update acls documentation

confluentinc · Nov 15, 2019 · 2062bf8 · 2062bf8
1 parent 5e42500
commit 2062bf8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/docs/installation/server-config/security.rst b/docs/installation/server-config/security.rst
@@ -404,6 +404,9 @@ The ACLs required are the same for both :ref:`Interactive and non-interactive (h
 KSQL always requires the following ACLs for its internal operations and data management:
 
 - The ``DESCRIBE_CONFIGS`` operation on the ``CLUSTER`` resource type.
+- The ``DESCRIBE`` operation on the ``TOPIC`` with ``LITERAL`` name ``__consumer_offsets``.
+- The ``DESCRIBE`` operation on the ``TOPIC`` with ``LITERAL`` name ``__transaction_state``.
+- The ``DESCRIBE`` and ``WRITE`` operation on the ``TRANSACTIONAL_ID`` with ``LITERAL`` name ``<ksql.service.id>``.
 - The ``ALL`` operation on all internal ``TOPICS`` that are ``PREFIXED`` with ``_confluent-ksql-<ksql.service.id>``.
 - The ``ALL`` operation on all internal ``GROUPS`` that are ``PREFIXED`` with ``_confluent-ksql-<ksql.service.id>``.
 

diff --git a/ksql-rest-app/src/test/java/io/confluent/ksql/rest/integration/RestApiTest.java b/ksql-rest-app/src/test/java/io/confluent/ksql/rest/integration/RestApiTest.java
@@ -26,6 +26,7 @@
 import static org.apache.kafka.common.acl.AclOperation.CREATE;
 import static org.apache.kafka.common.acl.AclOperation.DESCRIBE;
 import static org.apache.kafka.common.acl.AclOperation.DESCRIBE_CONFIGS;
+import static org.apache.kafka.common.acl.AclOperation.WRITE;
 import static org.apache.kafka.common.resource.ResourceType.CLUSTER;
 import static org.apache.kafka.common.resource.ResourceType.GROUP;
 import static org.apache.kafka.common.resource.ResourceType.TOPIC;
@@ -130,16 +131,21 @@ public class RestApiTest {
               )
               .withAcl(
                   NORMAL_USER,
-                  prefixedResource(TRANSACTIONAL_ID, "default_"),
-                  ops(ALL)
+                  resource(TRANSACTIONAL_ID, "default_"),
+                  ops(WRITE)
+              )
+              .withAcl(
+                  NORMAL_USER,
+                  resource(TRANSACTIONAL_ID, "default_"),
+                  ops(DESCRIBE)
               ).withAcl(
                   NORMAL_USER,
                   resource(TOPIC, "__consumer_offsets"),
                   ops(DESCRIBE)
               ).withAcl(
                   NORMAL_USER,
-                  prefixedResource(TOPIC, "__transaction_state"),
-                  ops(ALL)
+                  resource(TOPIC, "__transaction_state"),
+                  ops(DESCRIBE)
               )
       )
       .build();