ApplicationGroup Cannot Grant Wildcard Write Permissions
Reject ApplicationGroup permissions that combine name="*" with write/create/delete on topics or connectors.
Rationale
Wildcard write to all topics in an environment is a "delete the company" privilege. Read access on `*` is sometimes legitimate (support, observability); write/produce on `*` almost never is. Complements the starter `no-wildcard-acl-prod` by extending the check from ACLs to UI-granted permissions.
Pattern
permissions[].name=="*" → no topicProduce / topicCreate / topicDelete / kafkaConnectorCreate / kafkaConnectorUpdate / kafkaConnectorDelete
Examples
name="*", permissions=[topicViewConfig, topicConsume] (read-only)
name="payments.", patternType=PREFIXED, permissions=[topicProduce]
name="*", permissions=[topicProduce]
name="*", permissions=[topicDelete]
Parameters
| Name | Default | Description |
|---|---|---|
forbidden_with_wildcard |
["topicProduce","topicCreate","topicDelete","kafkaConnectorCreate","kafkaConnectorUpdate","kafkaConnectorDelete"] |
Role IDs that may not combine with name="*". Names match the built-in RoleIds from console-plus BuiltinRole.scala (note: Connector RoleIds are kafkaConnector* with the trailing "or", not kafkaConnect*). |
Implementation
Drop this YAML into Conduktor Console as a ResourcePolicy, then link it from an ApplicationInstance, Application, or KafkaCluster.
Conduktor ResourcePolicy
# Conduktor self-service ResourcePolicy # ApplicationGroup policies must be linked at Application or KafkaCluster level — # not at ApplicationInstance (excluded by allowedApplicationInstancePolicies). # RoleId names verified against console-plus BuiltinRole.scala: # topicProduce, topicCreate, topicDelete → builtin Topic write roles # kafkaConnectorCreate, kafkaConnectorUpdate, kafkaConnectorDelete # → builtin Connector mutate roles (NOTE: "kafkaConnector*" with trailing # "or", NOT "kafkaConnect*" which does not exist as a RoleId) --- apiVersion: self-serve/v1 kind: ResourcePolicy metadata: name: applicationgroup-no-wildcard-write spec: targetKind: ApplicationGroup description: wildcard (name="*") permissions cannot include write/create/delete on topics or connectors rules: - condition: 'spec.permissions.all(p, p.name != "*" || !p.permissions.exists(perm, perm in ["topicProduce", "topicCreate", "topicDelete", "kafkaConnectorCreate", "kafkaConnectorUpdate", "kafkaConnectorDelete"]))' errorMessage: "wildcard (name=\"*\") permissions cannot include write/create/delete on topics or connectors — scope by prefix instead"
Related policies
Try Conduktor Console
Enforce policies like this across your team — central audit history, pre-commit guardrails, ApplicationInstance bindings. 5-min Docker install.
Get Started →