Vahid Hashemian created KAFKA-5638:
--------------------------------------
Summary: Inconsistency in consumer group related ACLs
Key: KAFKA-5638
URL: https://issues.apache.org/jira/browse/KAFKA-5638
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 0.11.0.0
Reporter: Vahid Hashemian
Assignee: Vahid Hashemian
Priority: Minor
Users can see all groups in the cluster (using consumer group’s {{--list}}
option) provided that they have {{Describe}} access to the cluster. It would
make more sense to modify that experience and limit what is listed in the
output to only those groups they have {{Describe}} access to. The reason is,
almost everything else is accessible by a user only if the access is
specifically granted (through ACL {{--add}}); and this scenario should not be
an exception. The potential change would be updating the minimum required
permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe (Group)}}.
We can also look at this issue from a different angle: A user with {{Read}}
access to a group can describe the group, but the same user would not see
anything when listing groups (assuming there is no {{Describe}} access to the
cluster). It makes more sense for this user to be able to list all groups s/he
can already describe.
It would be great to know if any user is relying on the existing behavior
(listing all consumer groups using a {{Describe (Cluster)}} ACL.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
