From e8e4e0b6dba77837d7fd97821e10dbee46a4e16e Mon Sep 17 00:00:00 2001
From: KTKTK-HZ <56449555+KTKTK-HZ@users.noreply.github.com>
Date: Thu, 17 Jul 2025 16:35:46 +0800
Subject: [PATCH] KAFKA-19377:Update /streams/developer-guide/security.html for
 KIP-1071 (#20084)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added required ACLs for new streams operations:

- STREAMS_GROUP_HEARTBEAT (88) requires:
  • READ on Group
  • DESCRIBE on Topics
  • [Conditional] CREATE on Cluster or Topics
- STREAMS_GROUP_DESCRIBE (89) requires:
  • DESCRIBE on Group
  • DESCRIBE on Topic

Here is the rendering of the modified document.

Reviewers: Lucas Brutschy <lbrutschy@confluent.io>
Co-authored-by: Lucas Brutschy <lbrutschy@gmail.com>
---
 docs/streams/developer-guide/security.html | 61 +++++++++++++++++++++-
 1 file changed, 60 insertions(+), 1 deletion(-)

diff --git a/docs/streams/developer-guide/security.html b/docs/streams/developer-guide/security.html
index 13e671fa931..bae4d90b8b2 100644
--- a/docs/streams/developer-guide/security.html
+++ b/docs/streams/developer-guide/security.html
@@ -70,7 +70,65 @@
                 the ACL set so that the application has the permissions to create, read and write
                 <a class="reference internal" href="manage-topics.html#streams-developer-guide-topics-internal"><span class="std std-ref">internal topics</span></a>.</p>
 
-                <p>To avoid providing this permission to your application, you can create the required internal topics manually.
+            <div class="admonition">
+                <p>If the <a class="reference external" href="https://cwiki.apache.org/confluence/display/KAFKA/KIP-1071%3A+Streams+Rebalance+Protocol">streams rebalance protocol</a> is enabled by setting <code>group.protocol=streams</code>, the following ACLs are required on the topic and group resources:</p>
+            </div>
+
+            <table border="1" class="docutils">
+                <colgroup>
+                    <col width="25%">
+                    <col width="15%">
+                    <col width="20%">
+                    <col width="40%">
+                </colgroup>
+                <thead valign="bottom">
+                <tr class="row-odd"><th class="head">API PROTOCOL</th>
+                    <th class="head">OPERATION</th>
+                    <th class="head">Resource</th>
+                    <th class="head">Notes</th>
+                </tr>
+                </thead>
+                <tbody valign="top">
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Read</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Create</td>
+                    <td>Cluster <i>or</i> Topic</td>
+                    <td>
+                        Required only if auto-creating internal topics.<br>
+                        • <code>Create</code> on Cluster resource<br>
+                        • or <code>Create</code> on all topics in StateChangelogTopics and RepartitionSourceTopics<br>
+                        Not required if internal topics are pre-created
+                    </td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_HEARTBEAT</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the application's topology, when first joining.</td>
+                </tr>
+                <tr class="row-odd">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Group</td>
+                    <td>Required for the application's streams group</td>
+                </tr>
+                <tr class="row-even">
+                    <td>STREAMS_GROUP_DESCRIBE</td>
+                    <td>Describe</td>
+                    <td>Topic</td>
+                    <td>Required for all topics used in the group's topology</td>
+                </tr>
+                </tbody>
+            </table>
+
+                <p>As mentioned earlier, Kafka Streams applications need appropriate ACLs to create internal topics when running against a secured Kafka cluster.
+                    To avoid providing this permission to your application, you can create the required internal topics manually.
                     If the internal topics exist, Kafka Streams will not try to recreate them.
                     Note, that the internal repartition and changelog topics must be created with the correct number of partitions&mdash;otherwise, Kafka Streams will fail on startup.
                 The topics must be created with the same number of partitions as your input topic, or if there are multiple topics, the maximum number of partitions across all input topics.
@@ -89,6 +147,7 @@
                 and <a class="reference external" href="https://cwiki.apache.org/confluence/x/QpvLB">KIP-290</a> for details).
             </p>
         </div>
+
         <div class="section" id="security-example">
             <span id="streams-developer-guide-security-example"></span><h2><a class="toc-backref" href="#id2">Security example</a><a class="headerlink" href="#security-example" title="Permalink to this headline"></a></h2>
             <p>The purpose is to configure a Kafka Streams application to enable client authentication and encrypt data-in-transit when