I think Kafka's behavior should be driven by what users want. My only
indication to what they may want is what we were forced to fix in similar
cases. This is why I am advocating this behavior.

I agree that this is a minor point that should not be blocking the vote. I
already gave my non-binding +1 and that's the best I can do to drive this
forward.

If this vote passes without the behavior I believe is the right one, I will
create a follow-up JIRA. However, since we are still in a discussion and
since both options are trivial to implement - why exactly are you objecting
to Kafka behaving more like a DB in this scenario?

Gwen



On Thu, Apr 30, 2015 at 5:54 PM, Suresh Srinivas <sur...@hortonworks.com> wrote:

> It is a strange choice to return "does not exist" when the condition is
> actually "not authorized". I have a hard time understanding why that is
> better for security. Perhaps in the DB world this is expected and changes may
> be necessary to comply with such behavior. But that should not guide what
> we do in Kafka.
>
> This is a voting thread for an important feature. Security is the number
> one feature that our users are asking for. Can't minor things like this be
> done in follow-up JIRAs? Should the focus be brought back to voting?
>
> Btw since I am new to the Kafka community, is there a period when a voting
> thread needs to wrap up by? Other projects generally follow 3 or 7 days.
>
> Regards,
> Suresh
>
> Sent from phone
>
> _____________________________
> From: Gwen Shapira <gshap...@cloudera.com>
> Sent: Thursday, April 30, 2015 5:32 PM
> Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> To: <dev@kafka.apache.org>
>
>
> On Thu, Apr 30, 2015 at 4:39 PM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
>
> > Hi Joe,
> >
> > Let me clarify on authZException. The caller gets a 403 regardless of
> > existence of the topic, even if the topic does not exist you always get
> > 403. This will fall under the case where we do not find any acls for a
> > resource and as per our last decision by default we are going to deny this
> > request.
> >
>
> The reason I'm digging into this is that in Hive we had to fix existing
> behavior after financial customers objected loudly to getting "insufficient
> privileges" when a real database would return "table does not exist".
>
> I completely agree that having to handle two separate error conditions
> ("TopicNotExist" if user doesn't have READ, unless user has CREATE in which
> case he can see all topics and can get "Unauthorized") adds complexity and
> will not be fun to debug. However, when implementing security, a lot of the
> stuff we do is around making customers pass security audits, and I suspect
> that "can't know that tables even exist" test is a thing.
>
> We share pretty much the same financial customers and they seem to have the
> same concerns. Perhaps you can double check if you also have this
> requirement?
>
> (and again, sorry for not seeing this earlier and holding up the vote on
> what seems like a minor point. I just don't want to punt for later
> something when we already have an idea of what customers expect)
>
> Gwen
>
>
>
>
> >
> > The configurations are listed explicitly here
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizatiInterface-Changestoexistingclasses
> > under KafkaConfig. We may add an optional config to allow the authorizer to read an
> > arbitrary property file incrementally but that does not need to be part
> > of this same KIP.
> >
> > The statement "If we can't audit the access then what good is controlling
> > the access?" seems extreme because we still get to control the access,
> > which IMHO is a huge win. The default authorizer implementation right now
> > logs every allowed/denied access (see here
> > https://github.com/Parth-Brahmbhatt/kafka/blob/KAFKA-1688-impl/core/src/main/scala/kafka/security/auth/SimpleAclAthorizer.scala)
> > in debug mode. Anybody who needs auditing could create a log4j appender to allow debug
> > access to this class and send the log output to some audit file.
> >
> > Auditing is still a separate piece, we could either add an auditor
> > interface that wraps authorizer or the other way around so authorizer and
> > auditor can be two separate implementations. I would love to start a new
> > KIP and jira to discuss approaches in more detail but I don't see the
> > need to hold up Authorization work for the same.
> >
> > I don't agree with the "this design seems too specific" given we already
> > have 3 implementations (default, ranger, sentry) that can be supported with
> > the current design.
> >
> > The authorization happens as part of handle and it is the first action,
> > see here
> > https://github.com/Parth-Brahmbhatt/kafka/blob/KAFKA-1688-impl/core/src/main/scala/kafka/server/KafkaApis.scala#L103
> > for one example.
> >
> > Thanks
> > Parth
> >
> >
> >
> > On 4/30/15, 4:24 PM, "Suresh Srinivas" <sur...@hortonworks.com> wrote:
> >
> > > Joe, thanks for the clarification.
> > >
> > > Regarding audits, sorry I might be misunderstanding your email.
> > > Currently, if Kafka does not support audits, I think audits should be
> > > considered as a separate effort. Here are the reasons:
> > > - Audit, whether authorization is available or not, should record
> > > operations to determine what is happening in the system. It should record
> > > all the operations such as create, delete, consumption of topics along
> > > with user information. It should work whether authorization is enabled or
> > > not. In Hadoop long before we added real authorization, we had audit logs.
> > > - Authorization will bring an additional element of who was denied. As
> > > part of audit effort, it is important to add along with what operations
> > > succeeded (and for whom), what operations were denied.
> > > ________________________________________
> > > From: Joe Stein <joe.st...@stealth.ly>
> > > Sent: Thursday, April 30, 2015 4:12 PM
> > > To: dev@kafka.apache.org
> > > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> > >
> > > I kind of thought of the authorization module as something that happens in
> > > handle(request: RequestChannel.Request) in the request.requestId match
> > >
> > > If the request doesn't do what it is allowed to it should stop right
> > > there. That "what it is allowed to do" is a true/false callback to the
> > > class loaded with 1 function to accept the data and some more about what it
> > > is about (that we have access to).
> > >
> > > I think all of the other features are awesome but you can build them on top
> > > of this and then others can do the same.
> > >
> > > I am more hooked on the authorization module being a watch dog above
> > > handle() than I am on the plug-in implementation options (less is more
> > > imho).
> > >
> > > If we do this approach the audit fits in nice because we are seeing more
> > > what happens in one place and decision made for access right there.
> > >
> > > ~ Joe Stein
> > > - - - - - - - - - - - - - - - - -
> > >
> > >   http://www.stealth.ly
> > > - - - - - - - - - - - - - - - - -
> > >
> > > On Thu, Apr 30, 2015 at 6:59 PM, Suresh Srinivas <sur...@hortonworks.com> wrote:
> > >
> > > > Joe,
> > > >
> > > > Can you add more details on what generalization looks like? Also is this a
> > > > design issue or code issue?
