kafka-jira mailing list archives

From "Vahid Hashemian (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KAFKA-5638) Inconsistency in consumer group related ACLs
Date Thu, 03 Aug 2017 19:18:00 GMT

    [ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113333#comment-16113333 ]

Vahid Hashemian commented on KAFKA-5638:

The current usage is probably not incorrect, because the implication you mentioned makes sense.
However, it is inconsistent. I also don't know of any other inferred permission like this
one. That's the reason I raised the issue. Unless there is a big push back, I would like to
take the KIP approach and fix this inconsistency by dropping the {{Describe(Cluster)}} check
from the API and introducing a {{Describe(Group)}} group requirement. If there is push back,
we can do the latter only and implement what you suggested above. If you are okay with this
approach I'll start drafting the KIP.

> Inconsistency in consumer group related ACLs
> --------------------------------------------
>                 Key: KAFKA-5638
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5638
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions:
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>              Labels: needs-kip
> Users can see all groups in the cluster (using consumer group’s {{--list}} option)
> provided that they have {{Describe}} access to the cluster. It would make more sense to
> modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access
> to. The reason is, almost everything else is accessible by a user only if the access is specifically
> granted (through ACL {{--add}}); and this scenario should not be an exception. The potential
> change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}}
> to {{Describe (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}} access
> to a group can describe the group, but the same user would not see anything when listing groups
> (assuming there is no {{Describe}} access to the cluster). It makes more sense for this
> user to be able to list all groups s/he can already describe.
> It would be great to know if any user is relying on the existing behavior (listing all
> consumer groups using a {{Describe (Cluster)}} ACL).
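An added model of the two authorization semantics compared in this thread (the current Describe(Cluster) gate on ListGroups versus the proposed per-group Describe check), written for this page and not code from Kafka; the principals, group names and ACLs are constructed, and the "Describe is implied by Read/Write/Delete/Alter" rule follows Kafka's authorizer.

```python
# Added model of the ACL semantics discussed in KAFKA-5638; this is not Kafka's
# authorizer code. An ACL is (principal, resource_type, resource_name, operation).
from typing import Iterable, List, Tuple

Acl = Tuple[str, str, str, str]

# Kafka's authorizer treats Describe as implied by these operations on the same resource,
# which is why a user with Read on a group can already describe it.
DESCRIBE_IMPLIED_BY = {"Describe", "Read", "Write", "Delete", "Alter"}


def authorized(acls: Iterable[Acl], principal: str, rtype: str, rname: str, op: str) -> bool:
    """True if some ACL grants `op` (or an operation implying it) on the named resource."""
    for p, t, n, o in acls:
        if p != principal or t != rtype or n != rname:
            continue
        if o == op or (op == "Describe" and o in DESCRIBE_IMPLIED_BY):
            return True
    return False


def list_groups_current(acls: Iterable[Acl], principal: str, all_groups) -> List[str]:
    """Behaviour the issue describes: Describe(Cluster) lists every group, otherwise nothing."""
    if authorized(acls, principal, "Cluster", "kafka-cluster", "Describe"):
        return sorted(all_groups)
    return []


def list_groups_proposed(acls: Iterable[Acl], principal: str, all_groups) -> List[str]:
    """Proposed behaviour: Cluster check dropped; list only groups the principal may Describe."""
    return sorted(g for g in all_groups if authorized(acls, principal, "Group", g, "Describe"))


# Constructed sample: three groups, one user with Read on a single group (so she can
# describe it) and one user holding only Describe on the cluster resource.
ALL_GROUPS = {"orders", "billing", "audit"}
ACLS: List[Acl] = [
    ("User:alice", "Group", "orders", "Read"),
    ("User:bob", "Cluster", "kafka-cluster", "Describe"),
]


def can_describe(principal: str, group: str) -> bool:
    return authorized(ACLS, principal, "Group", group, "Describe")


if __name__ == "__main__":
    for user in ("User:alice", "User:bob"):
        print(user, "current:", list_groups_current(ACLS, user, ALL_GROUPS),
              "proposed:", list_groups_proposed(ACLS, user, ALL_GROUPS))
```

Running it shows the inconsistency the reporter describes (alice can describe "orders" yet lists nothing today) and the trade-off the last quoted paragraph asks about (bob, relying on Describe(Cluster) alone, would list nothing under the proposal).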

This message was sent by Atlassian JIRA
