Hari Sekhon created RANGER-2488:
-----------------------------------
Summary: Ranger Kafka list consumer groups permission
Key: RANGER-2488
URL: https://issues.apache.org/jira/browse/RANGER-2488
Project: Ranger
Issue Type: Bug
Components: plugins, Ranger
Affects Versions: 0.7.0
Environment: HDP 2.6.5 + Kerberos
Reporter: Hari Sekhon
In a kerberized environment, Kafka client is unable to list consumer groups to
iterate over if the user only have describe permission on their own topics
rather than on all topics.
{code:java}
/usr/hdp/current/kafka-broker/bin/kafka-consumer-groups.sh --list
--bootstrap-server <fqdn>{code}
It ends up with a blank output instead of the list of consumer groups.
If you then grant Describe permission to all topics, that command then gives
you a list of consumer groups as expected.
I believe Kafka permissions have been improved to be more granular in
KAFKA-6058.
Ranger needs to be updated to reflect these more granular Kafka permissions.
Interestingly after revoking all permissions to topics from my user I was still
able to list the offsets for a known consumer group.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