> > > >
> > > > One more question. Does Kafka have audit capabilities today for topic
> > > > creation, deletion, access etc.?
> > > >
> > > > Regards,
> > > > Suresh
> > > >
> > > > Sent from phone
> > > >
> > > > _____________________________
> > > > From: Joe Stein <joe.st...@stealth.ly>
> > > > Sent: Thursday, April 30, 2015 3:27 PM
> > > > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> > > > To: <dev@kafka.apache.org>
> > >>
> > >>
> > > > Ok, I read through it all again a few times. I get the provider broker
> > > > piece now.
> > > >
> > > > The configurations are still confusing if there are 2 or 3 and they should
> > > > be called out more specifically than as a change to a class. Configs are a
> > > > public interface, we should be a bit more explicit.
> > > >
> > > > Was there any discussion about any auditing component? How would anyone
> > > > know if the authorization plugin was running for when or what it was doing?
> > > >
> > > > If we can't audit the access then what good is controlling the access?
> > > >
> > > > I still don't see where all the command line configuration options come in.
> > > > There are a lot of things to do with it but not sure how to use it yet.
> > > >
> > > > This plug-in still feels like a very specific case and we should try to
> > > > generalize it down some more to make it more straightforward for folks.
> > > >
> > > > ~ Joe Stein
> > > >
> > > > On Thu, Apr 30, 2015 at 3:51 PM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
> > >>
> > > > > During the discussion Jun pointed out that mirror maker, which right now
> > > > > does not copy any zookeeper config overrides, will now replicate topics
> > > > > but will not replicate any acls. Given the authorizer interface exposes
> > > > > the acl management apis, list/get/add/remove, we proposed that mirror
> > > > > maker can just instantiate an instance of authorizer and call these apis
> > > > > directly to get acls for a topic and add it to the destination cluster if
> > > > > we want to add acls to be replicated as part of mirror maker.
> > > > >
> > > > > Thanks
> > > > > Parth
> > > > >
> > > > > On 4/30/15, 12:43 PM, "Joe Stein" <joe.st...@stealth.ly> wrote:
> > >> >
> > > > > > Parth,
> > > > > >
> > > > > > Can you explain how "Mirror maker will have to start using new acl
> > > > > > management tool" and it not affect any other client. If you aren't
> > > > > > changing the wire protocol then how do clients use it?
> > > > > >
> > > > > > ~ Joe Stein
> > > > > >
> > > > > >
> > > > > > On Thu, Apr 30, 2015 at 3:15 PM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
> > >> > >
> > > > > > > Hi Joe,
> > > > > > >
> > > > > > > Regarding open question: I changed the title to "Questions resolved
> > > > > > > after community discussions" let me know if you have a better name. I have a
> > > > > > > question and a bullet point under each question describing the final
> > > > > > > decision. Not sure how can I make it any cleaner so appreciate any
> > > > > > > suggestion.
> > > > > > >
> > > > > > > Regarding system tests: I went through a bunch of KIPs none of which
> > > > > > > mentions what test cases will be added. Do you want to add a "How do you
> > > > > > > plan to test" section in the general KIP template or you think this is
> > > > > > > just a special case where the test cases should be listed and discussed as
> > > > > > > part of KIP? I am not sure if KIP really is the right forum for this
> > > > > > > discussion. This can easily be addressed during code review if people
> > > > > > > think we don't have enough test coverage.
> > > > > > >
> > > > > > > I am still not sure which part is not clear. The scala exception is added
> > > > > > > for internal server side representation. In the end all of our responses
> > > > > > > always return just an error code for which we will add an
> > > > > > > AuthorizationErrorCode mapped to AuthorizationException. The error code
> > > > > > > itself will not reveal any information other than the fact that you are not
> > > > > > > authorized to perform an operation on a resource and you will get this
> > > > > > > error code even for non existent topics if no acls exist for those topics.
> > > > > > >
> > > > > > > I can add a diagram if that makes things more clear, I am not convinced
> > > > > > > it's needed given we have come so far without it. Essentially there are 3
> > > > > > > steps
> > > > > > >         * users use the acl cli to add acls to their topics/groups/cluster
> > > > > > >         * brokers start with a broker config that specifies what authorizer
> > > > > > > implementation to use.
> > > > > > >         * every api request first goes through the authorizer and fails if
> > > > > > > authorizer denies it. (authorizer implementation described in the doc with
> > > > > > > pseudo code)
> > > > > > >
> > > > > > > Note: Authentication/Wire Encryption is a separate piece and is being
> > > > > > > discussed actively in another KIP if that is the detail you are looking
> > > > > > > for.
> > > > > > >
> > > > > > > I think the description under this section
> > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizationInterface-DataFlows
> > > > > > > captures the internal details.
> > > > > > >
> > > > > > > Thanks
> > > > > > > Parth
> > > > > > >
> > > > > > > On 4/30/15, 11:24 AM, "Joe Stein" <joe.st...@stealth.ly> wrote:
> > >> > >>
> > > > > > > > Gwen << regarding additional authorizers
> > > > > > > >
> > > > > > > > I think having these in the system tests duals as both good confidence in
> > > > > > > > language independency of the changes. It also makes sure that when we
> > > > > > > > release that we don't go breaking Sentry or Ranger or anyone else that
> > > > > > > > wants to integrate.
> > > > > > > >
> > > > > > > > Gwen << Regarding "AuthorizationException"
> > > > > > > >
> > > > > > > > Yeah so I have two issues. The one you raised yes, 100%. Also I don't
> > > > > > > > understand how that is not a broker wire protocol response and only a JVM
> > > > > > > > exception.
> > > > > > > >
> > > > > > > > Jun << Could you elaborate on why we should not store JSON in ZK? So far,
> > > > > > > > all existing ZK data are in JSON.
> > > > > > > >
> > > > > > > > If I have 1,000,000 users in LDAP and 150 get access to Kafka topics
> > > > > > > > through this mechanism then I have to go and parse and push all of my
> > > > > > > > changes into zookeeper for it to take effect?
