[ https://issues.apache.org/jira/browse/KAFKA-5638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vahid Hashemian updated KAFKA-5638: ----------------------------------- Labels: kip (was: needs-kip) > Inconsistency in consumer group related ACLs > -------------------------------------------- > > Key: KAFKA-5638 > URL: https://issues.apache.org/jira/browse/KAFKA-5638 > Project: Kafka > Issue Type: Bug > Components: security > Affects Versions: 0.11.0.0 > Reporter: Vahid Hashemian > Assignee: Vahid Hashemian > Priority: Minor > Labels: kip > > Users can see all groups in the cluster (using consumer group’s {{--list}} > option) provided that they have {{Describe}} access to the cluster. It would > make more sense to modify that experience and limit what is listed in the > output to only those groups they have {{Describe}} access to. The reason is, > almost everything else is accessible by a user only if the access is > specifically granted (through ACL {{--add}}); and this scenario should not be > an exception. The potential change would be updating the minimum required > permission of {{ListGroup}} from {{Describe (Cluster)}} to {{Describe > (Group)}}. > We can also look at this issue from a different angle: A user with {{Read}} > access to a group can describe the group, but the same user would not see > anything when listing groups (assuming there is no {{Describe}} access to the > cluster). It makes more sense for this user to be able to list all groups > s/he can already describe. > It would be great to know if any user is relying on the existing behavior > (listing all consumer groups using a {{Describe (Cluster)}} ACL). -- This message was sent by Atlassian JIRA (v6.4.14#64029)