KAFKA-19377:Update /streams/developer-guide/security.html for KIP-1071 (#20084)

Added required ACLs for new streams operations: - STREAMS_GROUP_HEARTBEAT (88) requires: • READ on Group • DESCRIBE on Topics • [Conditional] CREATE on Cluster or Topics - STREAMS_GROUP_DESCRIBE (89) requires: • DESCRIBE on Group • DESCRIBE on Topic Here is the rendering of the modified document. Reviewers: Lucas Brutschy <lbrutschy@confluent.io> Co-authored-by: Lucas Brutschy <lbrutschy@gmail.com>
2025-07-17 16:35:46 +08:00 · 2025-07-17 16:35:46 +08:00 · e8e4e0b6db
parent f2cbc7e3f2
commit e8e4e0b6db
1 changed files with 60 additions and 1 deletions
--- a/docs/streams/developer-guide/security.html
+++ b/docs/streams/developer-guide/security.html
@ -70,7 +70,65 @@
                the ACL set so that the application has the permissions to create, read and write
                <a class="reference internal" href="manage-topics.html#streams-developer-guide-topics-internal"><span class="std std-ref">internal topics</span></a>.</p>

-                <p>To avoid providing this permission to your application, you can create the required internal topics manually.
+            <div class="admonition">
+                <p>If the <a class="reference external" href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol">streams rebalance protocol</a> is enabled by setting <code>group.protocol=streams</code>, the following ACLs are required on the topic and group resources:</p>
+            </div>
+
+            <table border="1" class="docutils">
+                <colgroup>
+                    <col width="25%">
+                    <col width="15%">
+                    <col width="20%">
+                    <col width="40%">
+                </colgroup>
+                <thead valign="bottom">
+                <tr class="row-odd"><th class="head">API PROTOCOL</th>
+                    <th class="head">OPERATION</th>
+                    <th class="head">Resource</th>
+                    <th class="head">Notes</th>
+                </tr>
+                </thead>
+                <tbody valign="top">
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Read</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Create</td>
+                    <td>Cluster <i>or</i> Topic</td>
+                    <td>
+                        Required only if auto-creating internal topics.<br>
+                        • <code>Create</code> on Cluster resource<br>
+                        • or <code>Create</code> on all topics in StateChangelogTopics and RepartitionSourceTopics<br>
+                        Not required if internal topics are pre-created
+                    </td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the application's topology, when first joining.</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the group's topology</td>
+                </tr>
+                </tbody>
+            </table>
+
+                <p>As mentioned earlier, Kafka Streams applications need appropriate ACLs to create internal topics when running against a secured Kafka cluster.
+                    To avoid providing this permission to your application, you can create the required internal topics manually.
                    If the internal topics exist, Kafka Streams will not try to recreate them.
                    Note, that the internal repartition and changelog topics must be created with the correct number of partitions&mdash;otherwise, Kafka Streams will fail on startup.
                The topics must be created with the same number of partitions as your input topic, or if there are multiple topics, the maximum number of partitions across all input topics.
@ -89,6 +147,7 @@
                and <a class="reference external" href="https://cwiki.apache.org/confluence/x/QpvLB">KIP-290</a> for details).
            </p>
        </div>
+
        <div class="section" id="security-example">
            <span id="streams-developer-guide-security-example"></span><h2><a class="toc-backref" href="#id2">Security example</a><a class="headerlink" href="#security-example" title="Permalink to this headline"></a></h2>
            <p>The purpose is to configure a Kafka Streams application to enable client authentication and encrypt data-in-transit when