Thanks again for the input! chia_01: Sure, we can add a debug message on the server side when response is empty and using v2 with only DESCRIBE_CONFIGS on CLUSTER and DESCRIBE on CLUSTER not set. Additionally, I think it would be helpful to add a warning message in ConfigCommand when the LIST_CONFIG_RESOURCE API response is empty, to let users know they may need to update their ACL.
On 2026/04/05 08:55:06 Chia-Ping Tsai wrote: > chia_01: Regarding the migration plan, I have a concern about potential user > confusion. Since clients using v2 with only DESCRIBE_CONFIGS will receive an > empty response rather than an authorization error, this silent failure might > be very hard to debug. Should we consider logging a warning message in this > specific scenario to help users identify the missing DESCRIBE ACL? > > On 2026/04/05 03:48:16 Kuan-Po Tseng wrote: > > Thanks for the feedback, Chia-Ping! > > > > chia_00: That's a fair point. I'm a bit hesitant to handle DESCRIBE_CONFIGS > > in handleTopicMetadataRequest and handleListGroupsRequest, > > since those APIs return more than just names. Exposing topic/group names > > based on a config-oriented permission feels semantically misaligned, > > and I'm not sure it adds much value. > > Another approach worth considering: we could bump the API version of > > LIST_CONFIG_RESOURCES and switch to DESCRIBE instead of > > DESCRIBE_CONFIGS, aligning it with other resource-related APIs. > > > > I’ll update the KIP later, and would love to hear others' thoughts on this! > > > > On Sun, Apr 5, 2026 at 12:52 AM Chia-Ping Tsai <[email protected]> wrote: > > > > > chia_00: For the sake of consistency, if we permit DESCRIBE_CONFIGS to > > > expose topic and group names in LIST_CONFIG_RESOURCES, should we also > > > align > > > handleTopicMetadataRequest and handleListGroupsRequest? Currently, they > > > strictly require DESCRIBE. > > > > > > On 2026/04/04 16:40:08 Kuan-Po Tseng wrote: > > > > Hello everyone, > > > > > > > > I would like to start a discussion thread on KIP-1298 which fixes an > > > > authorization inconsistency in LIST_CONFIG_RESOURCES. Today the RPC > > > > requires DESCRIBE_CONFIGS on CLUSTER for all resource types, which is > > > > stricter than comparable RPCs like LIST_GROUPS and METADATA. The > > > practical > > > > impact is that `kafka-configs.sh --describe --entity-type groups` > > > silently > > > > returns incomplete results for users holding DESCRIBE but not > > > > DESCRIBE_CONFIGS on CLUSTER. > > > > > > > > More details, please check > > > > https://cwiki.apache.org/confluence/x/ZJI8G > > > > > > > > Thanks, > > > > Kuan-Po Tseng > > > > > > > > > >
