makes more sense for this user to be able to list all the groups they can already describe.

      It would be great to know if any user is relying on the existing behavior (listing all consumer groups using a Describe (Cluster) ACL).
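The following is an added example, not Kafka's own authorizer code: a small Python model of the ListGroups check as it stands (Describe on the Cluster resource reveals every group) next to the change proposed above (filter the list by Describe on each Group resource). It assumes a simplified allow-only ACL store of (principal, operation, resource type, resource name) tuples and Kafka's rule that Read, Write, Delete and Alter imply Describe on the same resource, which is what makes the Read-on-group user in the second paragraph see their group.

```python
from dataclasses import dataclass

# Kafka rule: these operations implicitly satisfy a Describe check on the same resource.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete", "Alter", "Describe"}


@dataclass(frozen=True)
class Acl:
    principal: str
    operation: str
    resource_type: str  # "Cluster" or "Group" (assumed simplified model)
    resource_name: str  # "kafka-cluster" is the single cluster resource


def authorized(acls, principal, operation, resource_type, resource_name):
    """Allow-only check; a Describe request is satisfied by any implying operation."""
    wanted = IMPLIES_DESCRIBE if operation == "Describe" else {operation}
    return any(a.principal == principal and a.operation in wanted
               and a.resource_type == resource_type
               and a.resource_name == resource_name
               for a in acls)


def list_groups_current(acls, principal, all_groups):
    """Behaviour described in the issue: Describe(Cluster) lists every group, else nothing."""
    if authorized(acls, principal, "Describe", "Cluster", "kafka-cluster"):
        return sorted(all_groups)
    return []


def list_groups_proposed(acls, principal, all_groups):
    """Proposed behaviour: only the groups this principal is allowed to Describe."""
    return sorted(g for g in all_groups
                  if authorized(acls, principal, "Describe", "Group", g))


# Constructed sample ACLs and group names (not from a real cluster).
ACLS = [
    Acl("User:ops", "Describe", "Cluster", "kafka-cluster"),
    Acl("User:alice", "Read", "Group", "orders-app"),
]
GROUPS = {"orders-app", "billing-app", "audit-app"}

if __name__ == "__main__":
    for user in ("User:ops", "User:alice"):
        print(user,
              "current:", list_groups_current(ACLS, user, GROUPS),
              "proposed:", list_groups_proposed(ACLS, user, GROUPS))
```

Note that `User:ops`, who relies solely on Describe (Cluster), lists nothing under the proposed rule; that is exactly the compatibility question the last paragraph raises.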

    People

    • Assignee: Vahid Hashemian (vahid)
    • Reporter: Vahid Hashemian (vahid)