lucasbru commented on code in PR #19799:
URL: https://github.com/apache/kafka/pull/19799#discussion_r2123158533


##########
docs/streams/developer-guide/security.html:
##########
@@ -137,7 +138,49 @@
 [...snip...]
 Caused by: java.security.UnrecoverableKeyException: Password verification 
failed</code></pre>
             <p>Monitor your Kafka Streams application log files for such error 
messages to spot any misconfigured applications quickly.</p>
-</div>
+        </div>
+        <div class="section" id="streams-rpc-acls">
+            <span 
id="streams-developer-guide-security-rpc-acls"></span><h2>Required ACLs for 
Streams RPCs<a class="headerlink" href="#streams-rpc-acls" title="Permalink to 
this headline"></a></h2>
+            <p>Kafka Streams uses several RPCs (Remote Procedure Calls) for 
its internal coordination and state management. The following ACLs are required 
for these RPCs to function properly:</p>
+
+            <h3>Streams Group Protocol RPCs</h3>
+            <p>For the Streams group protocol (introduced in <a 
class="reference external" 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol";>KIP-1071</a>),
 the following ACLs are required:</p>
+            <pre><code class="language-bash"># Allow Streams clients to send 
heartbeats to the group coordinator
+kafka-acls --bootstrap-server &lt;bootstrap_servers&gt; \
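
Review bot: The introductory paragraph under the new h2 says Kafka Streams "uses several RPCs" but never names them, and the first command's comment speaks only of heartbeats, so a reader cannot tell which request each ACL is meant to authorize. Suggest naming each RPC next to the resource and operation it needs, so operators can grant only what the application requires.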

Review Comment:
   What's kafka_internal_streams_group_coordinator_topic here?



##########
docs/streams/developer-guide/security.html:
##########
@@ -137,7 +138,49 @@
 [...snip...]
 Caused by: java.security.UnrecoverableKeyException: Password verification 
failed</code></pre>
             <p>Monitor your Kafka Streams application log files for such error 
messages to spot any misconfigured applications quickly.</p>
-</div>
+        </div>
+        <div class="section" id="streams-rpc-acls">
+            <span 
id="streams-developer-guide-security-rpc-acls"></span><h2>Required ACLs for 
Streams RPCs<a class="headerlink" href="#streams-rpc-acls" title="Permalink to 
this headline"></a></h2>
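
Review bot: The `-</div>` / `+        </div>` pair at the top of the hunk is a whitespace-only change to the close of the preceding section; keep it only if it matches the indentation used elsewhere in the file, otherwise drop it so the diff contains just the new section. The new section also carries two anchors, `id="streams-rpc-acls"` on the div and `id="streams-developer-guide-security-rpc-acls"` on the span, so any link added to this section should target one of them consistently.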

Review Comment:
   Probably should mention streams rebalance protocol in the header.



##########
docs/streams/developer-guide/security.html:
##########
@@ -137,7 +138,49 @@
 [...snip...]
 Caused by: java.security.UnrecoverableKeyException: Password verification 
failed</code></pre>
             <p>Monitor your Kafka Streams application log files for such error 
messages to spot any misconfigured applications quickly.</p>
-</div>
+        </div>
+        <div class="section" id="streams-rpc-acls">
+            <span 
id="streams-developer-guide-security-rpc-acls"></span><h2>Required ACLs for 
Streams RPCs<a class="headerlink" href="#streams-rpc-acls" title="Permalink to 
this headline"></a></h2>
+            <p>Kafka Streams uses several RPCs (Remote Procedure Calls) for 
its internal coordination and state management. The following ACLs are required 
for these RPCs to function properly:</p>
+
+            <h3>Streams Group Protocol RPCs</h3>
+            <p>For the Streams group protocol (introduced in <a 
class="reference external" 
href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol";>KIP-1071</a>),
 the following ACLs are required:</p>
+            <pre><code class="language-bash"># Allow Streams clients to send 
heartbeats to the group coordinator
+kafka-acls --bootstrap-server &lt;bootstrap_servers&gt; \
+    --add --allow-principal User:&lt;streams_app_principal&gt; \
+    --operation WRITE \
+    --topic &lt;kafka_internal_streams_group_coordinator_topic&gt; \
+    --resource-pattern-type PREFIXED
+
+# Allow Streams clients to read from the group metadata topic
+kafka-acls --bootstrap-server &lt;bootstrap_servers&gt; \
+    --add --allow-principal User:&lt;streams_app_principal&gt; \
+    --operation READ \
+    --topic &lt;kafka_internal_streams_group_metadata_topic&gt; \
+    --resource-pattern-type PREFIXED
+
+# Allow Streams clients to describe groups
+kafka-acls --bootstrap-server &lt;bootstrap_servers&gt; \
+    --add --allow-principal User:&lt;streams_app_principal&gt; \
+    --operation DESCRIBE \
+    --group &lt;application.id&gt; \
+    --resource-pattern-type PREFIXED</code></pre>
+
+            <p>Replace <code>&lt;bootstrap_servers&gt;</code> with your Kafka 
brokers, <code>&lt;streams_app_principal&gt;</code> with the principal of your 
Streams application, and <code>&lt;application.id&gt;</code> with your Streams 
application ID.</p>
+
+            <h3>Interactive Queries RPCs</h3>
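
Review bot: All three commands pass `--resource-pattern-type PREFIXED`, including the one on `--group` with the application.id placeholder, so each grant covers every topic or group whose name starts with the given value, not only this application's own resources. Where the exact name is known, as with the group named after application.id, a LITERAL pattern is the narrower grant; if PREFIXED is intended, the text should say why. The "Replace ..." paragraph also leaves the kafka_internal_streams_group_coordinator_topic and kafka_internal_streams_group_metadata_topic placeholders unexplained, and the first comment describes sending heartbeats while the command grants WRITE on a topic, which needs a sentence connecting the two.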

Review Comment:
   I'm not sure this section is correct. Could you explain in more detail what 
you mean by rest_api_principle? Would the REST API even directly interact with 
Kafka?