> > > > > > > >
> > > > > > > > If someone wanted to implement SAML I don't think this would work. Not sure
> > > > > > > > how it would work with NiFi either (something around here I think maybe
> > > > > > > > https://git-wip-us.apache.org/repos/asf?p=incubator-nifi.git;a=blob;f=nar-bundles/framework-bundle/framework/web/web-security/src/main/java/org/apache/nifi/web/security/authorization/NiFiAuthorizationService.java;hb=e67eb4f5).
> > > > > > > >
> > > > > > > > Parth << All the open issues already have a resolution , I can open a jira
> > > > > > > > for each one and add the resolution to it and resolve them immediately if
> > > > > > > > you want this for tracking purposes.
> > > > > > > >
> > > > > > > > Are those inline to the question with the <li> <li> I didn't quite get that
> > > > > > > > section at all. If the open questions are answered then they aren't open
> > > > > > > > can you tidy that up then.
> > > > > > > >
> > > > > > > > Parth << We will update system tests to verify that the code works. We
> > > > > > > > have thorough unit tests for all the new code except for modifications made
> > > > > > > > to KafkaAPI as that has way too many dependencies to be mocked which I
> > > > > > > > guess is the reason for no existing unit tests.
> > > > > > > >
> > > > > > > > Can you update the KIP with some more detail about that please.
> > > > > > > >
> > > > > > > > Parth << I don't know if I completely understand the concern. We have
> > > > > > > > talked with Ranger team (Don Bosco Durai) so we at least have one custom
> > > > > > > > authorizer implementation that has approved this design and they will be
> > > > > > > > able to inject their authorization framework with current interfaces. Do
> > > > > > > > you see any issue with the design which will prevent anyone from providing
> > > > > > > > a custom implementation?
> > > > > > > >
> > > > > > > > Maybe a diagram for all of the different parts interacting. I still don't
> > > > > > > > get why there are no wire protocol changes and just change in the JVM. What
> > > > > > > > do non-jvm clients do and how do they work with Kafka. Very confusing,
> > > > > > > > almost obfuscating.
> > > > > > > >
> > > > > > > > ~ Joe Stein
> > > > > > > >
> > > > > > > >
> > > > > > > > On Thu, Apr 30, 2015 at 1:14 PM, Gwen Shapira <gshap...@cloudera.com> wrote:
> > >> > >> >
> > > > > > > > > * Regarding additional authorizers:
> > > > > > > > > Prasad, who is a PMC on Apache Sentry reviewed the design and confirmed
> > > > > > > > > Sentry can integrate with the current APIs. Dapeng Sun, a committer on
> > > > > > > > > Sentry had some concerns about the IP privileges and how we prioritize
> > > > > > > > > privileges - but nothing that prevents Sentry from integrating with the
> > > > > > > > > existing solution, from what I could see. It seems to me that the design is
> > > > > > > > > very generic and adapters can be written for other authorization systems
> > > > > > > > > (after all, you just need to implement setACL, getACL and Authorize - all
> > > > > > > > > pretty basic), although I can't speak for Oracle's Identity Manager
> > > > > > > > > specifically.
> > > > > > > > >
> > > > > > > > > * Regarding "AuthorizationException to indicate that an operation was not
> > > > > > > > > authorized": Sorry I missed this in previous reviews, but now that I look
> > > > > > > > > at it - Many systems intentionally don't return AuthorizationException when
> > > > > > > > > READ privilege is missing, since this already gives too much information
> > > > > > > > > (that the topic exists and that you don't have privileges on it). Instead
> > > > > > > > > they return a variant of "doesn't exist". I'm wondering if this approach is
> > > > > > > > > applicable / desirable for Kafka as well.
> > > > > > > > > Note that this doesn't remove the need for AuthorizationException - I'm
> > > > > > > > > just suggesting a possible refinement on its use.
> > > > > > > > >
> > > > > > > > > Gwen
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Thu, Apr 30, 2015 at 9:52 AM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
> > >> > >> >>
> > > > > > > > > > Hi Joe, Thanks for taking the time to review.
> > > > > > > > > >
> > > > > > > > > > * All the open issues already have a resolution , I can open a jira for
> > > > > > > > > > each one and add the resolution to it and resolve them immediately if you
> > > > > > > > > > want this for tracking purposes.
> > > > > > > > > > * We will update system tests to verify that the code works. We have
> > > > > > > > > > thorough unit tests for all the new code except for modifications made to
> > > > > > > > > > KafkaAPI as that has way too many dependencies to be mocked which I guess
> > > > > > > > > > is the reason for no existing unit tests.
> > > > > > > > > > * I don't know if I completely understand the concern. We have talked with
> > > > > > > > > > Ranger team (Don Bosco Durai) so we at least have one custom authorizer
> > > > > > > > > > implementation that has approved this design and they will be able to
> > > > > > > > > > inject their authorization framework with current interfaces. Do you see
> > > > > > > > > > any issue with the design which will prevent anyone from providing a
> > > > > > > > > > custom implementation?
> > > > > > > > > > * Did not understand the concern around wire protocol, we are adding
> > > > > > > > > > AuthorizationException to indicate that an operation was not authorized.
> > > > > > > > > >
> > > > > > > > > > Thanks
> > > > > > > > > > Parth
> > > > > > > > > >
> > > > > > > > > > On 4/30/15, 5:59 AM, "Jun Rao" <j...@confluent.io> wrote:
> > >> > >> >> >
> > > > > > > > > > > Joe,
> > > > > > > > > > >
> > > > > > > > > > > Could you elaborate on why we should not store JSON in ZK? So far, all
> > > > > > > > > > > existing ZK data are in JSON.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Jun
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Apr 30, 2015 at 2:06 AM, Joe Stein <joe.st...@stealth.ly> wrote:
> > >> > >> >> > >
> > > > > > > > > > > > Hi, sorry I am coming in late to chime back in on this thread and haven't
> > > > > > > > > > > > been able to make the KIP hangouts the last few weeks. Sorry if any of this
> > > > > > > > > > > > was brought up already or I missed it.
> > > > > > > > > > > >
> > > > > > > > > > > > I read through the KIP and the thread(s) and a couple of things jumped
> > > > > > > > > > > > out.
> > > > > > > > > > > >
> > > > > > > > > > > >    - Can we break out the open issues in JIRA (maybe during the hangout)
> > > > > > > > > > > >    that are in the KIP and resolve/flesh those out more?
