Hello Folks, I'm encountering a challenge with Kafka ACLs related to "Alter Cluster" privileges. Currently, granting "Alter Cluster" allows users to manage their ACLs, as it inherits CREATE_ACLS and DELETE_ACLS. However, users can also add ClusterAction and AlterConfigs permissions on the "Cluster" resource, which we want to restrict because it could enable them to modify broker configurations. I'm exploring two potential solutions and would appreciate guidance:

1. PolicyViolationException: Is it possible to leverage PolicyViolationException to block users from adding ClusterAction or AlterConfigs on the "Cluster" resource?

2. Custom Authorizer: Alternatively, can we modify the Kafka source code to implement a custom authorizer? For instance, tweaking the StandardAuthorizer <https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizer.java> to explicitly reject these operations. Below is an example of how this might look:

    import java.util.ArrayList;
    import java.util.List;

    import org.apache.kafka.common.acl.AclOperation;
    import org.apache.kafka.server.authorizer.Action;
    import org.apache.kafka.server.authorizer.AuthorizableRequestContext;
    import org.apache.kafka.server.authorizer.AuthorizationResult;

    // Method inside StandardAuthorizer (modified copy)
    @Override
    public List<AuthorizationResult> authorize(
            AuthorizableRequestContext requestContext,
            List<Action> actions) {
        List<AuthorizationResult> results = new ArrayList<>(actions.size());
        StandardAuthorizerData curData = data;
        for (Action action : actions) {
            // Reject AlterConfigs and ClusterAction explicitly
            if (action.operation() == AclOperation.ALTER_CONFIGS ||
                    action.operation() == AclOperation.CLUSTER_ACTION) {
                results.add(AuthorizationResult.DENIED);
            } else {
                // Default authorization logic
                AuthorizationResult result = curData.authorize(requestContext, action);
                results.add(result);
            }
        }
        return results;
    }

Both solutions are theoretical at this point, and I haven't implemented them yet. Could someone provide insights into the feasibility of these approaches or suggest a better alternative?

Thanks in advance!
Bharath
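
Added example, not part of the original message or of Kafka's code: a detection-side audit that parses ACL listings and reports which principals hold ClusterAction or AlterConfigs on the Cluster resource, plus which ones hold Alter there and could therefore grant those to themselves. The listing format is assumed to match `kafka-acls.sh --list` output; the sample data, principal names and function names are constructed for illustration.

```python
import re

# Constructed sample, assumed to follow `kafka-acls.sh --list` output; principals are made up.
SAMPLE = """\
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
 \t(principal=User:tenant-a, host=*, operation=ALTER, permissionType=ALLOW)
 \t(principal=User:tenant-a, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
 \t(principal=User:tenant-b, host=*, operation=ALTER, permissionType=ALLOW)
 \t(principal=User:broker, host=*, operation=CLUSTER_ACTION, permissionType=ALLOW)
 \t(principal=User:tenant-c, host=*, operation=CLUSTER_ACTION, permissionType=DENY)

Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=orders, patternType=LITERAL)`:
 \t(principal=User:tenant-b, host=*, operation=ALTER_CONFIGS, permissionType=ALLOW)
"""

RESOURCE = re.compile(r"resourceType=(\w+), name=([^,]+), patternType=(\w+)")
ENTRY = re.compile(r"principal=([^,]+), host=([^,]+), operation=(\w+), permissionType=(\w+)")
RESTRICTED = {"CLUSTER_ACTION", "ALTER_CONFIGS", "ALL"}  # ALL implies both

def parse_acls(text):
    """Yield (resource_type, principal, operation, permission) per ACL entry."""
    resource_type = None
    for line in text.splitlines():
        header = RESOURCE.search(line)
        if header:
            resource_type = header.group(1)
            continue
        entry = ENTRY.search(line)
        if entry and resource_type:
            principal, _host, operation, permission = entry.groups()
            yield resource_type, principal, operation, permission

def audit_cluster_acls(text, trusted=frozenset()):
    """Return (violations, acl_managers) for ALLOW bindings on the Cluster resource."""
    violations, acl_managers = [], set()
    for rtype, principal, op, perm in parse_acls(text):
        if rtype != "CLUSTER" or perm != "ALLOW" or principal in trusted:
            continue
        if op in RESTRICTED:
            violations.append((principal, op))  # already holds a restricted grant
        if op in ("ALTER", "ALL"):
            acl_managers.add(principal)  # can create/delete ACLs, so can self-grant
    return sorted(violations), sorted(acl_managers)

if __name__ == "__main__":
    bad, managers = audit_cluster_acls(SAMPLE, trusted={"User:broker"})
    print("restricted grants on Cluster:", bad)
    print("principals able to manage ACLs:", managers)
```
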