This is an automated email from the ASF dual-hosted git repository.

lucasbru pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new e8e4e0b6dba KAFKA-19377: Update /streams/developer-guide/security.html for KIP-1071 (#20084)
e8e4e0b6dba is described below

commit e8e4e0b6dba77837d7fd97821e10dbee46a4e16e
Author: KTKTK-HZ <[email protected]>
AuthorDate: Thu Jul 17 16:35:46 2025 +0800

    KAFKA-19377: Update /streams/developer-guide/security.html for KIP-1071 (#20084)
    
    Added required ACLs for new streams operations:
    
    - STREAMS_GROUP_HEARTBEAT (88) requires:
      • READ on Group
      • DESCRIBE on Topics
      • [Conditional] CREATE on Cluster or Topics
    - STREAMS_GROUP_DESCRIBE (89) requires:
      • DESCRIBE on Group
      • DESCRIBE on Topic
    
    Here is the rendering of the modified document.
    
    Reviewers: Lucas Brutschy <[email protected]>
    Co-authored-by: Lucas Brutschy <[email protected]>
---
 docs/streams/developer-guide/security.html | 61 +++++++++++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/docs/streams/developer-guide/security.html 
b/docs/streams/developer-guide/security.html
index 13e671fa931..bae4d90b8b2 100644
--- a/docs/streams/developer-guide/security.html
+++ b/docs/streams/developer-guide/security.html
@@ -70,7 +70,65 @@
                 the ACL set so that the application has the permissions to 
create, read and write
                 <a class="reference internal" 
href="manage-topics.html#streams-developer-guide-topics-internal"><span 
class="std std-ref">internal topics</span></a>.</p>
 
-                <p>To avoid providing this permission to your application, you 
can create the required internal topics manually.
+            <div class="admonition">
+                <p>If the <a class="reference external" 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol";>streams
 rebalance protocol</a> is enabled by setting 
<code>group.protocol=streams</code>, the following ACLs are required on the 
topic and group resources:</p>
+            </div>
+
+            <table border="1" class="docutils">
+                <colgroup>
+                    <col width="25%">
+                    <col width="15%">
+                    <col width="20%">
+                    <col width="40%">
+                </colgroup>
+                <thead valign="bottom">
+                <tr class="row-odd"><th class="head">API PROTOCOL</th>
+                    <th class="head">OPERATION</th>
+                    <th class="head">Resource</th>
+                    <th class="head">Notes</th>
+                </tr>
+                </thead>
+                <tbody valign="top">
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Read</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Create</td>
+                    <td>Cluster <i>or</i> Topic</td>
+                    <td>
+                        Required only if auto-creating internal topics.<br>
+                        • <code>Create</code> on Cluster resource<br>
+                        • or <code>Create</code> on all topics in 
StateChangelogTopics and RepartitionSourceTopics<br>
+                        Not required if internal topics are pre-created
+                    </td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the application's 
topology, when first joining.</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the group's 
topology</td>
+                </tr>
+                </tbody>
+            </table>
+
+                <p>As mentioned earlier, Kafka Streams applications need 
appropriate ACLs to create internal topics when running against a secured Kafka 
cluster.
+                    To avoid providing this permission to your application, 
you can create the required internal topics manually.
                     If the internal topics exist, Kafka Streams will not try 
to recreate them.
                     Note, that the internal repartition and changelog topics 
must be created with the correct number of partitions&mdash;otherwise, Kafka 
Streams will fail on startup.
                 The topics must be created with the same number of partitions 
as your input topic, or if there are multiple topics, the maximum number of 
partitions across all input topics.
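Review bot: the Create row of the new table lists `Create` on the Cluster resource and `Create` on the individual topics as interchangeable alternatives, but the cluster-level grant allows the application principal to create any topic in the cluster, which is far broader than the changelog and repartition topics it actually needs; the Notes cell should state that the topic-scoped grant (on the topics in StateChangelogTopics and RepartitionSourceTopics) is the preferred form, and that pre-creating the internal topics, as the paragraph that follows the table already recommends, removes the need for either. Two smaller points in the same hunk: the commit message identifies the APIs by number (STREAMS_GROUP_HEARTBEAT is 88, STREAMS_GROUP_DESCRIBE is 89) while the table does not, so adding the API key to the first column would let readers match the rows against that numbering, and the header cells mix casing ("API PROTOCOL", "OPERATION" next to "Resource", "Notes"). Finally, the added `<div class="admonition">` and `<table>` are indented at 12 spaces while the surrounding `<p>` elements, including the re-added one, use 16; aligning them with the neighbouring markup would keep the generated page source consistent.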
@@ -89,6 +147,7 @@
                 and <a class="reference external" 
href="https://cwiki.apache.org/confluence/x/QpvLB";>KIP-290</a> for details).
             </p>
         </div>
+
         <div class="section" id="security-example">
             <span id="streams-developer-guide-security-example"></span><h2><a 
class="toc-backref" href="#id2">Security example</a><a class="headerlink" 
href="#security-example" title="Permalink to this headline"></a></h2>
             <p>The purpose is to configure a Kafka Streams application to 
enable client authentication and encrypt data-in-transit when
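Review bot: this hunk only inserts a blank line between the closing `</div>` of the preceding section and `<div class="section" id="security-example">`, which has no connection to the KIP-1071 ACL documentation described in the commit message; it is harmless, but dropping it would keep the diff limited to the change it actually describes.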