> > > > > > > > > > > >
> > > > > > > > > > > >    - I don't see any updates with the systems test or how we can know the
> > > > > > > > > > > >    code works.
> > > > > > > > > > > >
> > > > > > > > > > > >    - We need some implementation/example/sample that we know can work in
> > > > > > > > > > > >    all different existing entitlement servers and not just ones that run in
> > > > > > > > > > > >    types of data centers too. I am not saying we should support everything but
> > > > > > > > > > > >    if someone had to implement
> > > > > > > > > > > >    https://docs.oracle.com/cd/E19225-01/820-6551/bzafm/index.html with
> > > > > > > > > > > >    Kafka it has to work for them out of the box.
> > > > > > > > > > > >
> > > > > > > > > > > >    - We should shy away from storing JSON in Zookeeper. Let's store bytes in
> > > > > > > > > > > >    Storage.
> > > > > > > > > > > >
> > > > > > > > > > > >    - We should spend some time thinking through exceptions in the wire
> > > > > > > > > > > >    protocol maybe as part of this so it can keep moving forward.
> > > > > > > > > > > >
> > > > > > > > > > > > ~ Joe Stein
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Apr 28, 2015 at 3:33 AM, Sun, Dapeng <dapeng....@intel.com> wrote:
> > >> > >> >> > >>
> > > > > > > > > > > > > Thank you for your reply, Gwen.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 1. Complex rule systems can be difficult to reason about and therefore
> > > > > > > > > > > > > > end up being less secure. The rule "Deny always wins" is very easy to
> > > > > > > > > > > > > > grasp.
> > > > > > > > > > > > > Yes, I'm agreed with your point: we should not make the rule complex.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > 2. We currently don't have any mechanism for specifying IP ranges (or host
> > > > > > > > > > > > > > ranges) at all. I think it's a pretty significant deficiency, but it does
> > > > > > > > > > > > > > mean that we don't need to worry about the issue of blocking a large range
> > > > > > > > > > > > > > while unblocking few servers in the range.
> > > > > > > > > > > > > Support ranges sounds reasonable. If this feature will be in development
> > > > > > > > > > > > > plan, I also don't think we can put "the best matching acl" and "Support
> > > > > > > > > > > > > ip ranges" together.
> > > > > > > > > > > > >
> > > > > > > > > > > > > > We have a call tomorrow (Tuesday, April 28) at 3pm PST - to discuss this
> > > > > > > > > > > > > > and other outstanding design issues (not all related to security). If you
> > > > > > > > > > > > > > are interested in joining - let me know and I'll forward you the invite.
> > > > > > > > > > > > > Thank you, Gwen. I have the invite and I should be at home at that time.
> > > > > > > > > > > > > But due to network issue, I may not be able to join the meeting smoothly.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Regards
> > > > > > > > > > > > > Dapeng
> > > > > > > > > > > > >
> > > > > > > > > > > > > -----Original Message-----
> > > > > > > > > > > > > From: Gwen Shapira [mailto:gshap...@cloudera.com]
> > > > > > > > > > > > > Sent: Tuesday, April 28, 2015 1:31 PM
> > > > > > > > > > > > > To: dev@kafka.apache.org
> > > > > > > > > > > > > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> > > > > > > > > > > > >
> > > > > > > > > > > > > While I see the advantage of being able to say something like: "deny user
> > > > > > > > > > > > > X from hosts h1...h200" also "allow user X from host h19", there are two
> > > > > > > > > > > > > issues here:
> > > > > > > > > > > > >
> > > > > > > > > > > > > 1. Complex rule systems can be difficult to reason about and therefore end
> > > > > > > > > > > > > up being less secure. The rule "Deny always wins" is very easy to grasp.
> > > > > > > > > > > > >
> > > > > > > > > > > > > 2. We currently don't have any mechanism for specifying IP ranges (or host
> > > > > > > > > > > > > ranges) at all. I think it's a pretty significant deficiency, but it does
> > > > > > > > > > > > > mean that we don't need to worry about the issue of blocking a large range
> > > > > > > > > > > > > while unblocking few servers in the range.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Gwen
> > > > > > > > > > > > >
> > > > > > > > > > > > > P.S
> > > > > > > > > > > > > We have a call tomorrow (Tuesday, April 28) at 3pm PST - to discuss this
> > > > > > > > > > > > > and other outstanding design issues (not all related to security). If you
> > > > > > > > > > > > > are interested in joining - let me know and I'll forward you the invite.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Gwen
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Mon, Apr 27, 2015 at 10:15 PM, Sun, Dapeng <dapeng....@intel.com> wrote:
> > >> > >> >> > >> >
> > > > > > > > > > > > > > Attach the image.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Regards
> > > > > > > > > > > > > > Dapeng
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > From: Sun, Dapeng [mailto:dapeng....@intel.com]
> > > > > > > > > > > > > > Sent: Tuesday, April 28, 2015 11:44 AM
> > > > > > > > > > > > > > To: dev@kafka.apache.org
> > > > > > > > > > > > > > Subject: RE: [VOTE] KIP-11- Authorization design for kafka security
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thank you for your rapid reply, Parth.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > * I think the wiki already describes the precedence order as Deny taking
> > > > > > > > > > > > > > > precedence over allow when conflicting acls are found
> > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizationInterface-PermissionType
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Got it, thank you.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > * In the first version that I am currently writing there is no group
> > > > > > > > > > > > > > > support. Even when we add it I don't see the need to add a precedence
> > > > > > > > > > > > > > > for evaluation. it does not matter which principal matches as long as
> > > > > > > > > > > > > > > we have a match.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > About this part, I think we should choose the best matching acl for
> > > > > > > > > > > > > > authorization, no matter we support group or not.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > For the case
> > > > > > > > > > > > > > https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > if 2 Acls are defined, one that denies an operation from all hosts and
> > > > > > > > > > > > > > one that allows the operation from host1, the operation from host1
> > > > > > > > > > > > > > will be denied or allowed?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > According to wiki "Deny will take precedence over Allow in competing
> > > > > > > > > > > > > > acls.", it seems acl_1 will win the competition, but customers'
> > > > > > > > > > > > > > intention may be "allow".
