Andrew Schofield created KAFKA-20144:
----------------------------------------

Summary: Authority for LIST_CONFIG_RESOURCES should be dependent upon resource type
Key: KAFKA-20144
URL: https://issues.apache.org/jira/browse/KAFKA-20144
Project: Kafka
Issue Type: Improvement
Affects Versions: 4.1.0, 4.2.0
Reporter: Andrew Schofield
Assignee: Chia-Ping Tsai

KIP-1142 introduced the LIST_CONFIG_RESOURCES RPC as a way of listing Kafka
resources for which configuration properties can be described. It built upon
KIP-1000 which was specifically concerned with client-metrics resources.
Unfortunately, this RPC requires DESCRIBE_CONFIGS permission on the cluster
resource for all resource types. This has the side-effect that you need
different permission to list groups (DESCRIBE on CLUSTER) than to list which
groups have configs (DESCRIBE_CONFIGS on CLUSTER). This is an unintentional
anomaly which leads to incomplete results for the kafka-configs.sh tool for
users who only have DESCRIBE authority.

We need a KIP to examine the permissions required for each of the resource
types and ensure that there are no such anomalies. Requiring DESCRIBE_CONFIGS
on the CLUSTER to list client-metrics resources is fine, but it should probably
be DESCRIBE on the CLUSTER to list the groups with configs (and then
DESCRIBE_CONFIGS on the individual groups to describe the actual configs).
Similarly, we should make sure that the behavior for topics and so on is
sensible.
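
An added example, not part of the original issue or of Kafka's code: a check over a constructed list of ACL bindings on the CLUSTER resource that finds principals holding DESCRIBE but not DESCRIBE_CONFIGS, the users the issue says get incomplete kafka-configs.sh results. The binding format, principal names and function names are assumptions; hosts, super users and allow.everyone.if.no.acl.found are ignored.

```python
# Constructed model of Kafka ACL evaluation, narrowed to the CLUSTER resource.
# Operation names follow Kafka's AclOperation; the bindings are sample data.

# An ALLOW for the key operation also grants the operations in the value set.
IMPLIES = {
    "READ": {"DESCRIBE"}, "WRITE": {"DESCRIBE"}, "DELETE": {"DESCRIBE"},
    "ALTER": {"DESCRIBE"}, "ALTER_CONFIGS": {"DESCRIBE_CONFIGS"},
}

def allowed(bindings, principal, operation):
    """True if `principal` may perform `operation` on CLUSTER; DENY wins."""
    mine = [b for b in bindings if b["principal"] in (principal, "User:*")]
    # A DENY matches only the exact operation or ALL (no implications).
    if any(b["permission"] == "DENY" and b["operation"] in ("ALL", operation)
           for b in mine):
        return False
    for b in mine:
        if b["permission"] != "ALLOW":
            continue
        if b["operation"] in ("ALL", operation):
            return True
        if operation in IMPLIES.get(b["operation"], ()):
            return True
    return False

def affected_principals(bindings):
    """Principals that can list groups (DESCRIBE on CLUSTER) but fail the
    DESCRIBE_CONFIGS check that LIST_CONFIG_RESOURCES applies to every type."""
    principals = sorted({b["principal"] for b in bindings})
    return [p for p in principals
            if allowed(bindings, p, "DESCRIBE")
            and not allowed(bindings, p, "DESCRIBE_CONFIGS")]

def acl(principal, operation, permission="ALLOW"):
    return {"principal": principal, "operation": operation, "permission": permission}

SAMPLE_BINDINGS = [  # constructed sample, all on the CLUSTER resource
    acl("User:ops", "DESCRIBE"),
    acl("User:admin", "ALL"),
    acl("User:tuner", "ALTER_CONFIGS"),   # implies DESCRIBE_CONFIGS only
    acl("User:auditor", "ALTER"),         # implies DESCRIBE only
    acl("User:locked", "DESCRIBE"),
    acl("User:locked", "DESCRIBE_CONFIGS"),
    acl("User:locked", "DESCRIBE_CONFIGS", "DENY"),
]

if __name__ == "__main__":
    print(affected_principals(SAMPLE_BINDINGS))
```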