...

As I was experimenting with the ACLs for this KIP I made some observations that made me wonder about the rationale behind the current ACL settings, and whether they need adjustments too:

  • Users can see all groups in the cluster (using consumer group’s --list option) provided that they have Describe access to the cluster. Would it make sense to modify that experience and limit what is listed in the output to only those groups they have Describe access to? The reason is, almost anything else is accessible by a user only if the access is specifically granted (through ACL --add); and this scenario should not be an exception. The potential change would be updating the minimum required permission of ListGroup from Describe (Cluster) to Describe (Group), which means the implementation of KafkaApis.handleListGroupsRequest would change from

    def handleListGroupsRequest(request: RequestChannel.Request) {
      if (!authorize(request.session, Describe, Resource.ClusterResource)) {
        sendResponseMaybeThrottle(request, requestThrottleMs =>
          ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
      } else {
        val (error, groups) = groupCoordinator.handleListGroups()
        val allGroups = groups.map { group => new ListGroupsResponse.Group(group.groupId, group.protocolType) }
        sendResponseMaybeThrottle(request, requestThrottleMs =>
          new ListGroupsResponse(requestThrottleMs, error, allGroups.asJava))
      }
    }

    to something like this:

    def handleListGroupsRequest(request: RequestChannel.Request) {
      val (error, groups) = groupCoordinator.handleListGroups()
      val allGroups = groups.filter { group => authorize(request.session, Describe, new Resource(Group, group.groupId)) }
                            .map { group => new ListGroupsResponse.Group(group.groupId, group.protocolType) }
      sendResponseMaybeThrottle(request, requestThrottleMs =>
        new ListGroupsResponse(requestThrottleMs, error, allGroups.asJava))
    }

    We can also look at this issue from a different angle: A user with Read access to a group can describe the group, but the same user would not see anything when listing groups unless s/he has Describe access to the cluster. It makes more sense for this user to be able to list all groups s/he can already describe.
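The following is an added illustration, not code from the KIP or from Kafka itself: a small Python model of the two authorization policies above, run against a constructed ACL table. The ACL store, the `Op`/`ResourceType` enums, the principal names and the group names are all assumptions made for this example; the one rule borrowed from Kafka is that Describe on a resource is implied by Read (and by Write, Delete and Alter), which is what lets a user with only Read on a group describe it.

```python
from dataclasses import dataclass
from enum import Enum, auto


class Op(Enum):
    DESCRIBE = auto()
    READ = auto()
    WRITE = auto()
    DELETE = auto()
    ALTER = auto()


class ResourceType(Enum):
    CLUSTER = auto()
    GROUP = auto()


@dataclass(frozen=True)
class Resource:
    rtype: ResourceType
    name: str


CLUSTER = Resource(ResourceType.CLUSTER, "kafka-cluster")

# Operations whose grant also satisfies a Describe check on the same resource
# (mirrors the implied-Describe rule in Kafka's ACL authorizer).
IMPLIES_DESCRIBE = {Op.READ, Op.WRITE, Op.DELETE, Op.ALTER}


class Acls:
    """Allow-only ACL table: a set of (principal, operation, resource)."""

    def __init__(self, allow):
        self._allow = set(allow)

    def authorize(self, principal, op, resource):
        if (principal, op, resource) in self._allow:
            return True
        if op is Op.DESCRIBE:
            return any((principal, o, resource) in self._allow for o in IMPLIES_DESCRIBE)
        return False


def list_groups_cluster_gate(acls, principal, all_groups):
    """Current behaviour: one Describe(Cluster) check, then every group is returned."""
    if not acls.authorize(principal, Op.DESCRIBE, CLUSTER):
        return "CLUSTER_AUTHORIZATION_FAILED", []
    return "NONE", list(all_groups)


def list_groups_per_group(acls, principal, all_groups):
    """Proposed behaviour: no cluster gate; keep only groups the caller may Describe."""
    visible = [g for g in all_groups
               if acls.authorize(principal, Op.DESCRIBE, Resource(ResourceType.GROUP, g))]
    return "NONE", visible


# Constructed sample data: three groups and two principals.
GROUPS = ["analytics", "billing", "audit"]
SAMPLE_ACLS = Acls({
    ("User:alice", Op.DESCRIBE, CLUSTER),                            # cluster-wide Describe only
    ("User:bob", Op.READ, Resource(ResourceType.GROUP, "billing")),  # Read on one group, nothing on the cluster
})


def compare_policies(acls=SAMPLE_ACLS, groups=GROUPS):
    """Return {principal: (current_result, proposed_result)} for both sample principals."""
    return {
        p: (list_groups_cluster_gate(acls, p, groups), list_groups_per_group(acls, p, groups))
        for p in ("User:alice", "User:bob")
    }


if __name__ == "__main__":
    for principal, (current, proposed) in compare_policies().items():
        print(f"{principal}: current={current} proposed={proposed}")
```

Running it shows the asymmetry the text describes: bob can describe `billing` through his Read grant, yet today's cluster gate rejects his ListGroups call outright, while the per-group filter returns exactly `["billing"]`. It also makes the other side of the change visible: alice, who holds only Describe on the cluster and no group ACLs, lists every group today but none under the per-group filter, which is the consequence an operator should expect before changing the minimum required permission.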


Compatibility, Deprecation, and Migration Plan

...