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > I think "deny always take precedence over Allow" is okay, but "host1
> > > > > > > > > > > > > > -> user1"  >  "host1 "  >  "default" may make sense.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > * Acl storage is indexed by resource right now because that is the
> > > > > > > > > > > > > > > primary lookup id for all authorize operations. Given acls are cached
> > > > > > > > > > > > > > > I don't see the need to optimized the storage layer any further for
> > > > > > > > > > > > > > > lookup.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > * The reason why we have acl with multi everything is to reduce
> > > > > > > > > > > > > > > redundancy in acl storage. I am not sure how will we be able to reduce
> > > > > > > > > > > > > > > redundancy if we divide it by using one principal, one host, one
> > > > > > > > > > > > > > > operation.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Yes, I'm also agreed with "Acl storage should be indexed by resource".
> > > > > > > > > > > > > > Under resource index, it may be better to add index such as hosts and
> > > > > > > > > > > > > > principals. One option may be one principal, one host, one operation.
> > > > > > > > > > > > > > Just give you these scenarios for considering.
> > > > > > > > > > > > > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > For the case defined in wiki:>> > >> > >
> > >> > >> >> > >> > > Acl_1 -> {"user:bob", "user:*"} is allowed to READ
> from
> > >> all
> > >> > >> >>hosts.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > Acl_2 -> {"user:bob"} is denied to READ from host1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > Acl_3 -> {"user:alice", "group:kafka-devs"} is
> allowed
> > >>to
> > >> > >>READ
> > >> > >> >>and
> > >> > >> >> > >> > > WRITE from {host1, hos2}.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > For acl_3, if we want to remove alice's WRITE from
> > >> > >> >>{host1,host2}
> > >> > >> >> and
> > >> > > >> > >> > > remove alice's READ from host1, user may have
> following
> > >> > >>ways to
> > >> > >> >> > >> achieve:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > 1.Remove the parts of acl_3 directly, I think if we
> > >>make
> > >> it
> > >> > >> >> divided
> > >> > >> >> > >> > > and hierarchical, this kind of operatons could be
> done
> > >> > >> >>directly
> > >> > >> >> in
> > >> > >> >> > >> > backend.
> > >> > >> >> > >> > >>> > >> >> > >> > > 2.Remove acl_3, and add new acl
> > {"group:kafka-devs"} is
> > >> > >> >>allowed to
> > >> > >> >> > >> > > READ and WRITE from {host1, host2} and {"user:alice"
> }
> > >>s
> > >> > >> >>allowed
> > >> > >> >> to
> > >> > >> >> > >> > > READ from {host2}
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > 3.Add two denied acls,{ user:alice} is denied to
> WRITE
> > >> from
> > >> > >> >> > >> > > {host1,host2} and { user:alice} is denied to READ
> from
> > >> > >>{host1}
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > All these can achieve this kind of operations, but I
> > >> think 1
> > >> > >> >>could
> > >> > >> >> > >> > > more directly for user operations. If you think this
> > >> > >> >>optimization
> > >> > >> >> is
> > >> > >> >> > >> > > not urgent, I'm also agreed.
> > >> > >> >> > >> > >
> > >> > >> >>  >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > Regards
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > Dapeng
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > > -----Original Message-----
> > > From: Parth Brahmbhatt [mailto:pbrahmbh...@hortonworks.com]
> > > Sent: Tuesday, April 28, 2015 12:18 AM
> > > To: dev@kafka.apache.org
> > > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> > >
> > > Hi Sun, thanks for the comments, my answers are below:
> > >
> > > * I think the wiki already describes the precedence order as Deny
> > > taking precedence over allow when conflicting acls are found
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizationInterface-PermissionType
> > >
> > > * In the first version that I am currently writing there is no group
> > > support. Even when we add it I don't see the need to add a precedence
> > > for evaluation. It does not matter which principal matches as long as
> > > we have a match.
> > >
> > > * Acl storage is indexed by resource right now because that is the
> > > primary lookup id for all authorize operations. Given acls are cached
> > > I don't see the need to optimize the storage layer any further for
> > > lookup.
> > >
> > > * The reason why we have acl with multi everything is to reduce
> > > redundancy in acl storage. I am not sure how we will be able to reduce
> > > redundancy if we divide it by using one principal, one host, one
> > > operation.
> > >
> > > Thanks
> > >
> > > Parth
> > >
> > > On 4/26/15, 8:06 PM, "Sun, Dapeng" <dapeng....@intel.com> wrote:
> > >
> > > >Hi Parth
> > > >
> > > >The design looks good, a few minor comments below. Since I just
> > > >started looking into the discussion and many previous discussions I
> > > >may have missed, I'm sorry if these comments have been discussed.
> > > >
> > > >1. About SimpleAclAuthorizer (SimpleAuthorizer):
> > > >a. As my understanding, I think there should only be one type of
> > > >privilege (allow/deny) of a topic on a principal, or we make it
> > > >deny > allow.
> > > >For example, acl_1 "host1 -> group1 -> user1 -> read -> allow" and
> > > >acl_2 "host1 -> group1 -> user1 -> read -> deny", if the two acls are
> > > >for the same topic, it may be hard to understand. Do you think it's
> > > >necessary to add some details about this to the wiki?
> > > >b. And when we do authorize a user on a topic, we may need to check
> > > >the user's user level acl first, then check the user's group level
> > > >acl, finally we check the host level and default level acl. Do you
> > > >think it's necessary we add some contents like these to the wiki?
> > > >For example, "host1 -> group1 -> user1" > "host1 -> group1" > "host1"
> > > >
> > > >2. About SimpleAclAuthorizer (Acl Json will be stored in zookeeper)
> > > >a. It may be better to make acl json stored hierarchically. It may be
> > > >easy to search and do authorize. For example, when we authorize a
> > > >user, we only need user related acls.
> > > >b. I found one acl may contain multi-principals, multi-operations
> > > >and multi-hosts. I strongly agree with providing apis like these, but
> > > >for the acls stored in zookeeper or memory we may better separate
> > > >them into one-principal, one-operation and one host. So we could make
> > > >sure there are not many acls with the same meaning and make acl
> > > >management easier.
> > > >
> > > >Regards
> > > >Dapeng
> > > >
> > > >-----Original Message-----
> > > >From: Jun Rao [mailto:j...@confluent.io]
> > > >Sent: Monday, April 27, 2015 5:02 AM
> > > >To: dev@kafka.apache.org
> > > >Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
> > > >
> > > >A few more minor comments.
