Schema Registry ACLs missing

[solita-juusoma]

Describe the bug Conluent Schema registry documentation (https://docs.confluent.io/platform/current/schema-registry/security/index.html#authorizing-access-to-the-schemas-topic) says that following ACLs are needed for schema-registry principal:

• Read and Write access to the internal _schemas topic. This ensures that only authorized users can make changes to the topic.
• DescribeConfigs on the schemas topic to verify that the topic exists
• describe topic on the schemas topic, giving the Schema Registry service principal the ability to list the schemas topic
• DescribeConfigs on the internal consumer offsets topic
• Access to the Schema Registry cluster (group)
• Create permissions on the Kafka cluster

Currently JulieOps is only adding DESCRIBE_CONFIGS, WRITE and READ ACLs for schema-registry topic (default _schemas). We need to add field for __consumer_offsets topic to descriptor file and add implementation to AclsBindingsBuilder (or just the implementation see expected behavior), additional ACLs for _schemas and GROUP ACL implementation to AclsBindingsBuilder.

Add ACL implementations here https://github.com/kafka-ops/julie/blob/master/src/main/java/com/purbon/kafka/topology/roles/acls/AclsBindingsBuilder.java#L213:

Add __consumer_offsets topic to https://github.com/kafka-ops/julie/blob/master/src/main/java/com/purbon/kafka/topology/model/users/platform/SchemaRegistryInstance.java

RBAC is creating GROUP ACL: https://github.com/solita-juusoma/julie/blob/master/src/main/java/com/purbon/kafka/topology/roles/rbac/RBACBindingsBuilder.java#L180

To Reproduce Steps to reproduce the behavior:

1. Run JulieOps with descriptor file that contains schema-registry platform: platform: schema_registry: instances:

   • principal: "User:schema_registry" topic: "foo" group: "bar"

2. See from julieops log that only DESCRIBE_CONFIGS, WRITE and READ ACLs were added to topic foo

3. Double-check with kafka-acls script that only those ACLs were added

Expected behavior If we do changes based on confluent documentation in addition to DESCRIBE_CONFIGS, WRITE and READ ACLs to _schemas topic, JulieOps should add also ACLs DESCRIBE to _schemas, DESCRIBE to __consumer_offsets and READ to GROUP schema-registry.

If we change descriptor file from this

platform:
  schema_registry:
    instances:
      - principal: "User:schema_registry"
        topic: "foo"
        group: "bar"

for example to this

platform:
  schema_registry:
    instances:
      - principal: "User:schema_registry"
        topic: "foo"
        consumer_offsets_topic: "foo"
        group: "bar"

it's backwards compatible. But do we need to add consumer_offsets_topic to descriptor? Is it even possible to configure Kafka use different topic for offsets storing? If yes, we could just add DescribeConfig (or Describe? documentation is bit unclear for this) ACL always for __consumer_offsets topic for schema-registry.

Is adding DESCRIBE for _schemas topic necessary when it has DESCRIBE_CONFIGS?

GROUP implementation is totally missing so this is added.

It could also be something like this but it affects RBAC implementation as well which I guess is already working?

platform:
  schema_registry:
    instances:
      - principal: "User:schema_registry"
        schemas_topic: "foo"
        consumer_offsets_topic: "foo"
        group: "bar"

Screenshots In this case I have added required ACLs with kafka-acls script. JulieOps tries to remove them.

{
  "Operation" : "com.purbon.kafka.topology.actions.access.ClearBindings",
  "Bindings" : [ {
    "resourceType" : "TOPIC",
    "resourceName" : "__consumer_offsets",
    "host" : "*",
    "operation" : "DESCRIBE",
    "principal" : "User:schema_registry",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "TOPIC",
    "resourceName" : "_schemas",
    "host" : "*",
    "operation" : "DESCRIBE",
    "principal" : "User:schema_registry",
    "pattern" : "LITERAL",
    "scope" : null
  }, {
    "resourceType" : "GROUP",
    "resourceName" : "schema-registry",
    "host" : "*",
    "operation" : "READ",
    "principal" : "User:schema_registry",
    "pattern" : "LITERAL",
    "scope" : null
  }

Runtime (please complete the following information):

• OS: Red Hat Enterprise Linux release 8.4
  • JVM version: openjdk version "11.0.11" 2021-04-20 LTS
• JulieOps Version 2.1.2

[solita-juusoma]

Now that I look I think schema-registry need to be granted ACL DESCRIBE for __consumer_offsets, not DESCRIBE_CONFIGS. Even though documentation says

DescribeConfigs on the internal consumer offsets topic

Command list says

bin/kafka-acls --bootstrap-server localhost:9092 --command-config adminclient-configs.conf --add \ --allow-principal 'User:' --allow-host '*' \ --operation Describe --topic __consumer_offsets

Describe makes more sense.