kafka-jira mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-4585) KIP-163: Offset fetch and commit requests use the same permissions
Date Fri, 11 Aug 2017 20:48:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-4585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16124016#comment-16124016 ]

ASF GitHub Bot commented on KAFKA-4585:
---------------------------------------

GitHub user vahidhashemian opened a pull request:

    https://github.com/apache/kafka/pull/3661

    KAFKA-4585: Lower the Minimum Required ACL Permission of OffsetFetch (KIP-163)

    Details can be found in the [KIP](https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch).

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vahidhashemian/kafka KAFKA-4585

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/3661.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #3661
    
----
commit be9e43db15952122836618520b7a166641c9914d
Author: Vahid Hashemian <vahidhashemian@us.ibm.com>
Date:   2017-08-11T20:32:56Z

    KAFKA-4585: Lower the Minimum Required ACL Permission of OffsetFetch (KIP-163)
    
    Details can be found in the [KIP](https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch).

----


> KIP-163: Offset fetch and commit requests use the same permissions
> ------------------------------------------------------------------
>
>                 Key: KAFKA-4585
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4585
>             Project: Kafka
>          Issue Type: Bug
>          Components: consumer
>    Affects Versions: 0.10.1.1
>            Reporter: Ewen Cheslack-Postava
>            Assignee: Vahid Hashemian
>              Labels: kip
>
> Currently the handling of permissions for consumer groups seems a bit odd because most
> of the requests use the Read permission on the Group (join, sync, heartbeat, leave, offset
> commit, and offset fetch). This means you cannot lock down certain functionality for certain
> users. For this issue I'll highlight a realistic issue since conflating the ability to perform
> most of these operations may not be a serious issue.
>
> In particular, if you want tooling for monitoring offsets (i.e. you want to be able to
> read from all groups) but don't want that tool to be able to write offsets, you currently
> cannot achieve this. Part of the reason this seems odd to me is that any operation which can
> mutate state seems like it should be a Write operation (i.e. joining, syncing, leaving, and
> committing; maybe heartbeat as well). However, [~hachikuji] has mentioned that the use of
> Read may have been intentional. If that is the case, changing at least offset fetch to be
> a Describe operation instead would allow isolating the mutating vs non-mutating request types.
>
> Note that this would require a KIP and would potentially have some compatibility implications.
> Note however, that if we went with the Describe option, Describe is allowed by default when
> Read, Write, or Delete are allowed, so this may not have to have any compatibility issues
> (if the user previously allowed Read, they'd still have all the same capabilities as before).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
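
The permission change described in the issue above, as an added example that is not part of the original message or of Kafka's own code: a simplified Python model of the Group ACL check before and after offset fetch is lowered to Describe. The request keys and function names are constructed for illustration; only the Read/Describe mapping and the implied-Describe rule come from the issue text.

```python
# Simplified model of the Group ACL check discussed in KAFKA-4585.
# Not Kafka's authorizer: all names below are constructed for illustration.

GROUP_REQUESTS = ["join", "sync", "heartbeat", "leave", "offset_commit", "offset_fetch"]

# Behaviour reported in the issue: every group request needs Read on the Group.
REQUIRED_BEFORE = {req: "Read" for req in GROUP_REQUESTS}

# Proposed behaviour: only offset fetch is lowered to Describe.
REQUIRED_AFTER = dict(REQUIRED_BEFORE, offset_fetch="Describe")

# Per the issue: Describe is allowed by default when Read, Write or Delete is allowed.
IMPLIES_DESCRIBE = {"Read", "Write", "Delete"}


def effective_ops(granted):
    """Expand the operations granted on a Group with the implied Describe."""
    ops = set(granted)
    if ops & IMPLIES_DESCRIBE:
        ops.add("Describe")
    return ops


def allowed_requests(granted, required):
    """Group requests a principal may issue under a request-to-operation mapping."""
    ops = effective_ops(granted)
    return {req for req in GROUP_REQUESTS if required[req] in ops}


def regressions(granted):
    """Requests allowed before the change but denied after it (compatibility check)."""
    return allowed_requests(granted, REQUIRED_BEFORE) - allowed_requests(granted, REQUIRED_AFTER)


if __name__ == "__main__":
    # Constructed principals: a monitoring tool and an ordinary consumer.
    principals = {"monitor (Describe only)": {"Describe"}, "consumer (Read)": {"Read"}}
    for name, granted in principals.items():
        print(name)
        print("  before:", sorted(allowed_requests(granted, REQUIRED_BEFORE)))
        print("  after: ", sorted(allowed_requests(granted, REQUIRED_AFTER)))
        print("  lost:  ", sorted(regressions(granted)))
```

In this model a Describe-only monitoring principal gains offset fetch without gaining offset commit, and no grant loses a request it could issue before.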