> > > >
> > > >100. To make it clear, perhaps we should rename the resource "group"
> > > >to consumer-group. We can probably make the same change in the CLI as
> > > >well so that it's not confused with user group.
> > > >
> > > >101. Currently, create is only at the cluster level. Should it also be
> > > >at topic level? For example, perhaps it's useful to allow only user X
> > > >to create topic X.
> > > >
> > > >Thanks,
> > > >
> > > >Jun
> > > >
> > > >On Sun, Apr 26, 2015 at 12:36 AM, Gwen Shapira <gshap...@cloudera.com>
> > > >wrote:
> > > >
> > > >> Thanks for clarifying, Parth. I think you are taking the right
> > > >> approach here.
> > > >>
> > > >> On Fri, Apr 24, 2015 at 11:46 AM, Parth Brahmbhatt
> > > >> <pbrahmbh...@hortonworks.com> wrote:
> > > >> > Sorry Gwen, completely misunderstood the question :-).
> > > >> >
> > > >> > * Does everyone have the privilege to create a new Group and use it
> > > >> > to consume from Topics he's already privileged on?
> > > >> >         Yes in current proposal. I did not see an API to create
> > > >> > group but if you have a READ permission on a TOPIC and WRITE
> > > >> > permission on that Group you are free to join and consume.
> > > >> >
> > > >> > * Will the CLI tool be used to manage group membership too?
> > > >> >         Yes and I think that means I need to add ?group. Updating
> > > >> > the KIP. Thanks for pointing this out.
> > > >> >
> > > >> > * Groups are kind of ephemeral, right? If all consumers in the
> > > >> > group disconnect the group is gone, AFAIK. Do we preserve the ACLs?
> > > >> > Or do we treat the new group as completely new resource? Can we
> > > >> > create ACLs before the group exists, in anticipation of it getting
> > > >> > created?
> > > >> >         I have considered any auto delete and auto create as out of
> > > >> > scope for the first release. So right now I was going with
> > > >> > preserving the acls. Do you see any issues with this? Auto deleting
> > > >> > would mean the authorizer will now have to get into implementation
> > > >> > details of kafka which I was trying to avoid.
> > > >> >
> > > >> > Thanks
> > > >> > Parth
> > > >> >
> > > >> > On 4/24/15, 11:33 AM, "Gwen Shapira" <gshap...@cloudera.com> wrote:
> > > >> >
> > > >> >>We are not talking about same Groups :)
> > > >> >>
> > > >> >>I meant, Groups of consumers (which KIP-11 lists as a separate
> > > >> >>resource in the Privilege table)
> > > >> >>
> > > >> >>On Fri, Apr 24, 2015 at 11:31 AM, Parth Brahmbhatt
> > > >> >><pbrahmbh...@hortonworks.com> wrote:
> > > >> >>> I see Groups as something we can add incrementally in the current
> > > >> >>> model. The acls take principalType: name so groups can be
> > > >> >>> represented as group:groupName. We are not managing group
> > > >> >>> memberships anywhere in kafka and I don't see the need to do so.
> > > >> >>>
> > > >> >>> So for a topic1 using the CLI an admin can add an acl to grant
> > > >> >>> access to group:kafka-test-users.
> > > >> >>>
> > > >> >>> The authorizer implementation can have a plugin to map the
> > > >> >>> authenticated user to groups (This is how hadoop and storm work).
> > > >> >>> The plugin could be mapping the user to linux/ldap/active
> > > >> >>> directory groups but that is again up to the implementation.
> > > >> >>>
> > > >> >>> What we are offering is an interface that is extensible so these
> > > >> >>> features can be added incrementally. I can add support for this
> > > >> >>> in the first release but don't necessarily see why this would be
> > > >> >>> an absolute necessity.
> > > >> >>>
> > > >> >>> Thanks
> > > >> >>> Parth
> > > >> >>>
> > > >> >>> On 4/24/15, 11:00 AM, "Gwen Shapira" <gshap...@cloudera.com>
> > > >> >>> wrote:
> > > >> >>>
> > > >> >>>>Thanks.
> > > >> >>>>
> > > >> >>>>One more thing I'm missing in the KIP is details on the Group
> > > >> >>>>resource (I think we discussed this and it was just not fully
> > > >> >>>>updated):
> > > >> >>>>
> > > >> >>>>* Does everyone have the privilege to create a new Group and use
> > > >> >>>>it to consume from Topics he's already privileged on?
> > > >> >>>>* Will the CLI tool be used to manage group membership too?
> > > >> >>>>* Groups are kind of ephemeral, right? If all consumers in the
> > > >> >>>>group disconnect the group is gone, AFAIK. Do we preserve the
> > > >> >>>>ACLs? Or do we treat the new group as completely new resource?
> > > >> >>>>Can we create ACLs before the group exists, in anticipation of
> > > >> >>>>it getting created?
> > > >> >>>>
> > > >> >>>>It's all small details, but it will be difficult to implement
> > > >> >>>>KIP-11 without knowing the answers :)
> > > >> >>>>
> > > >> >>>>Gwen
> > > >> >>>>
> > > >> >>>>
> > > >> >>>>On Fri, Apr 24, 2015 at 9:58 AM, Parth Brahmbhatt
> > > >> >>>><pbrahmbh...@hortonworks.com> wrote:
> > > >> >>>>> You are right, moved it to the default implementation section.
> > > >> >>>>>
> > > >> >>>>> Thanks
> > > >> >>>>> Parth
> > > >> >>>>>
> > > >> >>>>> On 4/24/15, 9:52 AM, "Gwen Shapira" <gshap...@cloudera.com>
> > > >> >>>>> wrote:
> > > >> >>>>>
> > > >> >>>>>>Sample ACL JSON and Zookeeper is in public API, but I thought
> > > >> >>>>>>it is part of DefaultAuthorizer (Since Sentry and Argus won't
> > > >> >>>>>>be using Zookeeper).
> > > >> >>>>>>Am I wrong? Or is it the KIP?
> > > >> >>>>>>
> > > >> >>>>>>On Fri, Apr 24, 2015 at 9:49 AM, Parth Brahmbhatt
> > > >> >>>>>><pbrahmbh...@hortonworks.com> wrote:
> > > >> >>>>>>> Thanks for clarifying Gwen, KIP updated.
