Posted to users@kafka.apache.org by Gustavo Ferreira <Gu...@curve.com> on 2021/11/18 14:42:52 UTC

ACL permissions bypass

Hi all,

While debugging an issue in our dev environment, I came to the realization
that we are not setting the DESCRIBE ACL permission for a given
topic/service-account mapping, yet the consumer is able to fetch messages
from that topic without any issues.

The documentation says this topic ACL allows for the following API
requests: ListOffsets, Metadata, OffsetFetch.

These are all API calls that a consumer makes during normal operations and
we are indeed able to successfully get responses to these calls without
granting the TOPIC DESCRIBE ACL to the topic/service-account being used by
the consumer.

Ref:
https://docs.confluent.io/platform/current/kafka/authorization.html#operations

Best regards,
Gustavo
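The behaviour described in the post above lines up with the implied-operation rule in Kafka's authorizer: the Kafka authorization docs state that Describe is implied by Read, Write, Delete and Alter (and DescribeConfigs by AlterConfigs), so a principal holding only Read on a topic passes the Describe check that Metadata, ListOffsets and OffsetFetch require. The Python model below is an added example, not part of the original post or of the Kafka code base. It reproduces that rule over a constructed ACL set; the principal name, topic name and ACL entries are made up for illustration, the API-to-operation table is a small subset of the documentation table the post links to, and the model only covers Allow entries on literal resource names (Deny precedence, wildcard and prefixed patterns, and the group- and cluster-level ACLs those same calls also need are left out).

```python
"""Minimal model of Kafka's ACL operation-implication rule (added example,
not Kafka's own authorizer code)."""
from dataclasses import dataclass

# From the Kafka authorization docs: Describe is implied by Read, Write,
# Delete and Alter; DescribeConfigs is implied by AlterConfigs.
IMPLIED_BY = {
    "Describe": frozenset({"Read", "Write", "Delete", "Alter"}),
    "DescribeConfigs": frozenset({"AlterConfigs"}),
}

# Topic-level operation each request needs. Subset of the documentation
# table linked in the post; group- and cluster-level requirements omitted.
API_TOPIC_OPERATION = {
    "Produce": "Write",
    "Fetch": "Read",
    "ListOffsets": "Describe",
    "Metadata": "Describe",
    "OffsetFetch": "Describe",
    "DeleteTopics": "Delete",
}


@dataclass(frozen=True)
class Acl:
    """One Allow entry on a literal resource name (Deny and patterns omitted)."""
    principal: str
    resource_type: str
    resource_name: str
    operation: str


def granted_operations(acls, principal, resource_type, resource_name):
    """Operations the principal holds directly on the named resource."""
    return {
        a.operation
        for a in acls
        if (a.principal, a.resource_type, a.resource_name)
        == (principal, resource_type, resource_name)
    }


def is_authorized(acls, principal, resource_type, resource_name, operation):
    """Kafka-style check: a direct grant, the All operation, or a granted
    operation that implies the one being checked."""
    granted = granted_operations(acls, principal, resource_type, resource_name)
    if operation in granted or "All" in granted:
        return True
    return bool(IMPLIED_BY.get(operation, frozenset()) & granted)


def api_authorized(acls, principal, api, topic):
    """True if the principal may issue `api` against `topic` (topic ACL only)."""
    return is_authorized(acls, principal, "Topic", topic, API_TOPIC_OPERATION[api])


def why_authorized(acls, principal, api, topic):
    """Name the grant that satisfied the topic check, or 'denied'."""
    needed = API_TOPIC_OPERATION[api]
    granted = granted_operations(acls, principal, "Topic", topic)
    if needed in granted:
        return f"direct {needed}"
    if "All" in granted:
        return "All"
    via = IMPLIED_BY.get(needed, frozenset()) & granted
    if via:
        return f"{needed} implied by {', '.join(sorted(via))}"
    return "denied"


# Constructed ACL set: the consumer's service account holds only Read on
# the topic, and no explicit Describe (the situation in the post).
CONSUMER_ACLS = [Acl("User:consumer-svc", "Topic", "orders", "Read")]

if __name__ == "__main__":
    for api in ("Metadata", "ListOffsets", "OffsetFetch", "Fetch", "Produce"):
        ok = api_authorized(CONSUMER_ACLS, "User:consumer-svc", api, "orders")
        reason = why_authorized(CONSUMER_ACLS, "User:consumer-svc", api, "orders")
        print(f"{api:12} {'ALLOW' if ok else 'DENY':5} ({reason})")
```

Running the script lists the three Describe-backed requests as allowed via the Read grant, Fetch as allowed directly, and Produce as denied. The implication only runs in one direction: a principal granted Describe alone still fails the Read check for Fetch, which is the property to verify when auditing a topic's ACLs with kafka-acls rather than assuming a missing Describe entry blocks metadata reads.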