Description
It is possible to create DENY ACLs for the DESCRIBE and DESCRIBE_CONFIGS operations against a Kafka cluster. Users affected by such a DENY ACL can no longer perform any operation against that cluster with the Confluent CLI, including removing the DENY ACL itself, even if the user holds a higher-privileged role binding such as OrganizationAdmin.
Applies To
Confluent Cloud
Cause
Per "Use ACLs with RBAC" in the Confluent Cloud documentation, ACL DENY rules are evaluated first, before any role binding permissions are considered.
Note that DENY ACLs exist only for the READ, WRITE, DESCRIBE and DESCRIBE_CONFIGS operations; there is no DENY ACL for ALTER.
Once a DENY ACL for DESCRIBE or DESCRIBE_CONFIGS exists against the Kafka cluster, it cannot be deleted with the Confluent CLI: the CLI always attempts to DESCRIBE a cluster before performing any operation on it, so it never gets as far as ALTERing the cluster ACLs. The Confluent Cloud REST API does not perform this DESCRIBE check, so it can be used to update the cluster ACLs.
Resolution
- Create a Kafka API key for an account that has at least CloudClusterAdmin privileges on the cluster, so that it is permitted to manage the cluster's ACLs.
- Use this API key with the Confluent Cloud REST API (Kafka REST v3) to delete the DENY ACLs. Replace pkc-00000.region.provider.confluent.cloud and lkc-123abc with your cluster's REST endpoint and cluster ID, and REPLACE_BASIC_AUTH with the base64 encoding of <api-key>:<api-secret>:
curl --request DELETE \
  --url 'https://pkc-00000.region.provider.confluent.cloud/kafka/v3/clusters/lkc-123abc/acls?resource_type=CLUSTER&pattern_type=LITERAL&operation=DESCRIBE&permission=DENY' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'
curl --request DELETE \
  --url 'https://pkc-00000.region.provider.confluent.cloud/kafka/v3/clusters/lkc-123abc/acls?resource_type=CLUSTER&pattern_type=LITERAL&operation=DESCRIBE_CONFIGS&permission=DENY' \
  --header 'Authorization: Basic REPLACE_BASIC_AUTH'
Note that these requests carry no principal or host filter, so each one removes every DENY ACL for that operation on the cluster, for all principals. To remove only the binding that is locking out a specific account, add the principal (and host) of that ACL to the query string, and list the cluster's DENY ACLs with a GET on the same acls endpoint first to confirm what will be removed.
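The following script is an added example and is not part of this article or of any Confluent tooling. It performs the resolution above through the Kafka REST v3 API in a safer order: list the cluster's DENY ACLs, select only the cluster-level DESCRIBE and DESCRIBE_CONFIGS denials, and delete each one with a fully qualified filter (principal and host included) rather than the unfiltered DELETE shown above. The endpoint, cluster ID, API key and secret are placeholders, and the ACL listing embedded in the script is constructed to mimic the shape of a GET /kafka/v3/clusters/{cluster_id}/acls response so the script can be exercised offline in dry-run mode.

```python
"""
Added example (not from the Confluent KB article): remove the DENY
DESCRIBE / DESCRIBE_CONFIGS ACLs that lock the Confluent CLI out of a
Confluent Cloud Kafka cluster, using the Kafka REST v3 API that the article
states does not perform the CLI's DESCRIBE pre-check.

Placeholders (assumptions, not values from the article): REST_ENDPOINT,
CLUSTER_ID, API_KEY, API_SECRET. SAMPLE_LISTING is a constructed response.
"""
import base64
import json
import urllib.parse
import urllib.request

REST_ENDPOINT = "https://pkc-00000.region.provider.confluent.cloud"  # placeholder
CLUSTER_ID = "lkc-123abc"  # placeholder
# Kafka (cluster-scoped) API key of an account with at least CloudClusterAdmin.
API_KEY, API_SECRET = "REPLACE_KEY", "REPLACE_SECRET"  # placeholders

# The two operations the article says the CLI needs before it will ALTER ACLs.
BLOCKING_OPERATIONS = ("DESCRIBE", "DESCRIBE_CONFIGS")


def basic_auth_header(key: str, secret: str) -> str:
    """Authorization header value; this is what REPLACE_BASIC_AUTH stands for."""
    token = base64.b64encode(f"{key}:{secret}".encode()).decode()
    return f"Basic {token}"


def acls_url(**filters: str) -> str:
    """Build .../kafka/v3/clusters/{id}/acls?<filters> with URL-encoded values."""
    query = urllib.parse.urlencode(filters)
    return f"{REST_ENDPOINT}/kafka/v3/clusters/{CLUSTER_ID}/acls?{query}"


def blocking_deny_acls(listing: dict) -> list:
    """Select cluster-level DENY ACLs whose operation locks the CLI out."""
    return [
        acl for acl in listing.get("data", [])
        if acl.get("permission") == "DENY"
        and acl.get("resource_type") == "CLUSTER"
        and acl.get("operation") in BLOCKING_OPERATIONS
    ]


def delete_filters(acl: dict) -> dict:
    """Query parameters that match exactly one ACL binding. The article's curl
    omits principal and host, so it removes that DENY for every principal."""
    return {
        "resource_type": acl["resource_type"],
        "resource_name": acl["resource_name"],
        "pattern_type": acl["pattern_type"],
        "principal": acl["principal"],
        "host": acl["host"],
        "operation": acl["operation"],
        "permission": acl["permission"],
    }


def request(method: str, url: str) -> dict:
    """Issue an authenticated request; only used when dry_run is False."""
    req = urllib.request.Request(url, method=method)
    req.add_header("Authorization", basic_auth_header(API_KEY, API_SECRET))
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def remove_lockout(listing=None, dry_run=True) -> list:
    """List DENY ACLs (or use the supplied listing), then delete each blocking
    one. Returns the DELETE URLs issued (or that would be issued in dry-run)."""
    if listing is None:
        listing = request("GET", acls_url(permission="DENY"))
    urls = []
    for acl in blocking_deny_acls(listing):
        url = acls_url(**delete_filters(acl))
        if not dry_run:
            request("DELETE", url)
        urls.append(url)
    return urls


# Constructed sample listing (not a real API response): one locked-out service
# account plus an unrelated topic-level DENY that must be left untouched.
SAMPLE_LISTING = {
    "kind": "KafkaAclList",
    "data": [
        {"resource_type": "CLUSTER", "resource_name": "kafka-cluster",
         "pattern_type": "LITERAL", "principal": "User:sa-abc123", "host": "*",
         "operation": "DESCRIBE", "permission": "DENY"},
        {"resource_type": "CLUSTER", "resource_name": "kafka-cluster",
         "pattern_type": "LITERAL", "principal": "User:sa-abc123", "host": "*",
         "operation": "DESCRIBE_CONFIGS", "permission": "DENY"},
        {"resource_type": "TOPIC", "resource_name": "orders",
         "pattern_type": "LITERAL", "principal": "User:sa-abc123", "host": "*",
         "operation": "READ", "permission": "DENY"},
    ],
}

if __name__ == "__main__":
    for url in remove_lockout(SAMPLE_LISTING, dry_run=True):
        print("DELETE", url)
```

Run it as-is to see the two DELETE requests it would issue against the sample listing; call remove_lockout(dry_run=False) with real placeholders filled in to list the live cluster's DENY ACLs and delete only the cluster-level DESCRIBE and DESCRIBE_CONFIGS denials. The topic-level DENY in the sample is deliberately left in place, since it does not cause the CLI lockout the article describes.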