kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vahid Hashemian (JIRA)" <j...@apache.org>
Subject [jira] [Created] (KAFKA-5638) Inconsistency in consumer group related ACLs
Date Tue, 25 Jul 2017 18:23:00 GMT
Vahid Hashemian created KAFKA-5638:

             Summary: Inconsistency in consumer group related ACLs
                 Key: KAFKA-5638
                 URL: https://issues.apache.org/jira/browse/KAFKA-5638
             Project: Kafka
          Issue Type: Bug
          Components: security
    Affects Versions:
            Reporter: Vahid Hashemian
            Assignee: Vahid Hashemian
            Priority: Minor

Users can see all groups in the cluster (using consumer group’s {{--list}} option) provided
that they have {{Describe}} access to the cluster. It would make more sense to modify that
experience and limit what is listed in the output to only those groups they have {{Describe}} access
to. The reason is, almost everything else is accessible by a user only if the access is specifically
granted (through ACL {{--add}}); and this scenario should not be an exception. The potential
change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}}
to {{Describe (Group)}}.

We can also look at this issue from a different angle: A user with {{Read}} access to a
group can describe the group, but the same user would not see anything when listing groups
(assuming there is no {{Describe}} access to the cluster). It makes more sense for this
user to be able to list all groups s/he can already describe.

It would be great to know if any user is relying on the existing behavior (listing all consumer
groups using a {{Describe (Cluster)}} ACL.

This message was sent by Atlassian JIRA

View raw message