Adriano Jesus created KAFKA-13300:
-------------------------------------
Summary: Kafka ACL Restriction Group Is not being applied
Key: KAFKA-13300
URL: https://issues.apache.org/jira/browse/KAFKA-13300
Project: Kafka
Issue Type: Bug
Affects Versions: 2.6.2
Reporter: Adriano Jesus
Hi,
I am creating a KAFKA ACL with a fake group restriction as above:
{code:java}
./kafka-acls.sh \
--authorizer-properties zookeeper.connect=$ZOOKEEPER \
--remove --allow-principal User:'Kafka-tools' \
--consumer --group fake-group \
--topic delete-me-2
{code}
When I try to consume a message with the same user, 'Kafka-tools', and with
another group I am still able to consume the messages:
{code:java}
./kafka-console-consumer.sh --bootstrap-server=$KAFKA --topic delete-me-2 \
--consumer.config user-auth.properties --from-beginning --group teste
{code}
According to documentation this property can be used as consumer group
(https://docs.confluent.io/platform/current/kafka/authorization.html):
"*Group*
Groups in the brokers. All protocol calls that work with groups, such as
joining a group, must have corresponding privileges with the group in the
subject. Group ({{group.id}}) can mean Consumer Group, Stream Group
({{application.id}}), Connect Worker Group, or any other group that uses the
Consumer Group protocol, like Schema Registry cluster."
I did another test adding a consumer ACL permission with this command:
{code:java}
./kafka-acls.sh \
--authorizer-properties zookeeper.connect=$ZOOKEEPER \
--add --allow-principal User:'Kafka-tools' \
--consumer --group fake-group \
--topic delete-me-2
{code}
After that I removed the ACL authorization for the READ operation on the Group
resource. I tried again to consume from this topic, and I am still able to
consume messages from this topic even without READ group permission.
Maybe my interpretation is wrong. But it seems that Kafka ACL is validating the
group permissions.