AndrewJSchofield commented on code in PR #19077:
URL: https://github.com/apache/kafka/pull/19077#discussion_r1981043279


##########
docs/security.html:
##########
@@ -1248,11 +1248,15 @@ <h3 class="anchor-heading"><a id="security_authz" 
class="anchor-link"></a><a hre
     Kafka ACLs are defined in the general format of "Principal {P} is 
[Allowed|Denied] Operation {O} From Host {H} on any Resource {R} matching 
ResourcePattern {RP}".
     You can read more about the ACL structure in <a 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface";>KIP-11</a>
 and
     resource patterns in <a 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-290%3A+Support+for+Prefixed+ACLs";>KIP-290</a>.
-    In order to add, remove, or list ACLs, you can use the Kafka ACL CLI 
<code>kafka-acls.sh</code>. By default, if no ResourcePatterns match a specific 
Resource R,
-    then R has no associated ACLs, and therefore no one other than super users 
is allowed to access R.
-    If you want to change that behavior, you can include the following in 
server.properties.
+    In order to add, remove, or list ACLs, you can use the Kafka ACL CLI 
<code>kafka-acls.sh</code>. 
+    <h5>Default Behavior Without ACLs:</h5>
+    <p>If a resource (R) does not have any ACLs defined—that is, if no ACL 
matches the resource—Kafka will restrict access to that resource. In this 
situation, only super users are allowed to access it.
+    </p>
+    <h5>Changing the Default Behavior:</h5>
+    <p>If you prefer that resources without any ACLs be accessible by all 
users (instead of just super users), you can change the default behavior. To do 
this, add the following line to your server.properties file:</p>
     <pre><code 
class="language-text">allow.everyone.if.no.acl.found=true</code></pre>
-    One can also add super users in server.properties like the following (note 
that the delimiter is semicolon since SSL user names may contain comma). 
Default PrincipalType string "User" is case sensitive.
+    With this setting enabled, if a resource does not have any ACLs defined, 
Kafka will allow access to everyone. If a resource has one or more ACLs 
defined, those ACL rules will be enforced as usual, regardless of the setting.

Review Comment:
   nit: The use of `<p>` and `</p>` around the preformatted blocks is not 
entirely consistent.



##########
docs/security.html:
##########
@@ -1248,11 +1248,15 @@ <h3 class="anchor-heading"><a id="security_authz" 
class="anchor-link"></a><a hre
     Kafka ACLs are defined in the general format of "Principal {P} is 
[Allowed|Denied] Operation {O} From Host {H} on any Resource {R} matching 
ResourcePattern {RP}".
     You can read more about the ACL structure in <a 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface";>KIP-11</a>
 and
     resource patterns in <a 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-290%3A+Support+for+Prefixed+ACLs";>KIP-290</a>.
-    In order to add, remove, or list ACLs, you can use the Kafka ACL CLI 
<code>kafka-acls.sh</code>. By default, if no ResourcePatterns match a specific 
Resource R,
-    then R has no associated ACLs, and therefore no one other than super users 
is allowed to access R.
-    If you want to change that behavior, you can include the following in 
server.properties.
+    In order to add, remove, or list ACLs, you can use the Kafka ACL CLI 
<code>kafka-acls.sh</code>. 
+    <h5>Default Behavior Without ACLs:</h5>
+    <p>If a resource (R) does not have any ACLs defined—that is, if no ACL 
matches the resource—Kafka will restrict access to that resource. In this 
situation, only super users are allowed to access it.
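
Review bot: In the added "Default Behavior Without ACLs" paragraph, "does not have any ACLs defined" is looser than the removed wording "if no ResourcePatterns match a specific Resource R". The context lines above link to KIP-290 for resource patterns, so the condition that matters is whether any ACL's pattern matches the resource, not whether an ACL is defined on it by name; suggest leading with the matching condition, for example "If no ACL resource pattern matches a resource, only super users are allowed to access it". The "(R)" label is also introduced here but not used again in the visible lines, so it can be dropped.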

Review Comment:
   nit: `defined-that` and `resource-Kafka` look like hyphenated words. You 
perhaps want `&mdash;` instead of `-`, so `resource &mdash; Kafka`. Personally, 
I would rewrite like this:
   
   `If a resource (R) does not have any ACLs defined, meaning that no ACL 
matches the resource, Kafka will restrict`...


