Versions Compared

Old Version 7

changes.mady.by.user Vahid Hashemian

Saved on

compared with

New Version Current

changes.mady.by.user Ewen Cheslack-Postava

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Status

Current state:  "Under Discussion" Accepted

Discussion thread: here

JIRA:

Jira
serverASF JIRA
columnskey,summary,type,created,updated,due,assignee,reporter,priority,status,resolution
serverId5aa69414-a9e9-3523-82ec-879b028fb15b
keyKAFKA-4585

Released: 1.0.0

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

The other, and perhaps more compelling, incentive for this change is that the current ACL settings breaks a certain functionality (and this functionality seems to have been broken for a while). As mentioned in the above table the minimum required permission for DescribeGroup and OffsetFetch is Describe and Read, respectively. But implementation of the describe group command line makes use of OffsetFetch API (version 0 and 1 pre-KIP-88, and version 2 post-KIP-88). Therefore, a user who is granted the current minimum requirement permission Describe for DescribeGroup still would not be able to run the describe group command and get the expected result. They would see something like this in the output:

...

 If we make the change suggested belowin the next section, the command runs successfully and reports the group offsets.

The following potential unit tests in scala.integration.kafka.api.AuthorizerIntegrationTest could further clarify the problem. 

Code Block
languagescala
// this test is to clarify that the issue exists for the consumer group command line only, and not the API
@Test
def testDescribeGroupApiWithGroupDescribe() {
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Describe)), groupResource)
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Describe)), topicResource)
  AdminClient.createSimplePlaintext(brokerList).describeConsumerGroup(group)
}

// this test highlights the issue with command line, where the supposedly sufficient 'Describe' access is not enough to run the command
@Test(expected = classOf[GroupAuthorizationException])
def testDescribeGroupCliWithGroupDescribe() {
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Describe)), groupResource)
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Describe)), topicResource)

  val cgcArgs = Array("--bootstrap-server", brokerList, "--describe", "--group", group)
  val opts = new ConsumerGroupCommandOptions(cgcArgs)
  val consumerGroupService = new KafkaConsumerGroupService(opts)
  consumerGroupService.describeGroup()
}

// this test confirms that a minimum of 'Read' access is required to successfully run the command
@Test
def testDescribeGroupCliWithGroupRead() {
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Read)), groupResource)
  addAndVerifyAcls(Set(new Acl(KafkaPrincipal.ANONYMOUS, Allow, Acl.WildCardHost, Describe)), topicResource)

  val cgcArgs = Array("--bootstrap-server", brokerList, "--describe", "--group", group)
  val opts = new ConsumerGroupCommandOptions(cgcArgs)
  val consumerGroupService = new KafkaConsumerGroupService(opts)
  consumerGroupService.describeGroup()
}

Proposed Changes

The change proposed by this KIP is very simple: to lower the minimum required permission of the OffsetFetch API from Read to Describe. These minimum required permissions are hard-coded in kafka.server.KafkaApis.scala inside each API handler method. For example, the part that enforces the minimum required permission for the OffsetFetch API currently looks like this:

...

Code Block
languagescala
if (!authorize(request.session, Describe, new Resource(Group, offsetFetchRequest.groupId))) 
          offsetFetchRequest.getErrorResponse(requestThrottleMs, Errors.GROUP_AUTHORIZATION_FAILED)

 

Additional Food for Thought

As I was experimenting with the ACLs for this KIP I made some observations that made me wonder about the rationale behind their current ACL settings; and whether they need adjustments too: 

...

)

...

Compatibility, Deprecation, and Migration Plan
  • A user that already has Read permission to a consumer group, with this change, would still be able to query the group like before (Read implies Describe). For this user the change is backward compatible.
  • Consider a user with Describe access. The group Describe access implies access to DescribeGroup and FindCoordinator APIs; even though this user cannot make use of DescribeGroup, as explained above. Giving this user access to OffsetFetch API means fixing that broken experience.
In general, As a result of this change, Kafka admins may need to revisit the relevant ACLs and update them if necessary. 
Rejected Alternatives