
ApplicationGroup Cannot Grant Wildcard Write Permissions

Reject ApplicationGroup permissions that combine name="*" with write/create/delete on topics or connectors.

Rationale

Wildcard write to all topics in an environment is a "delete the company" privilege. Read access on `*` is sometimes legitimate (support, observability); write/produce on `*` almost never is. Complements the starter `no-wildcard-acl-prod` by extending the check from ACLs to UI-granted permissions.

Pattern

permissions[].name=="*" → no topicProduce / topicCreate / topicDelete / kafkaConnectCreate / kafkaConnectDelete

Examples

Allowed: name="*", permissions=[topicViewConfig, topicConsume] (read-only on the wildcard)
Allowed: name="payments.", patternType=PREFIXED, permissions=[topicProduce] (write scoped to a prefix)
Rejected: name="*", permissions=[topicProduce] (wildcard write)
Rejected: name="*", permissions=[topicDelete] (wildcard delete)

Parameters

Name: forbidden_with_wildcard
Default: ["topicProduce","topicCreate","topicDelete","kafkaConnectCreate","kafkaConnectDelete"]
Description: Role IDs that may not be combined with name="*".

Implementation

Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an Application or a KafkaCluster. ApplicationGroup is not an ApplicationInstance-level resource, so this policy cannot be linked from an ApplicationInstance (it is excluded by allowedApplicationInstancePolicies).

Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy
# ApplicationGroup policies must be linked at Application or KafkaCluster level —
# not at ApplicationInstance (excluded by allowedApplicationInstancePolicies).
---
apiVersion: self-serve/v1
kind: ResourcePolicy
metadata:
  name: applicationgroup-no-wildcard-write
spec:
  targetKind: ApplicationGroup
  description: wildcard (name="*") permissions cannot include write/create/delete on topics or connectors
  rules:
    - condition: 'spec.permissions.all(p, p.name != "*" || !p.permissions.exists(perm, perm in ["topicProduce", "topicCreate", "topicDelete", "kafkaConnectCreate", "kafkaConnectDelete"]))'
      errorMessage: "wildcard (name=\"*\") permissions cannot include write/create/delete on topics or connectors — scope by prefix instead"
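The following Python is an added example, not Conduktor's code and not part of the policy above: it mirrors the rule's CEL condition so the same check can run offline, for instance as a pre-commit hook over ApplicationGroup manifests before they reach Console. It assumes the manifest shape the Pattern section implies (spec.permissions[] entries carrying resourceType, name, patternType and permissions); the sample ApplicationGroups are constructed for this example, and the forbidden list defaults to the page's forbidden_with_wildcard value.

```python
"""Offline mirror of the applicationgroup-no-wildcard-write ResourcePolicy.

Added example, not Conduktor code. The rule re-implemented here is the page's
CEL condition:

  spec.permissions.all(p, p.name != "*" ||
      !p.permissions.exists(perm, perm in forbidden_with_wildcard))

Field names follow the page's Pattern section; the manifest shape and the
sample ApplicationGroups below are constructed for the example.
"""
from typing import Any

# Page default for the forbidden_with_wildcard parameter.
FORBIDDEN_WITH_WILDCARD = frozenset({
    "topicProduce", "topicCreate", "topicDelete",
    "kafkaConnectCreate", "kafkaConnectDelete",
})


def wildcard_write_violations(
    app_group: dict[str, Any],
    forbidden: frozenset[str] = FORBIDDEN_WITH_WILDCARD,
) -> list[str]:
    """Return one message per spec.permissions entry that breaks the rule.

    An empty list means the ApplicationGroup passes the policy. Only entries
    whose name is exactly "*" are inspected; LITERAL and PREFIXED entries with
    any other name are allowed whatever roles they carry, as in the CEL rule.
    """
    violations: list[str] = []
    entries = app_group.get("spec", {}).get("permissions", [])
    for idx, entry in enumerate(entries):
        if entry.get("name") != "*":
            continue
        offending = sorted(forbidden.intersection(entry.get("permissions", [])))
        if offending:
            violations.append(
                f'spec.permissions[{idx}] ({entry.get("resourceType", "?")}): '
                f'name="*" combined with {", ".join(offending)}; '
                f'scope by prefix instead'
            )
    return violations


def is_allowed(app_group: dict[str, Any]) -> bool:
    """True when the policy would accept the ApplicationGroup."""
    return not wildcard_write_violations(app_group)


def _group(*perms: dict[str, Any]) -> dict[str, Any]:
    """Build a minimal, constructed ApplicationGroup manifest."""
    return {
        "apiVersion": "self-serve/v1",
        "kind": "ApplicationGroup",
        "metadata": {"name": "payments-team"},
        "spec": {"permissions": list(perms)},
    }


# Constructed samples matching the page's Examples section, plus one mixed case.
READ_ONLY_WILDCARD = _group({"resourceType": "TOPIC", "name": "*", "patternType": "LITERAL",
                             "permissions": ["topicViewConfig", "topicConsume"]})
PREFIXED_PRODUCE = _group({"resourceType": "TOPIC", "name": "payments.", "patternType": "PREFIXED",
                           "permissions": ["topicProduce"]})
WILDCARD_PRODUCE = _group({"resourceType": "TOPIC", "name": "*", "patternType": "LITERAL",
                           "permissions": ["topicProduce"]})
WILDCARD_DELETE = _group({"resourceType": "TOPIC", "name": "*", "patternType": "LITERAL",
                          "permissions": ["topicDelete"]})
# Read-only wildcard on topics is fine; wildcard connector create is not.
MIXED = _group(
    {"resourceType": "TOPIC", "name": "*", "patternType": "LITERAL",
     "permissions": ["topicConsume"]},
    {"resourceType": "CONNECTOR", "name": "*", "patternType": "LITERAL",
     "permissions": ["kafkaConnectCreate"]},
)

if __name__ == "__main__":
    for label, group in [("read-only wildcard", READ_ONLY_WILDCARD),
                         ("prefixed produce", PREFIXED_PRODUCE),
                         ("wildcard produce", WILDCARD_PRODUCE),
                         ("wildcard delete", WILDCARD_DELETE),
                         ("mixed", MIXED)]:
        problems = wildcard_write_violations(group)
        print(f"{label}: {'PASS' if not problems else 'FAIL'}")
        for msg in problems:
            print("  " + msg)
```

The check reports every offending entry rather than stopping at the first, which is what you want in a pre-commit run over a manifest with several permissions; passing a different frozenset as `forbidden` corresponds to overriding the policy's forbidden_with_wildcard parameter.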
