RBAC for ACL Management #288
Comments
Hi joelpavlovsky! 👋 Welcome, and thank you for opening your first issue in the repo! Please wait for triaging by our maintainers. As development is carried out in our spare time, you can support us by sponsoring our activities or even funding the development of specific issues. If you plan to raise a PR for this issue, please take a look at our contributing guide.
Hi, this is not possible mainly because custom ACL types (or presets) exist only as a convenience feature, and they're indistinguishable from the other ACL records once they've been created in ZooKeeper.
Thank you for your response. The issue arises when a user only has permissions as a cluster reader, restricting them from altering cluster settings or configurations, thereby unable to "destroy" the cluster. However, in cases where I granted permissions for the client to create or edit ACLs, they can create a custom ACL with cluster alter configurations, potentially leading to unintended actions or mistakes. My suggestion is to introduce an option to conceal the "custom ACL" feature, allowing users to only assign producer or consumer ACLs. This enhancement would provide added protection for the client, enabling them to implement only essential ACLs, such as producer or consumer permissions.
Issue submitter TODO list
Is your proposal related to a problem?
Today we can set the ACL RBAC action only for view & edit, and we don't have the option to set the value or some specific ACL action (e.g. ACL type, Resource type).
Describe the feature you're interested in
We need the ability to set actions & values for each RBAC role and ACL resource/type
Resource type
actions:
view
edit
delete
custom_acl
producer_acl
consumer_acl
stream_acl
value: (for custom_acl, edit & view, filter by resource type)
TOPIC
GROUP
CLUSTER
TRANSACTIONAL_ID
DELEGATION_TOKEN
USER
For Example:
Describe alternatives you've considered
No response
Version you're running
v1.0.0
Additional context
No response
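One way the restriction requested in this issue could be evaluated when an ACL is created, as an added example that is not part of the thread or the project's code. The role layout (`actions`, `custom_types`), the `check_create` function and the two roles are hypothetical, and the preset shapes are assumptions modeled on the `kafka-acls` `--producer` / `--consumer` options.

```python
# Added example: role layout, names and preset shapes are assumptions.
# Preset shapes as (resource type, operation) pairs, modeled on the
# kafka-acls --producer / --consumer options; a UI's presets may differ.
PRESETS = {
    "producer_acl": {("TOPIC", "WRITE"), ("TOPIC", "DESCRIBE"), ("TOPIC", "CREATE")},
    "consumer_acl": {("TOPIC", "READ"), ("TOPIC", "DESCRIBE"), ("GROUP", "READ")},
}

# Hypothetical roles using the action names proposed in the issue.
CLIENT = {"actions": {"view", "producer_acl", "consumer_acl"}, "custom_types": set()}
TOPIC_ADMIN = {"actions": {"view", "edit", "custom_acl"},
               "custom_types": {"TOPIC", "GROUP"}}


def check_create(role, bindings):
    """Decide whether `role` may create `bindings`.

    `bindings` is a list of (resource_type, operation) pairs. Returns
    (allowed, reason). Only the binding contents are inspected, because a
    stored ACL carries no marker of the preset that produced it.
    """
    requested = set(bindings)
    if not requested:
        return False, "empty request"
    # A request that fits inside a permitted preset shape is accepted as that preset.
    for action, shape in PRESETS.items():
        if action in role["actions"] and requested <= shape:
            return True, action
    # Anything else is a custom ACL and needs the custom_acl action ...
    if "custom_acl" not in role["actions"]:
        return False, "custom ACLs not permitted for this role"
    # ... and every resource type must be in the role's allowed values.
    blocked = sorted({rtype for rtype, _ in requested} - role["custom_types"])
    if blocked:
        return False, "resource types not permitted: " + ", ".join(blocked)
    return True, "custom_acl"


if __name__ == "__main__":
    cases = [
        (CLIENT, [("TOPIC", "WRITE"), ("TOPIC", "DESCRIBE")]),
        (CLIENT, [("CLUSTER", "ALTER_CONFIGS")]),
        (TOPIC_ADMIN, [("CLUSTER", "ALTER_CONFIGS")]),
        (TOPIC_ADMIN, [("TOPIC", "ALTER_CONFIGS")]),
    ]
    for role, bindings in cases:
        print(bindings, "->", check_create(role, bindings))
```

Because the decision is made from the requested bindings alone, the same function can also be run over ACLs already stored in the cluster to list those a role could not have created.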