Reset offset shouldn't be triggered on non-readable topic #642

@ThomasCAI-mlv

Describe the bug

The reset-offset API allows resetting offsets on any topic as long as the namespace has ownership of the consumer group, even if the namespace has no READ or OWNER ACL on the topic.

To Reproduce

Steps to reproduce the behavior:

  1. Create the namespaces ns1 and ns2 with respective ownership of ns1.- and ns2.-prefixed topics and consumer groups.
  2. With the namespace ns1, create a topic ns1.topic.
  3. With the namespace ns2, call the reset-offset API POST /api/namespaces/ns2/consumer-groups/ns2.consumer-group/reset with the following body:

     ```json
     {
       "apiVersion": "v1",
       "kind": "ConsumerGroupResetOffsets",
       "metadata": {
         "name": "ns2.consumer-group",
         "namespace": "ns2"
       },
       "spec": {
         "topic": "ns1.topic",
         "method": "TO_EARLIEST"
       }
     }
     ```

  4. The namespace ns2 does not have a READ ACL on the topic ns1.topic, but the API doesn't return an authorization error response (status code 422?).

Environment

  • Ns4Kafka version: v1.16.0
  • Kafka broker type and version: N/A

Steps taken to try and solve the problem

A new checker can be added to check the topic
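
One possible shape for the topic check suggested above, as an added example that is not part of the original issue and is not Ns4Kafka's own code. The `Acl` record, the enums, `validateReset` and the `ns1.shared` grant are hypothetical names and constructed data for illustration; Java 16 or later is assumed for records.

```java
import java.util.ArrayList;
import java.util.List;

// Simplified model with hypothetical names; not Ns4Kafka's own classes.
public class ResetOffsetAclCheck {
    enum ResourceType { TOPIC, GROUP }
    enum PatternType { LITERAL, PREFIXED }
    enum Permission { OWNER, READ, WRITE }

    record Acl(String grantedTo, ResourceType type, PatternType pattern,
               String resource, Permission permission) {
        boolean covers(String namespace, ResourceType wanted, String name) {
            if (!grantedTo.equals(namespace) || type != wanted) return false;
            return pattern == PatternType.PREFIXED ? name.startsWith(resource)
                                                   : name.equals(resource);
        }
    }

    static boolean allowed(List<Acl> acls, String ns, ResourceType type,
                           String name, List<Permission> accepted) {
        return acls.stream().anyMatch(
            a -> a.covers(ns, type, name) && accepted.contains(a.permission()));
    }

    // Empty result: the reset may proceed. Otherwise the request is rejected.
    static List<String> validateReset(List<Acl> acls, String ns, String group, String topic) {
        List<String> errors = new ArrayList<>();
        if (!allowed(acls, ns, ResourceType.GROUP, group, List.of(Permission.OWNER)))
            errors.add("namespace " + ns + " does not own consumer group " + group);
        // The check the issue asks for: group ownership alone is not enough.
        if (!allowed(acls, ns, ResourceType.TOPIC, topic,
                     List.of(Permission.OWNER, Permission.READ)))
            errors.add("namespace " + ns + " has no READ or OWNER ACL on topic " + topic);
        return errors;
    }

    public static void main(String[] args) {
        // Constructed ACLs mirroring the reproduction steps, plus one explicit READ grant.
        List<Acl> acls = List.of(
            new Acl("ns1", ResourceType.TOPIC, PatternType.PREFIXED, "ns1.", Permission.OWNER),
            new Acl("ns2", ResourceType.TOPIC, PatternType.PREFIXED, "ns2.", Permission.OWNER),
            new Acl("ns2", ResourceType.GROUP, PatternType.PREFIXED, "ns2.", Permission.OWNER),
            new Acl("ns2", ResourceType.TOPIC, PatternType.LITERAL, "ns1.shared", Permission.READ));
        String group = "ns2.consumer-group";
        System.out.println(validateReset(acls, "ns2", group, "ns1.topic"));  // case from the issue
        System.out.println(validateReset(acls, "ns2", group, "ns1.shared")); // literal READ grant
        System.out.println(validateReset(acls, "ns2", group, "ns2.topic"));  // topic under own prefix
    }
}
```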

Labels: bug (Something isn't working)