kafka-users mailing list archives

From Adam Bellemare <adam.bellem...@gmail.com>
Subject Re: ACL for group creation?
Date Wed, 21 Aug 2019 19:04:53 GMT
+users mailing list

David,

I don't think I really understand your email. Are you saying that this can
already be achieved only using the READ ACL?

Thanks
Adam



On Wed, Aug 21, 2019 at 3:58 AM David Jacot <djacot@confluent.io> wrote:

> Hello,
>
> It would be better to ask such a question on the user mailing list.
>
> The reason is that the group is created automatically when a consumer
> joins it. It is not created explicitly so it can be restricted.
>
> In your case, you could set up an ACL to authorize the application to only
> use the group you have defined. It would prevent the application from
> creating new groups. (READ ACL on Group resource with a specific name).
>
> Best,
> David
>
> On Mon, Aug 19, 2019 at 9:01 PM Adam Bellemare <adam.bellemare@gmail.com>
> wrote:
>
> > Hi All
> >
> > I am looking through the Confluent docs and core Kafka docs and don't see
> > an ACL for group creation:
> > https://docs.confluent.io/current/kafka/authorization.html#acl-format
> > and
> > https://kafka.apache.org/documentation/#security_authz
> >
> > My scenario is simple: We use the consumer group as the means of
> > identifying a single application, including tooling for managing
> > application resets, offset management, lag monitoring, etc. We often have
> > situations where someone resets their consumer group by appending an
> > incremented integer ("cg" to "cg1"), but it throws the rest of the
> > monitoring and management tooling out of whack.
> >
> > Is there a reason why we do not have ACL-based CREATE restrictions to a
> > particular consumer group? I am willing to do the work to implement this
> > and test it out, but I wanted to validate that there isn't a reason I am
> > missing.
> >
> > Thanks
> > Adam
> >
>
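
The restriction discussed in this thread, as an added example that is not part of the original messages and is not Kafka source code: a simplified model of how a broker's ACL check treats a READ ACL on a named group, showing why the pattern type matters for the "cg" to "cg1" case. The principal `User:orders-app` is constructed, and the `allow_if_no_acl` parameter is an assumption standing in for the broker setting `allow.everyone.if.no.acl.found`.

```python
# Simplified model of group authorization in Kafka (illustrative, not broker code).
from dataclasses import dataclass

@dataclass(frozen=True)
class GroupAcl:
    principal: str                 # e.g. "User:orders-app" (constructed)
    operation: str                 # joining or committing to a group needs READ
    name: str                      # group name, or "*" for any group
    pattern_type: str = "LITERAL"  # or "PREFIXED"
    permission: str = "ALLOW"      # or "DENY"

    def covers(self, group):
        """Does this ACL's resource pattern match the group id?"""
        if self.pattern_type == "PREFIXED":
            return group.startswith(self.name)
        return self.name in (group, "*")

    def applies_to(self, principal, operation):
        return (self.principal in (principal, "User:*")
                and self.operation in (operation, "ALL"))

def may_use_group(acls, principal, group, allow_if_no_acl=False):
    """True if `principal` is authorized for READ on `group`."""
    on_group = [a for a in acls if a.covers(group)]
    if not on_group:
        # No ACL exists for this resource at all: the broker default decides.
        return allow_if_no_acl
    hits = [a for a in on_group if a.applies_to(principal, "READ")]
    if any(a.permission == "DENY" for a in hits):
        return False               # DENY takes precedence over ALLOW
    return any(a.permission == "ALLOW" for a in hits)

APP = "User:orders-app"                                # constructed principal
LITERAL = [GroupAcl(APP, "READ", "cg")]                # exact group name only
PREFIXED = [GroupAcl(APP, "READ", "cg", "PREFIXED")]   # any group starting "cg"

def demo():
    return {
        "literal acl, group cg": may_use_group(LITERAL, APP, "cg"),
        "literal acl, group cg1": may_use_group(LITERAL, APP, "cg1"),
        "prefixed acl, group cg1": may_use_group(PREFIXED, APP, "cg1"),
        "literal acl, group cg1, allow-if-no-acl": may_use_group(
            LITERAL, APP, "cg1", allow_if_no_acl=True),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'allowed' if allowed else 'denied'}")
```

Only the literal ACL with the no-ACL default left off blocks the renamed group; a prefixed pattern or a permissive default lets "cg1" through.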
