Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/07/10 18:47:00 UTC

[jira] [Commented] (KAFKA-5638) Inconsistency in consumer group related ACLs

    [ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16539086#comment-16539086 ] 

ASF GitHub Bot commented on KAFKA-5638:
---------------------------------------

vahidhashemian opened a new pull request #5352: KAFKA-5638: Improve the Required ACL of ListGroups API (KIP-231)
URL: https://github.com/apache/kafka/pull/5352
 
 
   [KIP-231](https://cwiki.apache.org/confluence/display/KAFKA/KIP-231%3A+Improve+the+Required+ACL+of+ListGroups+API)
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)



> Inconsistency in consumer group related ACLs
> --------------------------------------------
>
>                 Key: KAFKA-5638
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5638
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.11.0.0, 1.0.0
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>              Labels: kip
>             Fix For: 2.1.0
>
>
> Users can see all groups in the cluster (using consumer group’s {{--list}} option) provided that they have {{Describe}} access to the cluster. It would make more sense to modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access to. The reason is, almost everything else is accessible by a user only if the access is specifically granted (through ACL {{--add}}); and this scenario should not be an exception. The potential change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}} access to a group can describe the group, but the same user would not see anything when listing groups (assuming there is no {{Describe}} access to the cluster). It makes more sense for this user to be able to list all groups s/he can already describe.
> It would be great to know if any user is relying on the existing behavior (listing all consumer groups using a {{Describe (Cluster)}} ACL).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
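The ListGroups authorization change described in the issue, modelled as an added Python example (not Kafka's own code): a toy allow-only authorizer using Kafka's rule that Read, Write, Alter and Delete imply Describe, with the listing logic before and after the change. Per KIP-231, Describe (Cluster) still returns every group; the Acl class, authorize(), the cluster resource name and the sample ACLs and group ids are constructed for this example.

```python
# Added example (not Kafka's code): a minimal model of the ACL check that
# KAFKA-5638 / KIP-231 changes for the ListGroups API. The resource types,
# operations and authorizer below are simplified stand-ins for Kafka's.
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str       # e.g. "User:alice"
    resource_type: str   # "Cluster", "Group" or "Topic"
    resource_name: str   # "kafka-cluster", a group id, ...; "*" matches any
    operation: str       # "Describe", "Read", "Write", ...


# Modelled on Kafka's implied operations: these all imply Describe.
IMPLIES = {op: {"Describe"} for op in ("Read", "Write", "Alter", "Delete")}


def authorize(acls, principal, operation, resource_type, resource_name):
    """Constructed allow-only authorizer: True if some ACL grants the operation."""
    for acl in acls:
        if acl.principal != principal or acl.resource_type != resource_type:
            continue
        if acl.resource_name not in ("*", resource_name):
            continue
        if acl.operation == operation or operation in IMPLIES.get(acl.operation, set()):
            return True
    return False


def list_groups_before(acls, principal, all_groups):
    """Pre-KIP-231: Describe(Cluster) shows every group, otherwise nothing."""
    if authorize(acls, principal, "Describe", "Cluster", "kafka-cluster"):
        return sorted(all_groups)
    return []


def list_groups_after(acls, principal, all_groups):
    """KIP-231: Describe(Cluster) still shows every group; otherwise only the
    groups on which the principal holds Describe (or an operation implying it)."""
    if authorize(acls, principal, "Describe", "Cluster", "kafka-cluster"):
        return sorted(all_groups)
    return sorted(g for g in all_groups
                  if authorize(acls, principal, "Describe", "Group", g))


# Constructed sample data: alice may only Read group "orders"; admin has Describe(Cluster).
SAMPLE_ACLS = [Acl("User:alice", "Group", "orders", "Read"),
               Acl("User:admin", "Cluster", "kafka-cluster", "Describe")]
SAMPLE_GROUPS = {"orders", "payments", "audit"}

if __name__ == "__main__":
    print("before:", list_groups_before(SAMPLE_ACLS, "User:alice", SAMPLE_GROUPS))  # []
    print("after: ", list_groups_after(SAMPLE_ACLS, "User:alice", SAMPLE_GROUPS))   # ['orders']
```

The before/after pair shows the inconsistency the reporter points out: alice can describe "orders" through her Read ACL, yet the old check lists nothing for her.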