THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
- As long as a user has a Describe (Cluster) ACL permission s/he can list all groups in the cluster. This exposes a security risk: either a user cannot list consumer groups in the cluster or s/he can list all of them. Listing all groups is reasonable for a cluster administrator, but for other users what they can list should be limited to what they need to list.
- A user with Read access to a group can describe the group, but the same user would not see anything when listing groups (assuming there is no Describe access to the cluster). It makes more sense for this user to be able to list all groups s/he can already describe.
This would change the ACL requirements for ListGroups row API in the table above (to return meaningful data) to Describe (Cluster) or Describe (Group). Not having any of these ACLs would still not cause any authorization error, but there will be no group in the response either.
API | Minimum Required Permission |
|---|---|
ListGroups | Describe (Cluster) or Describe (Group) |
...