> > > >> >>>>>>>
> > > >> >>>>>>> I tried to make the distinction by creating a section for all
> > > >> >>>>>>> public APIs
> > > >> >>>>>>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizationInterface-PublicInterfacesandclasses
> > > >> >>>>>>>
> > > >> >>>>>>> Let me know if you think there is a better way to reflect
> > > >> >>>>>>> this.
> > > >> >>>>>>>
> > > >> >>>>>>> Thanks
> > > >> >>>>>>> Parth
> > > >> >>>>>>>
> > > >> >>>>>>> On 4/24/15, 9:37 AM, "Gwen Shapira" <gshap...@cloudera.com>
> > > >> >>>>>>> wrote:
> > > >> >>>>>>>
> > > >> >>>>>>>>+1 (non-binding)
> > > >> >>>>>>>>
> > > >> >>>>>>>>Two nitpicks for the wiki:
> > > >> >>>>>>>>* Heartbeat is probably a READ and not CLUSTER operation. I'm
> > > >> >>>>>>>>pretty sure new consumers need it to be part of a consumer
> > > >> >>>>>>>>group.
> > > >> >>>>>>>>* Can you clearly separate which parts are the API (common to
> > > >> >>>>>>>>every Authorizer) and which parts are DefaultAuthorizer
> > > >> >>>>>>>>implementation? It will make reviews and Authorizer
> > > >> >>>>>>>>implementations a bit easier to know exactly which is which.
> > > >> >>>>>>>>
> > > >> >>>>>>>>Gwen
> > > >> >>>>>>>>
> > > >> >>>>>>>>On Fri, Apr 24, 2015 at 9:28 AM, Parth Brahmbhatt
> > > >> >>>>>>>><pbrahmbh...@hortonworks.com> wrote:
> > > >> >>>>>>>>> Hi,
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> I would like to open KIP-11 for voting.
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> Thanks
> > > >> >>>>>>>>> Parth
> > > >> >>>>>>>>>
> > > >> >>>>>>>>> On 4/22/15, 1:56 PM, "Parth Brahmbhatt"
> > > >> >>>>>>>>> <pbrahmbh...@hortonworks.com> wrote:
> > > >> >>>>>>>>>
> > > >> >>>>>>>>>>Hi Jeff,
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>>Thanks a lot for the review. I think you have a valid point
> > > >> >>>>>>>>>>about acls being duplicated and the simplest solution would
> > > >> >>>>>>>>>>be to modify the acls class so they hold a set of principals
> > > >> >>>>>>>>>>instead of a single principal. i.e.
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>><user_a,user_b> has <READ,WRITE,DESCRIBE> Permissions on
> > > >> >>>>>>>>>><Topic1> from <Host1, Host2, Host3>.
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>>I think the evaluation order only matters for the
> > > >> >>>>>>>>>>permissionType, which is that Deny acls should be evaluated
> > > >> >>>>>>>>>>before allow acls. To give you an example suppose we have
> > > >> >>>>>>>>>>the following acls
> > > >> >>>>>>>>>>
> > > >> >>>>>>>>>>acl1 -> user1 is allowed to READ from all hosts.
> > > >> >>>>>>>>>>acl2 -> host1 is allowed to READ regardless of who is the
> > > >> >>>>>>>>>>user.
> > > >> >>>>>>>>>>acl3 -> host2 is allowed to READ
> > >>regardless
> > >> of
> > >> > >> >>who is
> > >> > >> >> > >>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>user.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>acl4 -> user1 is denied to READ from
> > >>host1.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>As stated in the KIP we first evaluate
> > >>DENY
> > >> so
> > >> > >>if
> > >> > >> >> user1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>tries to access from host1 he will be
> > >> > >> >>denied(acl4),
> > >> > >> >> > >>even
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>though both user1 and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>host1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>has
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>acl's for allow with wildcards (acl1,
> > >>acl2).
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>If user1 tried to READ from host2 , the
> > >> action
> > >> > >> >>will
> > >> > >> >> be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>allowed
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>it
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>does
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>not matter if we match acl3 or acl1 so I
> > >> don't
> > >> > >> >>think
> > >> > >> >> > >>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>evaluation order matters here.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>"Will people actually use hosts with
> > >>users?"
> > >> I
> > >> > >> >>really
> > >> > >> >> > >> > > >> >>>>>>>>>>don't
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>know but given ACl's are part of our
> > >>Public
> > >> > >>APIs I
> > >> > >> >> > >> > > >> >>>>>>>>>>thought
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>it is better to try and cover more use
> > >>cases.
> > >> > >>If
> > >> > >> >> others
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>think this extra complexity is not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> worth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>value its adding please raise your
> > >>concerns
> > >> so
> > >> > >>we
> > >> > >> >>can
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>discuss if it should be removed from the
> > >>acl
> > >> > >> >> structure.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>Note that even in absence of hosts from
> > >>ACL
> > >> > >>users
> > >> > >> >> will
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>still be able to whitelist/blacklist
> host
> > >>as
> > >> > >>long
> > >> > >> >>as
> > >> > >> >> we
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>start supporting principalType = "host",
> > >>easy
> > >> > >>to
> > >> > >> >>add
> > >> > >> >> > >>and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>can be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> an
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>incremental improvement. They will
> however
> > >> > >>loose
> > >> > >> >>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>ability to restrict access to users just
> > >> from a
> > >> > >> >>set
> > >> > >> >> of
> > >> > >> >> > >> > hosts.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>We agreed to offer a CLI to overcome the
> > >>JSON
> > >> > >>acl
> > >> > >> >> > >>config
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >> >
> > >> > >>>>
> > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authori
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>za
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>ti
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>on
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>+I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>n
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >> >
> > >> >
> > >>>>>>>>>>>>>>>>terface#KIP-11-AuthorizationInterface-AclManagement(CLI).
> > >> > >> >> > >> > > >> >>>>>>>>>>I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>still like Jsons but that probably has
> > >> > >>something
> > >> > >> >>to
> > >> > >> >> do
> > >> > >> >> > >> > > >> >>>>>>>>>>with
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>me being a developer :-).
