The Kafka Connect documentation don't seem to specify what Kafka permissions are required for the Connect workers, leaving users to figure out the required permissions when provisioning Connect in secured clusters.
There is a table in the Connect User Guide for enabling Exactly-Once Support [1] that lists required permissions and the reasons they're needed (but only for the additional ACLs needed to enable EOS). I propose adding a similar section for Kafka Connect in general, documenting the minimum ACLs required by the Connect worker (e.g. for internal topics, group membership, etc.), adopting the same format to explain why each permission is needed. This would help users create appropriate credentials for Connect without having to infer permissions from error messages. Would this be a welcome docs improvement? If there are no objections, I’m happy to open a Jira issue for this and draft a proposal. D -- dalelane.co.uk [1] - https://kafka.apache.org/42/kafka-connect/user-guide/#acl-requirements
