Vahid Hashemian created KAFKA-5638: -------------------------------------- Summary: Inconsistency in consumer group related ACLs Key: KAFKA-5638 URL: https://issues.apache.org/jira/browse/KAFKA-5638 Project: Kafka Issue Type: Bug Components: security Affects Versions: 0.11.0.0 Reporter: Vahid Hashemian Assignee: Vahid Hashemian Priority: Minor
Users can see all groups in the cluster (using consumer group’s {{--list}} option) provided that they have {{Describe}} access to the cluster. It would make more sense to modify that experience and limit what is listed in the output to only those groups they have {{Describe}} access to. The reason is, almost everything else is accessible by a user only if the access is specifically granted (through ACL {{--add}}); and this scenario should not be an exception. The potential change would be updating the minimum required permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe (Group)}}. We can also look at this issue from a different angle: A user with {{Read}} access to a group can describe the group, but the same user would not see anything when listing groups (assuming there is no {{Describe}} access to the cluster). It makes more sense for this user to be able to list all groups s/he can already describe. It would be great to know if any user is relying on the existing behavior (listing all consumer groups using a {{Describe (Cluster)}} ACL. -- This message was sent by Atlassian JIRA (v6.4.14#64029)