I have been playing around with ACLs and was hoping to limit access to a topic and consumer group by IP, but was unable to get it working. Basically, I was able to Read from a topic as a consumer group that was not allowed.
KIP-11 has the following line about consumer groups: In order to consume from a topic using the new consumer API, the principal will need: READ on TOPIC and READ on CONSUMER-GROUP. This tipped me off that the ACL may only work with the new consumer API, which I was not using. Sure enough, using the new consumer API denied my access by consumer group until I added an appropriate ACL. Is there some way to disable the old consumer API in Kafka? I see the inter.broker.protocol.version directive, but nothing about clients. Will there ever be support for group ACLs with the old consumer API? Without some way to disable the old consumer from being used, the consumer group ACLs are effectively useless as of version 0.9.0.1.
