kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Vahid Hashemian (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (KAFKA-5638) Inconsistency in consumer group related ACLs
Date Tue, 01 Aug 2017 18:39:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16109479#comment-16109479
] 

Vahid Hashemian edited comment on KAFKA-5638 at 8/1/17 6:38 PM:
----------------------------------------------------------------

[~hachikuji] That should work too, and give us backward compatibility (is this why we would
reject my suggested substitution?). I'm not sure why the required ACL was set to {{Describe(Cluster)}}
in the first place. With your suggested extension I still think the inconsistency is still
there, so in the long run it would make sense to get rid of the required cluster-level ACL
(unless there is a sound logic behind it).

I assume extending the API would still require a KIP.


was (Author: vahid):
[~hachikuji] That should work too, and give us backward compatibility (is this why we would
reject my suggested substitution). I'm not sure why the required ACL was set to {{Describe(Cluster)}}
in the first place. With your suggested extension I still think the inconsistency is still
there, so in the long run it would make sense to get rid of the required cluster-level ACL
(unless there is a sound logic behind it).


> Inconsistency in consumer group related ACLs
> --------------------------------------------
>
>                 Key: KAFKA-5638
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5638
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.11.0.0
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>              Labels: needs-kip
>
> Users can see all groups in the cluster (using consumer group’s {{--list}} option)
provided that they have {{Describe}} access to the cluster. It would make more sense to
modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access
to. The reason is, almost everything else is accessible by a user only if the access is specifically
granted (through ACL {{--add}}); and this scenario should not be an exception. The potential
change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}}
to {{Describe (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}} access
to a group can describe the group, but the same user would not see anything when listing groups
(assuming there is no {{Describe}} access to the cluster). It makes more sense for this
user to be able to list all groups s/he can already describe.
> It would be great to know if any user is relying on the existing behavior (listing all
consumer groups using a {{Describe (Cluster)}} ACL).



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message