Posted to jira@kafka.apache.org by "Manikumar (Jira)" <ji...@apache.org> on 2021/09/15 07:27:00 UTC
[jira] [Commented] (KAFKA-13300) Kafka ACL Restriction Group Is not being applied
[ https://issues.apache.org/jira/browse/KAFKA-13300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415352#comment-17415352 ]
Manikumar commented on KAFKA-13300:
-----------------------------------
The kafka-acls.sh command's {{"--add"}} option is for adding an ACL and {{"--remove"}} is for removing an existing ACL.
Consuming from a group without read permission should fail unless we configure {{"allow.everyone.if.no.acl.found=true"}}.
https://kafka.apache.org/documentation/#security_authz
I am not able to reproduce the issue. Can you attach the {{server.properties}} file and steps to reproduce the issue?
> Kafka ACL Restriction Group Is not being applied
> ------------------------------------------------
>
> Key: KAFKA-13300
> URL: https://issues.apache.org/jira/browse/KAFKA-13300
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.6.2
> Reporter: Adriano Jesus
> Priority: Minor
>
> Hi,
> I am creating a KAFKA ACL with a fake group restriction as above:
>
> {code:java}
> ./kafka-acls.sh \
> --authorizer-properties zookeeper.connect=$ZOOKEEPER \
> --remove --allow-principal User:'Kafka-tools' \
> --consumer --group fake-group \
> --topic delete-me-2
> {code}
>
> When I try to consume a message with the same user, 'Kafka-tools', and with another group I am still able to consume the messages:
> {code:java}
> // ./kafka-console-consumer.sh --bootstrap-server=$KAFKA --topic delete-me-2 --consumer.config user-auth.properties --from-beginning --group teste
> {code}
> According to documentation this property can be used as consumer group (https://docs.confluent.io/platform/current/kafka/authorization.html):
> "*Group*
> Groups in the brokers. All protocol calls that work with groups, such as joining a group, must have corresponding privileges with the group in the subject. Group ({{group.id}}) can mean Consumer Group, Stream Group ({{application.id}}), Connect Worker Group, or any other group that uses the Consumer Group protocol, like Schema Registry cluster."
> I did another test adding a consumer ACL permission with this command:
> {code:java}
> ./kafka-acls.sh \
> --authorizer-properties zookeeper.connect=$ZOOKEEPER \
> --add --allow-principal User:'Kafka-tools' \
> --consumer --group fake-group \
> --topic delete-me-2
> {code}
> After that I removed the ACL authorization for the READ operation on the Group resource. I tried again to consume from this topic, and I am still able to consume messages from this topic even without READ group permission.
> Maybe my interpretation is wrong. But it seems that Kafka ACL is validating the group permissions.
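
The comment above ties the outcome to the broker's {{server.properties}}. As an added example (not part of the original thread and not Kafka's own code), this simplified Python model shows when a Group READ check passes even though no ACL names the group. The property names are Kafka's; the sample config, the ACL tuples and the function names are constructed, and wildcard principals and prefixed resource patterns are left out.

```python
# Simplified model of a broker's Group READ decision; not Kafka code.
# Assumption: acls is a constructed stand-in for `kafka-acls.sh --list` output.

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def group_read_decision(props, acls, principal, group):
    """Return (allowed, reason); acls holds (principal, permission, operation, group)."""
    if not props.get("authorizer.class.name"):
        return True, "no authorizer configured: ACLs are not enforced"
    supers = [u.strip() for u in props.get("super.users", "").split(";")]
    if principal in supers:
        return True, "principal is listed in super.users"
    on_group = [a for a in acls if a[3] == group]
    if not on_group:
        if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
            return True, "no ACL on group and allow.everyone.if.no.acl.found=true"
        return False, "no ACL on group"
    mine = [a for a in on_group if a[0] == principal and a[2] in ("Read", "All")]
    if any(a[1] == "Deny" for a in mine):
        return False, "matching Deny ACL"
    if any(a[1] == "Allow" for a in mine):
        return True, "matching Allow ACL"
    return False, "group has ACLs but none allows this principal"


# Constructed broker config and ACL list, using the names from the report.
SAMPLE = """
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=true
"""
ACLS = [("User:Kafka-tools", "Allow", "Read", "fake-group")]

if __name__ == "__main__":
    props = parse_properties(SAMPLE)
    for g in ("fake-group", "teste"):
        print(g, group_read_decision(props, ACLS, "User:Kafka-tools", g))
```

With the constructed config, group {{teste}} is allowed only because no ACL exists on it and the fallback is enabled; setting the property to {{false}} turns the same request into a denial.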