acharbha created KAFKA-15394:
--------------------------------

Summary: Issue with Kafka ACLs: Unexpected Permissions for User
Key: KAFKA-15394
URL: https://issues.apache.org/jira/browse/KAFKA-15394
Project: Kafka
Issue Type: Bug
Components: security
Environment: we are running Kafka on a Kubernetes cluster using Helm.
Reporter: acharbha
Hello Community,

I'm facing an unexpected situation while working with Kafka ACLs. Despite having provided only read access permissions to the user "rbactest22sep", I've noticed that this user is still able to add ACLs for Kafka topics. Here are the details:

User: rbactest22sep
Current Permissions: Principal=User:rbactest22sep, Host=*, Operation=READ, PermissionType=ALLOW

I attempted to add an ACL for topic creation using the following command:

    kafka-acls.sh --bootstrap-server broker1:9095,broker2:9095,broker3:9095 --command-config /bitnami/kafka/config/rbacuser.properties --add --allow-principal User:rbactest22sep --operation create --topic '*'
    Adding ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
        (principal=User:rbactest22sep, host=*, operation=CREATE, permissionType=ALLOW)

Where the content of /bitnami/kafka/config/rbacuser.properties is as below:

    security.protocol=SASL_SSL
    sasl.mechanism=SCRAM-SHA-256
    sasl.jaas.config=org.apache.kafka.common.security.scram.ScramLoginModule required username="rbactest22sep" password="mypass";
    ssl.truststore.type=JKS
    ssl.truststore.location=/opt/bitnami/kafka/config/certs/kafka.truststore.jks
    # Uncomment this line if your client truststore is password protected
    ssl.truststore.password=trustpass.com

The command executed successfully, and the user gained the ability to create topics. I'm puzzled by this behavior and would appreciate your insights into why this might be happening.

Could this be related to Kafka configuration, ACL inheritance, or a misunderstanding of the permissions model? Also, I'm under the assumption that we need to explicitly give the following permissions to a user to manage ACLs:

    DESCRIBE_ACLS (29)   Describe   Cluster
    CREATE_ACLS (30)     Alter      Cluster
    DELETE_ACLS (31)     Alter      Cluster

Any guidance on how to troubleshoot and resolve this issue, as well as any clarifications on the necessary permissions for managing ACLs, would be greatly appreciated.

Thank you for your help!

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
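One check worth running when triaging a report like this is which principals' cluster-level ACLs actually grant the ACL-management APIs in the table above. The script below is an added example, not code from the report or from the Kafka project: the listing is a constructed sample in the format `kafka-acls.sh --list` prints, the principal names are made up, and the evaluation rules (a matching DENY wins, ALL covers every operation, ALTER/READ/WRITE/DELETE imply DESCRIBE) follow Kafka's built-in authorizer.

```python
import re
from collections import defaultdict
# Constructed sample in the format `kafka-acls.sh --list` prints; not taken from the report.
SAMPLE_ACL_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
  (principal=User:reader, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
  (principal=User:ops-admin, host=*, operation=ALTER, permissionType=ALLOW)
  (principal=User:platform-admin, host=*, operation=ALL, permissionType=ALLOW)
  (principal=User:auditor, host=*, operation=DESCRIBE, permissionType=ALLOW)
  (principal=User:contractor, host=*, operation=ALTER, permissionType=ALLOW)
  (principal=User:contractor, host=*, operation=ALTER, permissionType=DENY)
"""
RESOURCE_RE = re.compile(r"ResourcePattern\(resourceType=(\w+), name=([^,]+), patternType=(\w+)\)")
ACL_RE = re.compile(r"\(principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)\)")
# Cluster operation each ACL-management API requires (the mapping quoted in the report).
ACL_API_REQUIREMENTS = {"CREATE_ACLS": "ALTER", "DELETE_ACLS": "ALTER", "DESCRIBE_ACLS": "DESCRIBE"}
# Kafka's authorizer treats an ALLOW for any of these operations as also allowing DESCRIBE.
IMPLIES_DESCRIBE = {"DESCRIBE", "READ", "WRITE", "DELETE", "ALTER"}

def parse_acl_listing(text):
    """Yield (resource_type, name, pattern_type, principal, host, operation, permission_type)."""
    resource = None
    for line in text.splitlines():
        if m := RESOURCE_RE.search(line):
            resource = m.groups()
        elif (m := ACL_RE.search(line)) and resource is not None:
            yield (*resource, *m.groups())

def operation_granted(op, allowed, denied):
    """Authorizer rule: a matching DENY wins; ALL covers every operation; DESCRIBE may be implied."""
    if op in denied or "ALL" in denied:
        return False
    if op in allowed or "ALL" in allowed:
        return True
    return op == "DESCRIBE" and bool(allowed & IMPLIES_DESCRIBE)

def acl_managers(text):
    """Map principal -> sorted ACL-management APIs it may call, from host=* CLUSTER ACLs only."""
    allowed, denied = defaultdict(set), defaultdict(set)
    for rtype, _name, _ptype, principal, host, op, perm in parse_acl_listing(text):
        if rtype == "CLUSTER" and host == "*":  # host-specific entries bind only that client host
            (allowed if perm == "ALLOW" else denied)[principal].add(op)
    result = {}
    for principal in allowed:
        apis = [api for api, op in sorted(ACL_API_REQUIREMENTS.items())
                if operation_granted(op, allowed[principal], denied[principal])]
        if apis:
            result[principal] = apis
    return result
```

Super users configured on the broker bypass ACL checks entirely and never appear in such a listing, so a principal absent from this summary can still manage ACLs through that route.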