lucasbru commented on code in PR #20084: URL: https://github.com/apache/kafka/pull/20084#discussion_r2190511770
########## docs/streams/developer-guide/security.html: ########## @@ -70,6 +70,58 @@ the ACL set so that the application has the permissions to create, read and write <a class="reference internal" href="manage-topics.html#streams-developer-guide-topics-internal"><span class="std std-ref">internal topics</span></a>.</p> + <div class="admonition note"> + <p class="first admonition-title">Note</p> + <p class="last">Starting with <a class="reference external" href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol">KIP-1071</a>, additional ACLs are required for the new Streams rebalance protocol:</p> + </div> + + <table border="1" class="docutils"> + <colgroup> + <col width="25%"> + <col width="15%"> + <col width="20%"> + <col width="40%"> + </colgroup> + <thead valign="bottom"> + <tr class="row-odd"><th class="head">Operation (API)</th> + <th class="head">Permission</th> + <th class="head">Resource</th> + <th class="head">Notes</th> + </tr> + </thead> + <tbody valign="top"> + <tr class="row-even"> + <td>STREAMS_GROUP_HEARTBEAT</td> + <td>Read</td> + <td>Group</td> + <td>Required for the application's consumer group (<code>${application.id}</code>)</td> + </tr> + <tr class="row-odd"> + <td>STREAMS_GROUP_HEARTBEAT</td> + <td>DescribeConfigs</td> Review Comment: DESCRIBE, not DESCRIBE_CONFIGS ########## docs/streams/developer-guide/security.html: ########## 
@@ -88,6 +140,23 @@ (see <a class="reference external" href="https://cwiki.apache.org/confluence/x/zlOHB">KIP-277</a> and <a class="reference external" href="https://cwiki.apache.org/confluence/x/QpvLB">KIP-290</a> for details). </p> + <div class="admonition best-practice"> + <p class="first admonition-title">Best Practice</p> + <p class="last">For secure Streams deployments: + <ul class="simple"> + <li><strong>Pre-create internal topics</strong> to avoid requiring <code>CREATE</code> permissions</li> + <li>Grant <strong>minimal required permissions</strong>: + <ul> + <li><code>READ</code> on group <code>${application.id}</code></li> + <li><code>DESCRIBE_CONFIGS</code> on topics</li> Review Comment: The KIP wasn't quite up-to-date. We require DESCRIBE on all topics involved in the group topology ########## docs/streams/developer-guide/security.html: ########## @@ -70,6 +70,58 @@ the ACL set so that the application has the permissions to create, read and write <a class="reference internal" href="manage-topics.html#streams-developer-guide-topics-internal"><span class="std std-ref">internal topics</span></a>.</p> + <div class="admonition note"> + <p class="first admonition-title">Note</p> + <p class="last">Starting with <a class="reference external" href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol">KIP-1071</a>, additional ACLs are required for the new Streams rebalance protocol:</p> Review Comment: We need to state that this only applies when `group.protocol=streams` is set in the configuration. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
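Review bot: in hunk `@@ -70,6 +70,58 @@`, the second STREAMS_GROUP_HEARTBEAT row grants `DescribeConfigs`, but the correction given in this thread is that the heartbeat needs `DESCRIBE` (not `DESCRIBE_CONFIGS`); the cell should be changed accordingly. The same hunk also spells operations as `Read`/`DescribeConfigs` while the later best-practice list uses `READ`/`DESCRIBE_CONFIGS`; pick one form for both additions so readers can match the table against `kafka-acls` output without guessing. Finally, the admonition text "additional ACLs are required for the new Streams rebalance protocol" should say this applies only when `group.protocol=streams` is configured, otherwise operators on the classic protocol will over-provision ACLs they do not need.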
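Review bot: in hunk `@@ -88,6 +140,23 @@`, the `<ul class="simple">` is opened inside `<p class="last">For secure Streams deployments:`, which is not valid HTML (a `<p>` cannot contain a `<ul>`; browsers implicitly close the paragraph before the list, so the `last` styling lands on an empty paragraph). Close the `</p>` after the colon and place the `<ul>` as a sibling. The bullet `<code>DESCRIBE_CONFIGS</code> on topics` also contradicts the correction earlier in this thread; per the reviewer it should read `DESCRIBE` on all topics involved in the group topology, and the list should state that these minimal permissions apply when `group.protocol=streams` is set. "Pre-create internal topics to avoid requiring CREATE permissions" is sound least-privilege advice, but the unchanged context at the top of the file notes the application must still read and write internal topics, so the bullet should make clear that pre-creation removes only `CREATE`, not the read/write ACLs on those topics.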