Vahid Hashemian created KAFKA-5336:
--------------------------------------

Summary: The required ACL permission for ListGroup is invalid
Key: KAFKA-5336
URL: https://issues.apache.org/jira/browse/KAFKA-5336
Project: Kafka
Issue Type: Bug
Components: security
Affects Versions: 0.10.2.1
Reporter: Vahid Hashemian
Assignee: Vahid Hashemian
Priority: Minor

The {{ListGroup}} API authorizes requests with _Describe_ access to the cluster resource:

{code}
def handleListGroupsRequest(request: RequestChannel.Request) {
  if (!authorize(request.session, Describe, Resource.ClusterResource)) {
    sendResponseMaybeThrottle(request, requestThrottleMs =>
      ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
  } else {
    ...
{code}

However, the list of operations (or permissions) allowed for the cluster resource does not include _Describe_:

{code}
val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
  ...
  Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
  ...
)
{code}

Only a user with _All_ cluster permission can successfully call the {{ListGroup}} API. No other permission (not even any combination that does not include _All_) would let a user use this API.

The bug could be as simple as a typo in the API handler. Though it's not obvious what actual permission was meant to be used there (perhaps _DescribeConfigs_?)

--
This message was sent by Atlassian JIRA (v6.3.15#6346)
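
The mismatch reported above, as an added Python model that is not part of the original message and is not Kafka code: it cross-checks what a handler requires against what can be granted, then lists which grantable cluster operations actually unlock the call. The table contents come from the report; the function names, the `User:alice` principal, the rejection of invalid grants, and the rule that _All_ matches any operation are assumptions of this sketch.

```python
# Model of the mismatch in KAFKA-5336 (illustrative; not Kafka code).
# The Cluster operation set is copied from the report; entries the report
# elides with "..." are left out.
VALID_OPERATIONS = {
    "Cluster": {"Create", "ClusterAction", "DescribeConfigs",
                "AlterConfigs", "IdempotentWrite", "All"},
}

# What each handler demands, per the report: ListGroups -> Describe on Cluster.
HANDLER_REQUIREMENTS = {
    "ListGroups": ("Cluster", "Describe"),
}


def grant(acls, principal, resource_type, operation):
    """Add an ACL; reject operations not valid for the resource type (assumed)."""
    if operation not in VALID_OPERATIONS[resource_type]:
        raise ValueError(f"{operation} is not a valid operation for {resource_type}")
    acls.add((principal, resource_type, operation))


def authorize(acls, principal, resource_type, operation):
    """Allow when the principal holds the exact operation or All (assumed)."""
    return any((principal, resource_type, op) in acls for op in (operation, "All"))


def ungrantable_requirements():
    """Return handlers whose required operation can never be granted directly."""
    return sorted(api for api, (rtype, op) in HANDLER_REQUIREMENTS.items()
                  if op not in VALID_OPERATIONS[rtype])


def operations_unlocking(api):
    """Return every grantable operation that lets a principal call `api`."""
    rtype, required = HANDLER_REQUIREMENTS[api]
    unlocking = []
    for op in sorted(VALID_OPERATIONS[rtype]):
        acls = set()
        grant(acls, "User:alice", rtype, op)  # constructed principal
        if authorize(acls, "User:alice", rtype, required):
            unlocking.append(op)
    return unlocking


if __name__ == "__main__":
    print("handlers with ungrantable requirements:", ungrantable_requirements())
    print("operations that unlock ListGroups:", operations_unlocking("ListGroups"))
```

A check like `ungrantable_requirements()` run over every handler's required operation would flag this class of bug before release, since the only workaround it leaves operators is granting _All_ on the cluster.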