[ https://issues.apache.org/jira/browse/KAFKA-5336?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colin P. McCabe updated KAFKA-5336:
-----------------------------------
    Summary: ListGroup requires Describe on Cluster, but the command-line AclCommand tool does not allow this to be set  (was: The required ACL permission for ListGroup is invalid)

> ListGroup requires Describe on Cluster, but the command-line AclCommand tool does not allow this to be set
> ----------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-5336
>                 URL: https://issues.apache.org/jira/browse/KAFKA-5336
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.10.2.1
>            Reporter: Vahid Hashemian
>            Assignee: Vahid Hashemian
>            Priority: Minor
>             Fix For: 0.11.0.0
>
>
> The {{ListGroup}} API authorizes requests with _Describe_ access to the cluster resource:
> {code}
>   def handleListGroupsRequest(request: RequestChannel.Request) {
>     if (!authorize(request.session, Describe, Resource.ClusterResource)) {
>       sendResponseMaybeThrottle(request, requestThrottleMs =>
>         ListGroupsResponse.fromError(requestThrottleMs, Errors.CLUSTER_AUTHORIZATION_FAILED))
>     } else {
>       ...
> {code}
> However, the list of operations (or permissions) allowed for the cluster resource does not include _Describe_:
> {code}
>   val ResourceTypeToValidOperations = Map[ResourceType, Set[Operation]] (
>     ...
>     Cluster -> Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All),
>     ...
>   )
> {code}
> Only a user with _All_ cluster permission can successfully call the {{ListGroup}} API. No other permission (not even any combination that does not include _All_) would let a user use this API.
> The bug could be as simple as a typo in the API handler, though it's not obvious what actual permission was meant to be used there (perhaps _DescribeConfigs_?).

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
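
The authorization gap described in the issue above, as an added Scala model that is not Kafka source code and not part of the original message. The operation names and the Cluster entry are copied from the issue; `validClusterOps`, `grant` and `authorize` are simplified stand-ins assumed for illustration.

```scala
// Added model, not Kafka source. Operation names and the Cluster entry come from
// the issue text; the grant/authorize helpers are simplified assumptions.
object ListGroupAclModel {
  sealed trait Operation
  case object Describe extends Operation
  case object Create extends Operation
  case object ClusterAction extends Operation
  case object DescribeConfigs extends Operation
  case object AlterConfigs extends Operation
  case object IdempotentWrite extends Operation
  case object All extends Operation

  // Cluster entry of ResourceTypeToValidOperations as quoted in the issue.
  val validClusterOps: Set[Operation] =
    Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, All)

  // Stand-in for the tool-side validation: only listed operations may be granted.
  def grant(ops: Set[Operation]): Either[String, Set[Operation]] = {
    val invalid = ops -- validClusterOps
    if (invalid.nonEmpty) Left(s"not valid for Cluster: ${invalid.mkString(", ")}")
    else Right(ops)
  }

  // Stand-in for the broker-side check: the exact operation or All must be granted.
  def authorize(granted: Set[Operation], required: Operation): Boolean =
    granted.contains(required) || granted.contains(All)

  def main(args: Array[String]): Unit = {
    // The permission the ListGroup handler checks cannot be granted directly.
    println(grant(Set(Describe)))

    // Every grantable combination, split by whether ListGroup would be authorized.
    val (allowed, denied) =
      validClusterOps.subsets().filter(_.nonEmpty).toList
        .partition(acl => authorize(acl, Describe))
    println(s"${allowed.size} combinations pass, ${denied.size} fail")
    println(s"every passing combination contains All: ${allowed.forall(_.contains(All))}")
  }
}
```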