[
https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16113333#comment-16113333
]
Vahid Hashemian edited comment on KAFKA-5638 at 8/3/17 7:50 PM:
----------------------------------------------------------------
The current usage is probably not incorrect, because the implication you
mentioned makes sense. However, it is inconsistent. I also don't know of any
other inferred permission like this one. That's the reason I raised the issue.
Unless there is a big push back, I would like to take the KIP approach and fix
this inconsistency by dropping the {{Describe(Cluster)}} check from the API and
introducing a {{Describe(Group)}} permission requirement. If there is push
back, we can do the latter only and implement what you suggested above. If you
are okay with this approach I'll start drafting the KIP.
was (Author: vahid):
The current usage is probably not incorrect, because the implication you
mentioned makes sense. However, it is inconsistent. I also don't know of any
other inferred permission like this one. That's the reason I raised the issue.
Unless there is a big push back, I would like to take the KIP approach and fix
this inconsistency by dropping the {{Describe(Cluster)}} check from the API and
introducing a {{Describe(Group)}} group requirement. If there is push back, we
can do the latter only and implement what you suggested above. If you are okay
with this approach I'll start drafting the KIP.
> Inconsistency in consumer group related ACLs
> --------------------------------------------
>
> Key: KAFKA-5638
> URL: https://issues.apache.org/jira/browse/KAFKA-5638
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.11.0.0
> Reporter: Vahid Hashemian
> Assignee: Vahid Hashemian
> Priority: Minor
> Labels: needs-kip
>
> Users can see all groups in the cluster (using consumer group’s {{--list}}
> option) provided that they have {{Describe}} access to the cluster. It would
> make more sense to modify that experience and limit what is listed in the
> output to only those groups they have {{Describe}} access to. The reason is,
> almost everything else is accessible by a user only if the access is
> specifically granted (through ACL {{--add}}); and this scenario should not be
> an exception. The potential change would be updating the minimum required
> permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe
> (Group)}}.
> We can also look at this issue from a different angle: A user with {{Read}}
> access to a group can describe the group, but the same user would not see
> anything when listing groups (assuming there is no {{Describe}} access to the
> cluster). It makes more sense for this user to be able to list all groups
> s/he can already describe.
> It would be great to know if any user is relying on the existing behavior
> (listing all consumer groups using a {{Describe (Cluster)}} ACL).
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
