You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "Jason Gustafson (JIRA)" <ji...@apache.org> on 2017/07/31 21:38:00 UTC

[jira] [Commented] (KAFKA-5638) Inconsistency in consumer group related ACLs

    [ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16108007#comment-16108007 ] 

Jason Gustafson commented on KAFKA-5638:
----------------------------------------

[~vahid] Interesting point. Maybe we could just extend the current behavior? If the user has {{Describe(Cluster)}}, we can list all groups as we do currently. Otherwise, we can restrict the set of groups to only those that the user has {{Describe(Group)}} permission for?

> Inconsistency in consumer group related ACLs
> --------------------------------------------
>
>                 Key: KAFKA-5638
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5638
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.11.0.0
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>              Labels: needs-kip
>
> Users can see all groups in the cluster (using consumer group’s {{--list}} option) provided that they have {{Describe}} access to the cluster. It would make more sense to modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access to. The reason is, almost everything else is accessible by a user only if the access is specifically granted (through ACL {{--add}}); and this scenario should not be an exception. The potential change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}} access to a group can describe the group, but the same user would not see anything when listing groups (assuming there is no {{Describe}} access to the cluster). It makes more sense for this user to be able to list all groups s/he can already describe.
> It would be great to know if any user is relying on the existing behavior (listing all consumer groups using a {{Describe (Cluster)}} ACL).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)