No Wildcard Subject Access in ApplicationGroups

SUBJECT permissions must be prefix-scoped (patternType=PREFIXED, name!="*").

Rationale

Even "read-only" wildcard subject access leaks the shape of every sensitive record in the org: field names such as `ssn`, `dob` or `internal_pricing` tell a reader which subjects carry regulated or confidential data before a single message is read. Schema registries are routinely under-secured because teams treat them as metadata, but the field catalog itself is sensitive. Force every subject grant to be prefix-scoped to a domain, so a group can only enumerate the schemas of the domain it owns.

Pattern

permissions[].resourceType=="SUBJECT" → name != "*" AND patternType == "PREFIXED"

Examples

resourceType=SUBJECT, name="payments.", patternType=PREFIXED   (allowed: prefix-scoped to the payments domain)
resourceType=SUBJECT, name="*", patternType=LITERAL            (rejected: wildcard name)
resourceType=SUBJECT, name="*", patternType=PREFIXED           (rejected: wildcard name, even though patternType is PREFIXED)

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: applicationgroup-no-subject-wildcard-read
spec:
  targetKind: ApplicationGroup
  description: SUBJECT permissions must be prefix-scoped (patternType=PREFIXED, name!="*")
  rules:
    - condition: 'spec.permissions.all(p, p.resourceType != "SUBJECT" || (p.name != "*" && p.patternType == "PREFIXED"))'
      errorMessage: "SUBJECT permissions must be prefix-scoped (patternType=PREFIXED, name!=\"*\") — schema field names leak PII structure"
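The same rule, re-implemented in plain Python as a pre-commit guardrail that runs over an ApplicationGroup manifest before it is pushed. This is an added example, not Conduktor's own code: the manifests are constructed here for illustration (the shape is what `yaml.safe_load` would return), and the optional `strict` mode is an assumption beyond the page's policy. It exists because the CEL condition above only rejects the literal name `"*"`; a PREFIXED grant with an empty name matches every subject just as a wildcard would, so a stricter deployment may want to reject empty prefixes and require the prefix to name a domain (the trailing `.` convention from the `payments.` example).

```python
from __future__ import annotations

from typing import Any

# Added example (not Conduktor's code): applies the page's rule to an
# ApplicationGroup manifest already loaded into Python dicts.
RULE_TEXT = 'SUBJECT permissions must be prefix-scoped (patternType=PREFIXED, name!="*")'


def subject_permission_violations(
    permissions: list[dict[str, Any]], strict: bool = False
) -> list[dict[str, Any]]:
    """Return one record per SUBJECT permission that breaks the rule.

    Mirrors the CEL condition on the page:
        p.resourceType != "SUBJECT" || (p.name != "*" && p.patternType == "PREFIXED")
    strict=True is an assumed extension: it also rejects an empty prefix (which
    matches every subject, like "*") and a prefix that does not end in ".".
    """
    out: list[dict[str, Any]] = []
    for idx, p in enumerate(permissions):
        if p.get("resourceType") != "SUBJECT":
            continue  # rule constrains SUBJECT grants only; TOPIC etc. pass through
        name = p.get("name", "")
        pattern = p.get("patternType")
        reasons: list[str] = []
        if name == "*":
            reasons.append('name is the wildcard "*"')
        if pattern != "PREFIXED":
            reasons.append(f'patternType is {pattern!r}, must be "PREFIXED"')
        if strict and not reasons:
            if name == "":
                reasons.append('empty prefix matches every subject (equivalent to "*")')
            elif not name.endswith("."):
                reasons.append('prefix must name a domain and end with "." (assumed convention)')
        if reasons:
            out.append({"index": idx, "name": name, "patternType": pattern, "reasons": reasons})
    return out


def check_application_group(manifest: dict[str, Any], strict: bool = False) -> list[str]:
    """Validate one manifest; an empty list means the group is accepted."""
    if manifest.get("kind") != "ApplicationGroup":
        return []  # the policy's targetKind is ApplicationGroup; other kinds are out of scope
    group = manifest.get("metadata", {}).get("name", "<unnamed>")
    perms = manifest.get("spec", {}).get("permissions", [])
    return [
        f'{group}: permissions[{v["index"]}] (name={v["name"]!r}, patternType={v["patternType"]}): '
        + "; ".join(v["reasons"])
        + f" [{RULE_TEXT}]"
        for v in subject_permission_violations(perms, strict)
    ]


# Constructed sample manifests (illustration only).
COMPLIANT_GROUP = {
    "kind": "ApplicationGroup",
    "metadata": {"name": "payments-readers"},
    "spec": {"permissions": [
        {"resourceType": "SUBJECT", "name": "payments.", "patternType": "PREFIXED"},
        {"resourceType": "TOPIC", "name": "payments.", "patternType": "PREFIXED"},
    ]},
}

WILDCARD_GROUP = {
    "kind": "ApplicationGroup",
    "metadata": {"name": "platform-observers"},
    "spec": {"permissions": [
        {"resourceType": "TOPIC", "name": "*", "patternType": "LITERAL"},       # not a SUBJECT: ignored here
        {"resourceType": "SUBJECT", "name": "*", "patternType": "LITERAL"},     # wildcard + wrong patternType
        {"resourceType": "SUBJECT", "name": "*", "patternType": "PREFIXED"},    # wildcard despite PREFIXED
        {"resourceType": "SUBJECT", "name": "payments.", "patternType": "LITERAL"},  # right name, wrong patternType
    ]},
}

EMPTY_PREFIX_GROUP = {
    "kind": "ApplicationGroup",
    "metadata": {"name": "sneaky-readers"},
    "spec": {"permissions": [
        {"resourceType": "SUBJECT", "name": "", "patternType": "PREFIXED"},  # passes the page's rule, fails strict
    ]},
}


if __name__ == "__main__":
    for manifest in (COMPLIANT_GROUP, WILDCARD_GROUP, EMPTY_PREFIX_GROUP):
        errors = check_application_group(manifest, strict=True)
        print(manifest["metadata"]["name"], "->", "OK" if not errors else "\n  ".join([""] + errors))
```

Run it with `strict=False` to reproduce exactly what Console enforces from the YAML above; the `sneaky-readers` group then passes, which is the gap `strict=True` closes.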

Try Conduktor Console

Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.