[ https://issues.apache.org/jira/browse/KAFKA-13300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415352#comment-17415352 ]
Manikumar commented on KAFKA-13300:
-----------------------------------

kafka-acls.sh command {{"--add"}} option is for adding an acl and {{"--remove"}} is to remove an existing acl. Consuming from a group without read permission should fail unless we configure {{"allow.everyone.if.no.acl.found=true"}}.

https://kafka.apache.org/documentation/#security_authz

I am not able to reproduce the issue. Can you attach the {{server.properties}} file and steps to reproduce the issue?

> Kafka ACL Restriction Group Is not being applied
> ------------------------------------------------
>
>                 Key: KAFKA-13300
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13300
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.6.2
>            Reporter: Adriano Jesus
>            Priority: Minor
>
> Hi,
> I am creating a KAFKA ACL with a fake group restriction as above:
>
> {code:java}
> ./kafka-acls.sh \
>   --authorizer-properties zookeeper.connect=$ZOOKEEPER \
>   --remove --allow-principal User:'Kafka-tools' \
>   --consumer --group fake-group \
>   --topic delete-me-2
> {code}
>
> When I try to consume a message with the same user, 'Kafka-tools', and with
> another group I am still able to consume the messages:
> {code:java}
> ./kafka-console-consumer.sh --bootstrap-server=$KAFKA --topic delete-me-2 \
>   --consumer.config user-auth.properties --from-beginning --group teste
> {code}
> According to documentation this property can be used as consumer group
> ([https://docs.confluent.io/platform/current/kafka/authorization.html]):
> "*Group*
> Groups in the brokers. All protocol calls that work with groups, such as
> joining a group, must have corresponding privileges with the group in the
> subject. Group ({{group.id}}) can mean Consumer Group, Stream Group
> ({{application.id}}), Connect Worker Group, or any other group that uses the
> Consumer Group protocol, like Schema Registry cluster."
>
> I did another test adding a consumer ACL permission with this command:
> {code:java}
> ./kafka-acls.sh \
>   --authorizer-properties zookeeper.connect=$ZOOKEEPER \
>   --add --allow-principal User:'Kafka-tools' \
>   --consumer --group fake-group \
>   --topic delete-me-2
> {code}
> After that I removed the ACL authorization to READ operation for Group
> resource. I tried again to consume from this topic. And still being able to
> consume message from this topic even though without READ group permission.
> Maybe my interpretation is wrong. But it seems that Kafka ACL is validating
> the group permissions.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
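The rule stated in the comment above (a consume without group READ fails unless {{allow.everyone.if.no.acl.found=true}}), as an added example: a simplified Python model written for this page, not Kafka's authorizer code and not part of the original thread. Host matching is omitted, and the names `Acl`, `authorize`, `consumer_acls` and `can_consume` are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    resource_type: str  # "Topic" or "Group"
    pattern_type: str   # "LITERAL" or "PREFIXED"
    name: str           # resource name; literal "*" covers every resource
    principal: str      # e.g. "User:Kafka-tools"; "User:*" covers everyone
    operation: str      # "Read", "Describe", "All", ...
    permission: str     # "Allow" or "Deny"

# An Allow for any of these operations also grants Describe.
IMPLIES_DESCRIBE = {"Describe", "Read", "Write", "Delete", "Alter"}

def authorize(acls, principal, operation, resource_type, name,
              allow_everyone_if_no_acl_found=False, super_users=()):
    if principal in super_users:
        return True
    # Every ACL bound to this resource, whoever the principal is.
    bound = [a for a in acls if a.resource_type == resource_type and (
        (a.pattern_type == "LITERAL" and a.name in (name, "*"))
        or (a.pattern_type == "PREFIXED" and name.startswith(a.name)))]
    if not bound:  # the only case the broker setting affects
        return allow_everyone_if_no_acl_found
    def hit(permission, operations):
        return any(a.permission == permission
                   and a.principal in (principal, "User:*")
                   and (a.operation == "All" or a.operation in operations)
                   for a in bound)

    if hit("Deny", {operation}):
        return False  # Deny wins over Allow
    return hit("Allow", IMPLIES_DESCRIBE if operation == "Describe" else {operation})

def consumer_acls(principal, topic, group):
    # What "--add --consumer" generates: Read+Describe on topic, Read on group.
    return [Acl("Topic", "LITERAL", topic, principal, "Read", "Allow"),
            Acl("Topic", "LITERAL", topic, principal, "Describe", "Allow"),
            Acl("Group", "LITERAL", group, principal, "Read", "Allow")]

def can_consume(acls, principal, topic, group, **broker):
    # A group consumer needs Read on the topic and Read on its group.
    return (authorize(acls, principal, "Read", "Topic", topic, **broker)
            and authorize(acls, principal, "Read", "Group", group, **broker))

if __name__ == "__main__":
    acls = consumer_acls("User:Kafka-tools", "delete-me-2", "fake-group")  # constructed from the report
    for group in ("fake-group", "teste"):
        print(group, can_consume(acls, "User:Kafka-tools", "delete-me-2", group))
```

In this model a principal listed in `super_users` passes every check, so a client that authenticates as a super user would consume regardless of the group ACLs.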