[
https://issues.apache.org/jira/browse/KAFKA-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colin P. McCabe resolved KAFKA-5336.
------------------------------------
Resolution: Duplicate
Fix Version/s: 0.11.0.0
KAFKA-5292 in 0.11 added {{Describe}} as a valid operation on {{Cluster}}
> The required ACL permission for ListGroup is invalid
> ----------------------------------------------------
>
> Key: KAFKA-5336
> URL: https://issues.apache.org/jira/browse/KAFKA-5336
> Project: Kafka
> Issue Type: Bug
> Components: security
> Affects Versions: 0.10.2.1
> Reporter: Vahid Hashemian
> Assignee: Vahid Hashemian
> Priority: Minor
> Fix For: 0.11.0.0
>
>
> The {{ListGroup}} API authorizes requests with _Describe_ access to the
> cluster resource:
> {code}
> def handleListGroupsRequest(request: RequestChannel.Request) {
> if (!authorize(request.session, Describe, Resource.ClusterResource)) {
> sendResponseMaybeThrottle(request, requestThrottleMs =>
> ListGroupsResponse.fromError(requestThrottleMs,
> Errors.CLUSTER_AUTHORIZATION_FAILED))
> } else {
> ...
> {code}
> However, the list of operations (or permissions) allowed for the cluster
> resource does not include _Describe_:
> {code}
> val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
> ...
> Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs,
> IdempotentWrite, All),
> ...
> )
> {code}
> Only a user with _All_ cluster permission can successfully call the
> {{ListGroup}} API. No other permission (not even any combination that does
> not include _All_) would let user use this API.
> The bug could be as simple as a typo in the API handler. Though it's not
> obvious what actual permission was meant to be used there (perhaps
> _DescribeConfigs_?)
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
