Table of Contents |
---|
Status
Current state: Accepted
Under Discussion thread: here
Discussion Vote thread: here and here
JIRA:
Jira | ||||||||
---|---|---|---|---|---|---|---|---|
|
Released: 2.1.0
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
API | Minimum Required Permission |
---|---|
ListGroups | Describe (Cluster) or Describe (Group) |
Proposed Changes
The change proposed by this KIP is simple. An alternative ACL will be added as the minimum required permission of the ListGroups API: Describe (Cluster) would still work as before. However, a Describe (Group) ACL is added which gives users the ability to list groups they have this ACL on. The minimum required permissions are hard-coded in kafka.server.KafkaApis.scala
inside each API handler method. For example, the part that enforces the minimum required permission for the ListGroups
API currently looks like this:
...
- Changing the minimum required ACL for
ListGroups
API from Describe (Cluster) to Describe (Group). This would have made it difficult or even impossible to get a listing of also work provided that cluster admins are given a wild card describe group permission so they can list all groups in the cluster, something that cluster admins should be able to easily perform. However, for the sake of backward compatibility the preference was given to the alternative, which preserves the describe cluster permission.