Closed duyhieuvo closed 6 months ago
For me these ACLs work:
```
ACLs for principal `User:kminion`
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__consumer_offsets, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=READ, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
```
The required ACLs are heavily dependent on your KMinion configuration, thus it's a bit harder to provide general guidance. Your posted panic should never happen, but I believe this was already fixed in franz-go.
I believe Confluent hides the consumer offsets topic in many of their product offerings so that this configuration is not an option for you. In that case you must use the Kafka API scrape mode and that requires permissions to run the DescribeGroups Kafka API command which will require the following ACLs:
- `ListGroups`
- `DescribeGroup`
- `FindCoordinator`

e.g. if you configure Console to also delete its previously created groups you also need to add `Delete` on `Group`, with your configured group prefix if you want to constrain it further.
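The listing quoted above is the output format of `kafka-acls --list`. As an added example (not part of this thread or of the KMinion project), the following script parses that format and reports which permissions a principal still lacks for either KMinion scrape mode. The required-operation table is my own reading of the comments above and of the Kafka authorizer's documented rules, so treat it as an assumption: `ListGroups` needs `Describe` on the cluster, `DescribeGroups`/`FindCoordinator` need `Describe` on the group, and the offsets-topic mode needs `Read` and `Describe` on `__consumer_offsets`. The sample group name and the second, reduced ACL listing are constructed for the demonstration.

```python
"""Check a `kafka-acls --list` dump against the permissions a KMinion scrape mode
needs. Added example, not KMinion's code; required sets are assumptions (see lead-in)."""
import re
from dataclasses import dataclass

RES_RE = re.compile(
    r"ResourcePattern\(resourceType=(?P<rtype>\w+), name=(?P<name>[^,]+), "
    r"patternType=(?P<ptype>\w+)\)")
ACL_RE = re.compile(
    r"\(principal=(?P<principal>[^,]+), host=(?P<host>[^,]+), "
    r"operation=(?P<op>\w+), permissionType=(?P<perm>\w+)\)")

# Kafka's implied operations: READ/WRITE/DELETE/ALTER imply DESCRIBE,
# ALTER_CONFIGS implies DESCRIBE_CONFIGS; ALL covers every operation.
IMPLIES = {"DESCRIBE": {"READ", "WRITE", "DELETE", "ALTER"},
           "DESCRIBE_CONFIGS": {"ALTER_CONFIGS"}}

SAMPLE_GROUP = "orders-consumer"  # constructed group name; a name=* ACL covers it

# Assumed minimum per scrape mode (derived from the thread, not from KMinion docs).
REQUIRED = {
    "adminApi": [("CLUSTER", "kafka-cluster", "DESCRIBE"),   # ListGroups
                 ("GROUP", SAMPLE_GROUP, "DESCRIBE")],        # DescribeGroups, FindCoordinator
    "offsetTopics": [("TOPIC", "__consumer_offsets", "READ"),
                     ("TOPIC", "__consumer_offsets", "DESCRIBE")],
}


@dataclass(frozen=True)
class Acl:
    rtype: str
    name: str
    ptype: str
    principal: str
    host: str
    op: str
    perm: str


def parse_acl_listing(text):
    """Turn the `kafka-acls --list` text into Acl records, one per binding."""
    acls, current = [], None
    for line in text.splitlines():
        m = RES_RE.search(line)
        if m:
            current = (m["rtype"], m["name"], m["ptype"])
            continue
        m = ACL_RE.search(line)
        if m and current:
            acls.append(Acl(*current, m["principal"], m["host"], m["op"], m["perm"]))
    return acls


def _matches(acl, principal, rtype, name, op):
    """Does this binding apply to (principal, resource, operation)? Host is ignored
    here, i.e. treated as `*`."""
    if acl.principal not in (principal, "User:*") or acl.rtype != rtype:
        return False
    if acl.ptype == "LITERAL":
        name_ok = acl.name in (name, "*")
    elif acl.ptype == "PREFIXED":
        name_ok = name.startswith(acl.name)
    else:
        name_ok = False
    return name_ok and (acl.op in ("ALL", op) or acl.op in IMPLIES.get(op, set()))


def is_allowed(acls, principal, rtype, name, op):
    matching = [a for a in acls if _matches(a, principal, rtype, name, op)]
    if any(a.perm == "DENY" for a in matching):   # DENY always wins in Kafka
        return False
    return any(a.perm == "ALLOW" for a in matching)


def missing_for_mode(acls, principal, mode):
    """Required (resourceType, name, operation) triples the principal cannot perform."""
    return [req for req in REQUIRED[mode] if not is_allowed(acls, principal, *req)]


# The listing quoted in the maintainer's comment above.
WORKING_LISTING = """\
ACLs for principal `User:kminion`
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=READ, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=*, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=TOPIC, name=__consumer_offsets, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=READ, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE_CONFIGS, permissionType=ALLOW)
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

# Constructed: describe-only grants on cluster and groups, nothing on the offsets topic.
DESCRIBE_ONLY_LISTING = """\
Current ACLs for resource `ResourcePattern(resourceType=CLUSTER, name=kafka-cluster, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
Current ACLs for resource `ResourcePattern(resourceType=GROUP, name=*, patternType=LITERAL)`:
(principal=User:kminion, host=*, operation=DESCRIBE, permissionType=ALLOW)
"""

if __name__ == "__main__":
    for label, listing in (("working", WORKING_LISTING), ("describe-only", DESCRIBE_ONLY_LISTING)):
        acls = parse_acl_listing(listing)
        for mode in REQUIRED:
            print(label, mode, "missing:", missing_for_mode(acls, "User:kminion", mode))
```

Run it against a real dump by piping `kafka-acls --bootstrap-server ... --list --principal User:kminion` into `parse_acl_listing`. Note that the check models `DENY` precedence and Kafka's implied operations (a `READ` grant on a group satisfies a `DESCRIBE` requirement), which is why the working listing passes the adminApi check without an explicit group `DESCRIBE`.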
Hello,
could you help me clarify what the right set of permissions for KMinion on a secured Kafka cluster is? In our case we have Confluent Platform and manage permissions with Confluent predefined roles (https://docs.confluent.io/platform/current/security/rbac/rbac-predefined-roles.html#role-based-access-control-predefined-roles). Trying KMinion in both modes didn't work for us, after trying different sets of permissions:
In AdminApi mode, after inspecting the Kafka log, we saw that KMinion tried to describe the consumer group and the cluster, so we gave it the following permission:
but then the KMinion pod crashed with the following logs:
In OffsetTopics mode, we gave it the permission to consume and describe configs on the __consumer_offsets topic. But the consumer group lag info in the metrics seems not to be correct. It always shows 0 lag even though there is some.
It would be nice to have a summary of the required permissions of KMinion on the Kafka cluster. Thank you.