[ 
https://issues.apache.org/jira/browse/KAFKA-13300?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17415352#comment-17415352
 ] 

Manikumar edited comment on KAFKA-13300 at 9/15/21, 7:28 AM:
-------------------------------------------------------------

kafka-acls.sh command {{"-add"}} option is for adding an acl and {{"-remove"}} 
is to remove an existing acl. Consuming from a group without read permission 
should fail unless we configure {{"allow.everyone.if.no.acl.found=true"}}
 [https://kafka.apache.org/documentation/#security_authz]

I am not able to reproduce the issue. Can you attach the {{server.properties}} 
file and steps to reproduce the issue?


was (Author: omkreddy):
kafka-acls.sh command {{"--add"}} option is for adding an acl and 
{{"--remove"}} is to remove an existing acl. 
 Consuming from a group without read permission should fail unless we configure 
{{"allow.everyone.if.no.acl.found=true"}}
 https://kafka.apache.org/documentation/#security_authz
 
 I am not able to reproduce the issue. Can you attach the {{server.properties}} 
file and steps to reproduce the issue?

> Kafka ACL Restriction Group Is not being applied
> ------------------------------------------------
>
>                 Key: KAFKA-13300
>                 URL: https://issues.apache.org/jira/browse/KAFKA-13300
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.6.2
>            Reporter: Adriano Jesus
>            Priority: Minor
>
> Hi,
> I am creating a KAFKA ACL with a fake group restriction as above:
>  
> {code:java}
> ./kafka-acls.sh \
>     --authorizer-properties zookeeper.connect=$ZOOKEEPER \
>     --remove --allow-principal User:'Kafka-tools' \
>     --consumer  --group fake-group \
>     --topic delete-me-2
> {code}
>  
> When I try to consume a message with the same user, 'Kafka-tools', and with 
> another group I am still able to consume the messages:
> {code:java}
> // ./kafka-console-consumer.sh --bootstrap-server=$KAFKA --topic delete-me-2 --consumer.config user-auth.properties --from-beginning --group teste
> {code}
> According to documentation this property can be used as consumer group 
> (https://docs.confluent.io/platform/current/kafka/authorization.html):
> "*Group*
> Groups in the brokers. All protocol calls that work with groups, such as 
> joining a group, must have corresponding privileges with the group in the 
> subject. Group ({{group.id}}) can mean Consumer Group, Stream Group 
> ({{application.id}}), Connect Worker Group, or any other group that uses the 
> Consumer Group protocol, like Schema Registry cluster."
> I did another test adding a consumer ACL permission with this command:
> {code:java}
> ./kafka-acls.sh \
>     --authorizer-properties zookeeper.connect=$ZOOKEEPER \
>     --add --allow-principal User:'Kafka-tools' \
>     --consumer  --group fake-group \
>     --topic delete-me-2
> {code}
> After that I removed the ACL authorization for the READ operation on the 
> Group resource. I tried again to consume from this topic, and I am still able 
> to consume messages from it even without READ group permission.
> Maybe my interpretation is wrong, but it seems that Kafka ACL is validating 
> the group permissions.



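The comment above ties the outcome to the broker's {{server.properties}}. As an added example (not part of the Jira thread or the Kafka project), this shell function reads such a file and reports which broker setting would let a consumer pass without a Group READ ACL. The verdict names and the sample file are constructed for illustration; {{authorizer.class.name}} and {{super.users}} are Kafka broker settings that the thread itself does not mention.

```shell
#!/bin/sh
# Added example: triage a broker's server.properties for ACL enforcement.
# Verdict strings are hypothetical labels, not Kafka output.

# prop FILE KEY -> value of the last uncommented "KEY=value" line (empty if unset)
prop() {
  key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" |
    tail -n 1 | sed 's/[[:space:]]*$//'
}

# acl_enforcement FILE PRINCIPAL -> prints one verdict word
acl_enforcement() {
  authorizer=$(prop "$1" authorizer.class.name)
  supers=$(prop "$1" super.users)
  open=$(prop "$1" allow.everyone.if.no.acl.found | tr 'A-Z' 'a-z')
  if [ -z "$authorizer" ]; then
    # kafka-acls.sh can still write ACLs to ZooKeeper, but the broker
    # performs no authorization without an authorizer configured.
    echo "no-authorizer"
  elif printf '%s\n' "$supers" | tr ';' '\n' |
       sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -qxF "$2"; then
    # super.users is a semicolon-separated list; these principals skip ACL checks.
    echo "super-user"
  elif [ "$open" = "true" ]; then
    # A resource with no ACLs at all (e.g. a group whose only ACL was
    # removed) is open to everyone under this setting.
    echo "open-when-no-acl"
  else
    # Consuming without Group READ should be denied.
    echo "enforced"
  fi
}

# Constructed sample, not the reporter's file.
sample=$(mktemp)
printf '%s\n' \
  'authorizer.class.name=kafka.security.authorizer.AclAuthorizer' \
  'super.users=User:admin;User:broker' \
  'allow.everyone.if.no.acl.found=true' > "$sample"
acl_enforcement "$sample" 'User:Kafka-tools'
rm -f "$sample"
```

Any verdict other than {{enforced}} names a broker setting to rule out before treating the behaviour as an authorizer bug.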