Could you please correct Kip 1298 , we already have same no , I created few weeks back.
Regards, Viquar Kha On Sun, Apr 5, 2026, 10:34 PM Kuan Po Tseng <[email protected]> wrote: > Thanks again for the input! > > chia_01: Sure, we can add a debug message on the server side when response > is empty and using v2 with only DESCRIBE_CONFIGS on CLUSTER and DESCRIBE on > CLUSTER not set. Additionally, I think it would be helpful to add a warning > message in ConfigCommand when the LIST_CONFIG_RESOURCE API response is > empty, to let users know they may need to update their ACL. > > On 2026/04/05 08:55:06 Chia-Ping Tsai wrote: > > chia_01: Regarding the migration plan, I have a concern about potential > user confusion. Since clients using v2 with only DESCRIBE_CONFIGS will > receive an empty response rather than an authorization error, this silent > failure might be very hard to debug. Should we consider logging a warning > message in this specific scenario to help users identify the missing > DESCRIBE ACL? > > > > On 2026/04/05 03:48:16 Kuan-Po Tseng wrote: > > > Thanks for the feedback, Chia-Ping! > > > > > > chia_00: That's a fair point. I'm a bit hesitant to handle > DESCRIBE_CONFIGS > > > in handleTopicMetadataRequest and handleListGroupsRequest, > > > since those APIs return more than just names. Exposing topic/group > names > > > based on a config-oriented permission feels semantically misaligned, > > > and I'm not sure it adds much value. > > > Another approach worth considering: we could bump the API version of > > > LIST_CONFIG_RESOURCES and switch to DESCRIBE instead of > > > DESCRIBE_CONFIGS, aligning it with other resource-related APIs. > > > > > > I’ll update the KIP later, and would love to hear others' thoughts on > this! > > > > > > On Sun, Apr 5, 2026 at 12:52 AM Chia-Ping Tsai <[email protected]> > wrote: > > > > > > > chia_00: For the sake of consistency, if we permit DESCRIBE_CONFIGS > to > > > > expose topic and group names in LIST_CONFIG_RESOURCES, should we > also align > > > > handleTopicMetadataRequest and handleListGroupsRequest? Currently, > they > > > > strictly require DESCRIBE. > > > > > > > > On 2026/04/04 16:40:08 Kuan-Po Tseng wrote: > > > > > Hello everyone, > > > > > > > > > > I would like to start a discussion thread on KIP-1298 which fixes > an > > > > > authorization inconsistency in LIST_CONFIG_RESOURCES. Today the RPC > > > > > requires DESCRIBE_CONFIGS on CLUSTER for all resource types, which > is > > > > > stricter than comparable RPCs like LIST_GROUPS and METADATA. The > > > > practical > > > > > impact is that `kafka-configs.sh --describe --entity-type groups` > > > > silently > > > > > returns incomplete results for users holding DESCRIBE but not > > > > > DESCRIBE_CONFIGS on CLUSTER. > > > > > > > > > > More details, please check > > > > > https://cwiki.apache.org/confluence/x/ZJI8G > > > > > > > > > > Thanks, > > > > > Kuan-Po Tseng > > > > > > > > > > > > > > >
