[ https://issues.apache.org/jira/browse/KAFKA-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ismael Juma reopened KAFKA-5336:
--------------------------------

> ListGroup requires Describe on Cluster, but the command-line AclCommand tool does not allow this to be set
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-5336
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5336
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.1
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>
> The {{ListGroup}} API authorizes requests with _Describe_ access to the
> cluster resource:
> {code}
>   def handleListGroupsRequest(request: RequestChannel.Request) {
>     if (!authorize(request.session, Describe, Resource.ClusterResource)) {
>       sendResponseMaybeThrottle(request, requestThrottleMs =>
>         ListGroupsResponse.fromError(requestThrottleMs,
>           Errors.CLUSTER_AUTHORIZATION_FAILED))
>     } else {
>       ...
> {code}
> However, the list of operations (or permissions) allowed for the cluster
> resource does not include _Describe_:
> {code}
>   val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
>     ...
>     Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs,
>       IdempotentWrite, All),
>     ...
>   )
> {code}
> Only a user with _All_ cluster permission can successfully call the
> {{ListGroup}} API. No other permission (not even any combination that does
> not include _All_) would let a user use this API.
> The bug could be as simple as a typo in the API handler. Though it's not
> obvious what actual permission was meant to be used there (perhaps
> _DescribeConfigs_?)

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
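
The mismatch described in the issue, modelled as an added example (not Kafka code and not part of the original message): it cross-checks the operation a handler requires against the operations that can be granted on the resource, and enumerates the smallest ACL sets that pass. The operation names come from the issue; the function names and the "exact match or All" authorization semantics are assumptions of this sketch.

```python
from itertools import combinations

# Valid operations for the cluster resource, copied from the issue text.
# Other resource types are elided ("...") in the issue and are not modelled.
VALID_OPS = {
    "Cluster": frozenset({"Create", "ClusterAction", "DescribeConfigs",
                          "AlterConfigs", "IdempotentWrite", "All"}),
}

# Operation each handler checks: (resource type, operation).
# Only ListGroups is taken from the issue.
HANDLER_REQUIRES = {"ListGroups": ("Cluster", "Describe")}


def grantable(resource_type, op):
    """Would ACL validation accept `op` on `resource_type`?"""
    return op in VALID_OPS[resource_type]


def authorize(granted, required):
    """Assumed semantics: exact match, or the wildcard All."""
    return required in granted or "All" in granted


def minimal_grants(resource_type, required):
    """Smallest grantable ACL sets that satisfy `required`."""
    ops = sorted(VALID_OPS[resource_type])
    passing = [frozenset(c) for n in range(1, len(ops) + 1)
               for c in combinations(ops, n) if authorize(c, required)]
    # Keep only sets with no proper subset that also passes.
    return sorted(sorted(g) for g in passing
                  if not any(p < g for p in passing))


def ungrantable_requirements(handlers=HANDLER_REQUIRES):
    """Handlers whose required operation cannot be granted explicitly."""
    return [(name, rtype, op)
            for name, (rtype, op) in sorted(handlers.items())
            if not grantable(rtype, op)]


if __name__ == "__main__":
    for name, rtype, op in ungrantable_requirements():
        print(f"{name}: requires {op} on {rtype}; minimal grants:",
              minimal_grants(rtype, op))
```

Running the same audit with DescribeConfigs as the required operation (the alternative the reporter suggests) shows a least-privilege grant becomes possible without All.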