[
https://issues.apache.org/jira/browse/KAFKA-13300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415352#comment-17415352
]
Manikumar edited comment on KAFKA-13300 at 9/15/21, 7:28 AM:
-------------------------------------------------------------
kafka-acls.sh command {{"-add"}} option is for adding an acl and {{"-remove"}}
is to remove an existing acl. Consuming from a group without read permission
should fail unless we configure {{"allow.everyone.if.no.acl.found=true"}}
[https://kafka.apache.org/documentation/#security_authz]
I am not able to reproduce the issue. Can you attach the {{server.properties}}
file and steps to reproduce the issue?
was (Author: omkreddy):
kafka-acls.sh command {{"--add"}} option is for adding an acl and
{{"--remove"}} is to remove an existing acl.
Consuming from a group without read permission should fail unless we configure
{{"allow.everyone.if.no.acl.found=true"}}
https://kafka.apache.org/documentation/#security_authz
I am not able to reproduce the issue. Can you attach the {{server.properties}}
file and steps to reproduce the issue?
> Kafka ACL Restriction Group Is not being applied
> ------------------------------------------------
>
> Key: KAFKA-13300
> URL: https://issues.apache.org/jira/browse/KAFKA-13300
> Project: Kafka
> Issue Type: Bug
> Affects Versions: 2.6.2
> Reporter: Adriano Jesus
> Priority: Minor
>
> Hi,
> I am creating a KAFKA ACL with a fake group restriction as above:
>
> {code:java}
> ./kafka-acls.sh \
> --authorizer-properties zookeeper.connect=$ZOOKEEPER \
> --remove --allow-principal User:'Kafka-tools' \
> --consumer --group fake-group \
> --topic delete-me-2
> {code}
>
> When I try to consume a message with the same user, 'Kafka-tools', and with
> another group I am still able to consume the messages:
> {code:java}
> ./kafka-console-consumer.sh --bootstrap-server=$KAFKA --topic delete-me-2 \
> --consumer.config user-auth.properties --from-beginning --group teste
> {code}
> According to documentation this property can be used as consumer group
> (https://docs.confluent.io/platform/current/kafka/authorization.html):
> "*Group*
> Groups in the brokers. All protocol calls that work with groups, such as
> joining a group, must have corresponding privileges with the group in the
> subject. Group ({{group.id}}) can mean Consumer Group, Stream Group
> ({{application.id}}), Connect Worker Group, or any other group that uses the
> Consumer Group protocol, like Schema Registry cluster."
> I did another test adding a consumer act permission with this command:
> {code:java}
> ./kafka-acls.sh \
> --authorizer-properties zookeeper.connect=$ZOOKEEPER \
> --add --allow-principal User:'Kafka-tools' \
> --consumer --group fake-group \
> --topic delete-me-2
> {code}
> After that I removed the ACL authorization for the READ operation on the Group
> resource. I tried again to consume from this topic, and I am still able to
> consume messages from this topic even without READ group permission.
> Maybe my interpretation is wrong. But it seems that Kafka ACL is validating
> the group permissions.
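The decision the comment above describes, as an added example (not part of the Jira thread and not Kafka's own code): a simplified Python model of ACL evaluation showing how `allow.everyone.if.no.acl.found` settles the outcome for a group that has no ACL. The function names and the sample ACL set are assumptions, built from the ticket's principal, topic and group names; prefixed resource patterns are not modelled.

```python
# Added illustration: a simplified model, not Kafka's authorizer code.
from dataclasses import dataclass

@dataclass(frozen=True)
class Acl:
    principal: str
    permission: str      # "Allow" or "Deny"
    operation: str       # "Read", "Describe", ... or "All"
    resource_type: str   # "Topic" or "Group"
    resource_name: str   # literal name, or "*" for every name

def authorize(acls, principal, operation, rtype, rname,
              allow_if_no_acl=False, super_users=()):
    """Decide one request; prefixed resource patterns are not modelled."""
    if principal in super_users:
        return True
    on_resource = [a for a in acls if a.resource_type == rtype
                   and a.resource_name in (rname, "*")]
    if not on_resource:
        # No ACL at all on this resource: the broker default decides.
        return allow_if_no_acl

    def hit(acl, permission):
        return (acl.permission == permission
                and acl.principal in (principal, "User:*")
                and acl.operation in (operation, "All"))

    if any(hit(a, "Deny") for a in on_resource):
        return False
    return any(hit(a, "Allow") for a in on_resource)

def can_consume(acls, principal, topic, group, **broker):
    """A consumer needs Read on the topic and Read on its group."""
    return (authorize(acls, principal, "Read", "Topic", topic, **broker)
            and authorize(acls, principal, "Read", "Group", group, **broker))

# Constructed sample: the ACLs "--add --consumer" creates for the ticket's names.
USER = "User:Kafka-tools"
TOPIC_ACLS = [Acl(USER, "Allow", op, "Topic", "delete-me-2")
              for op in ("Read", "Describe")]
GROUP_ACL = Acl(USER, "Allow", "Read", "Group", "fake-group")

if __name__ == "__main__":
    for flag in (False, True):
        for acls, label in ((TOPIC_ACLS + [GROUP_ACL], "group ACL present"),
                            (TOPIC_ACLS, "group ACL removed")):
            for group in ("fake-group", "teste"):
                ok = can_consume(acls, USER, "delete-me-2", group, allow_if_no_acl=flag)
                print(f"allow.everyone.if.no.acl.found={flag} {label} group={group}: {ok}")
```

In this model the flag only affects resources that carry no ACL at all, so a principal without a matching entry is still denied on `delete-me-2` once any ACL exists for that topic.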