+users mailing list David,
I don't think I really understand your email. Are you saying that this can already be achieved only using the READ ACL? Thanks Adam On Wed, Aug 21, 2019 at 3:58 AM David Jacot <dja...@confluent.io> wrote: > Hello, > > It would be better to ask such question on the user mailing list. > > The reason is that the group is created automatically when a consumer > joins it. It is not created explicitly so it can be restricted. > > In your case, you could setup a ACL to authorize the application to only > use the group you have defined. It would prevent the application from > creating new groups. (READ Acl on Group resource with a specific name). > > Best, > David > > On Mon, Aug 19, 2019 at 9:01 PM Adam Bellemare <adam.bellem...@gmail.com> > wrote: > > > Hi All > > > > I am looking through the Confluent docs and core Kafka docs and don't see > > an ACL for group creation: > > https://docs.confluent.io/current/kafka/authorization.html#acl-format > > and > > https://kafka.apache.org/documentation/#security_authz > > > > My scenario is simple: We use the consumer group as the means of > > identifying a single application, including tooling for managing > > application resets, offset management, lag monitoring, etc. We often have > > situations where someone resets their consumer group by appending an > > incremented integer ("cg" to "cg1"), but it throws the rest of the > > monitoring and management tooling out of whack. > > > > Is there a reason why we do not have ACL-based CREATE restrictions to a > > particular consumer group? I am willing to do the work to implement this > > and test it out, but I wanted to validate that there isn't a reason I am > > missing. > > > > Thanks > > Adam > > >