THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- Users can see all groups in the cluster (using consumer group’s
--listoption) provided that they have Describe access to the cluster. Would it make sense to modify that experience and limit what is listed in the output to only those groups they have Describe access to? The reason is, almost anything else is accessible by a user only if the access is specifically granted (through ACL--add); and this scenario should not be an exception. The potential change would be updating the minimum required permission ofListGroupfrom Describe (Cluster) to Describe (Group).
We can also look at this from a different angle: A user with Read access to a group can describe the group, but the same user would not see anything when listing groups unless s/he has Describe access to the cluster. It makes more sense for this user to be able to list all groups s/he can describe.
Compatibility, Deprecation, and Migration Plan
...