You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Vahid Hashemian (JIRA)" <ji...@apache.org> on 2018/02/05 18:47:00 UTC
[jira] [Updated] (KAFKA-5638) Inconsistency in consumer group
related ACLs
[ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vahid Hashemian updated KAFKA-5638:
-----------------------------------
Fix Version/s: (was: 1.1.0)
1.2.0
> Inconsistency in consumer group related ACLs
> --------------------------------------------
>
> Key: KAFKA-5638
> URL: https://issues.apache.org/jira/browse/KAFKA-5638
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.11.0.0, 1.0.0
> Reporter: Vahid Hashemian
> Assignee: Vahid Hashemian
> Priority: Minor
> Labels: kip
> Fix For: 1.2.0
>
>
> Users can see all groups in the cluster (using consumer group’s {{--list}} option) provided that they have {{Describe}} access to the cluster. It would make more sense to modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access to. The reason is, almost everything else is accessible by a user only if the access is specifically granted (through ACL {{--add}}); and this scenario should not be an exception. The potential change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}} access to a group can describe the group, but the same user would not see anything when listing groups (assuming there is no {{Describe}} access to the cluster). It makes more sense for this user to be able to list all groups s/he can already describe.
> It would be great to know if any user is relying on the existing behavior (listing all consumer groups using a {{Describe (Cluster)}} ACL).
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)