Change ACL modification mechanism in Console
Currently in Console, when ACLs are modified, we delete the existing ones, then recreate them with the existing ACLs + additions.
We have seen this can cause problems on clients ...
Have been able to reproduce consistently with the following steps:
- In Console, configure ACLs for user-A: give permissions for topic-1 + consumergroup1 (then repeat with topic2, consumer group2 ... up to 5 sets of resources for topic + group). [Save/ok]
- Start the Java consumer. Confirm it's reading from topic1, Group 1 running, and no issues with authorisation.
- In Console, amend the ACLs for user-A: give additional permissions for topic6 + consumergroup6. [Save/ok]
- The Java consumer now fails with auth errors.
  Java log:
  [com.redpanda.ConsumerExample.main()] WARN org.apache.kafka.clients.consumer.internals.Fetcher - [Consumer clientId=consumer-firefox-1, groupId=firefox] Not authorized to read from partition topic-1-0. org.apache.kafka.common.errors.TopicAuthorizationException: Not authorized
  Redpanda reports:
  2024-04-16 11:43:10.200REDPANDA redpanda INFO 2024-04-16 11:43:10,200 [shard 0:fetc] kafka - 31.54.228.122:62370 failed authorization - connection_context.cc:179 - proto: kafka rpc protocol, sasl state: complete, acl op: read, principal: type {user} name {redpanda-chat-account}, resource: {topic1}
- Restart the Java consumer: no issues with ACLs / authorisation.
- The ACLs are as expected in Console / rpk acl list, e.g. the additional topic/group was added and we didn't lose any.
Requested feature change, either:
- change the UI for ACLs significantly
- make Console smarter so that it can do better diffs without removing
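
A sketch of the diff-based update requested above, added here as an illustration and not taken from Console's code: it computes only the bindings to create and to delete, so ACLs that a running consumer depends on are never removed and re-added. The `ACL` struct, `DiffACLs` and `ReadSet` are hypothetical names, and the sample data is constructed from the reproduction steps.

```go
package main

import "fmt"

// ACL is a simplified, hypothetical binding; it is not Console's own type.
type ACL struct {
	Principal, ResourceType, ResourceName, Operation, Permission string
}

// DiffACLs returns only the bindings to create and to delete in order to move
// from current to desired. Bindings present in both are never touched, so a
// running client keeps its authorization while the change is applied.
func DiffACLs(current, desired []ACL) (toCreate, toDelete []ACL) {
	cur := make(map[ACL]bool, len(current))
	for _, a := range current {
		cur[a] = true
	}
	des := make(map[ACL]bool, len(desired))
	for _, a := range desired {
		if des[a] {
			continue // duplicate entry in the request
		}
		des[a] = true
		if !cur[a] {
			toCreate = append(toCreate, a)
		}
	}
	for _, a := range current {
		if cur[a] && !des[a] {
			toDelete = append(toDelete, a)
		}
		cur[a] = false // report a duplicated current binding only once
	}
	return toCreate, toDelete
}

// ReadSet builds constructed sample data: read access for one user on
// topic-1..topic-n and consumergroup1..consumergroupn.
func ReadSet(user string, n int) []ACL {
	var out []ACL
	for i := 1; i <= n; i++ {
		out = append(out,
			ACL{user, "topic", fmt.Sprintf("topic-%d", i), "read", "allow"},
			ACL{user, "group", fmt.Sprintf("consumergroup%d", i), "read", "allow"})
	}
	return out
}

func main() {
	create, del := DiffACLs(ReadSet("User:user-A", 5), ReadSet("User:user-A", 6))
	fmt.Printf("create=%v\ndelete=%v\n", create, del)
}
```

For the amendment in the reproduction steps this yields two creates (the sixth topic and group) and no deletes, so the bindings for the first five sets stay in place throughout.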