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>Thanks
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>Parth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>On 4/22/15, 11:38 AM, "Jeff Holoman"
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>>>>>>>>>>><jholo...@cloudera.com<mailto:jholo...@cloudera.com
> ><mailto:jholo...@cloudera.com
> > >> >< mailto:jholo...@cloudera.com
> > >> > >> >> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Parth,
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>This is a long thread, so trying to
> keep
> > >>up
> > >> > >>here,
> > >> > >> >> > >>sorry
> > >> > >> >> > >> > > >> >>>>>>>>>>>if
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>this has been covered before. First,
> > >>great
> > >> > >>job on
> > >> > >> >> the
> > >> > >> >> > >> > > >> >>>>>>>>>>>KIP
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>proposal and work so far.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Are we sure that we want to tie host
> > >>level
> > >> > >>access
> > >> > >> >> to a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>given user?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>My
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>understanding is that the ACL will be
> > >> > >>(omitting
> > >> > >> >>some
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>fields)
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>user_a, host1, host2, host3 user_b,
> > >>host1,
> > >> > >>host2,
> > >> > >> >> > >>host3
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>So there would potentially be a lot of
> > >> > >> >>redundancy in
> > >> > >> >> > >>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> configs.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Does
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>it
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>make sense to have hosts be at the same
> > >> level
> > >> > >>as
> > >> > >> >> > >> > > >> >>>>>>>>>>>principal
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>in
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>hierarchy? This way you could just
> > >>blanket
> > >> the
> > >> > >> >> > >>allowed /
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>denied hosts and only have to worry
> about
> > >> the
> > >> > >> >>users.
> > >> > >> >> > >>So
> > >> > >> >> > >> > > >> >>>>>>>>>>>if
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>you follow this, then
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>we can wildcard the user so we can
> have a
> > >> > >> >>separate
> > >> > >> >> > >>list
> > >> > >> >> > >> > > >> >>>>>>>>>>>of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>just host-based access. What's the
> order
> > >> that
> > >> > >>the
> > >> > >> >> > >>perms
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>would be evaluated if a there was more
> > >>than
> > >> > >>one
> > >> > >> >> match
> > >> > >> >> > >>on
> > >> > >> >> > >> > > >> >>>>>>>>>>>a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>principal ?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Is the thought that there wouldn't
> > >>usually
> > >> be
> > >> > >> >>much
> > >> > >> >> > >> > > >> >>>>>>>>>>>overlap
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>on hosts?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>guess I can imagine a scenario where I
> > >>want
> > >> to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>offline/online access to a particular
> > >>hosts
> > >> or
> > >> > >> >>set
> > >> > >> >> of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>hosts and if there was overlap, I'm
> > >>doing a
> > >> > >> >>bunch of
> > >> > >> >> > >> > > >> >>>>>>>>>>>alter
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>commands for just a single host. Maybe
> > >>this
> > >> is
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> too
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>contrived
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>an example?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>I agree that having this level of
> > >> granularity
> > >> > >> >>gives
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>flexibility but I wonder if people will
> > >> > >>actually
> > >> > >> >>use
> > >> > >> >> > >>it
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>and not just * the hosts for a given
> user
> > >> and
> > >> > >> >>create
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>separate "global" list as i mentioned
> > >>above?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>The only other system I know of that
> ties
> > >> > >>users
> > >> > >> >>with
> > >> > >> >> > >> > > >> >>>>>>>>>>>hosts
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>for access is MySql and I don't love
> that
> > >> > >>model.
> > >> > >> >> > >> > > >> >>>>>>>>>>>Companies
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>usually standardize on group
> > >>authorization
> > >> > >> >>anyway,
> > >> > >> >> are
> > >> > >> >> > >> > > >> >>>>>>>>>>>we
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>complicating that issue with the
> > >>inclusion
> > >> of
> > >> > >> >>hosts
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>attached to users? Additionally I worry
> > >> about
> > >> > >>the
> > >> > >> >> debt
> > >> > >> >> > >> > > >> >>>>>>>>>>>of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>big JSON configs in the first place,
> most
> > >> > >> >> > >>non-developers
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>find them non-intuitive already, so
> > >>anything
> > >> > >>to
> > >> > >> >>ease
> > >> > >> >> > >> > > >> >>>>>>>>>>>this
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>I think would be beneficial.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Thanks
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Jeff
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>On Wed, Apr 22, 2015 at 2:22 PM, Parth
> > >> > >> >>Brahmbhatt <
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >><mailto:
> > >> > >> >> > >> > > pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com>>>>
> wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> Sorry I missed your last questions. I
> > >>am
> > >> +0
> > >> > >>on
> > >> > >> >> > >>adding
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>?host option for  ?list, we could add
> it
> > >> for
> > >> > >> >> > >>symmetry.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>Again if this is only a CLI change it
> > >>can
> > >> be
> > >> > >> >>added
> > >> > >> >> > >> > > >> >>>>>>>>>>>>later
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>if you mean adding this in authorizer
> > >> > >>interface
> > >> > >> >> then
> > >> > >> >> > >>we
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>should make a decision now.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> Given a choice I would like to
> actually
> > >> keep
> > >> > >> >>only
> > >> > >> >> > >>one
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>option which is  resource based get
> > >>(remove
> > >> > >>even
> > >> > >> >> the
> > >> > >> >> > >> > > >> >>>>>>>>>>>>get
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>based on principal). I see those
> > >>(getAcl
> > >> for
> > >> > >> >> > >>principal
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>or
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>host) as special filtering case which
> > >>can
> > >> > >>easily
> > >> > >> >> be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>achieved by a third party tool by
> doing
> > >> "list
> > >> > >> >>all
> > >> > >> >> > >> topics"
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>calling
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> getAcls for each topic and applying
> > >> > >>filtering
> > >> > >> >> logic
> > >> > >> >> > >>on
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>that.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>really
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> don't see the need to make those
> first
> > >> class
> > >> > >> >> > >>citizens
> > >> > >> >> > >> > > >> >>>>>>>>>>>> of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>the authorizer  interface given these
> > >>kind
> > >> of
> > >> > >> >> queries
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>will be issued outside
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>broker
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>JVM
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> so they will not benefit from the
> > >>caching
> > >> > >>and
> > >> > >> >> > >>because
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>the storage will be  indexed on
> resource
> > >> both
> > >> > >> >>these
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>options even as a first class API will
> > >>just
> > >> > >> >>scan
> > >> > >> >> all
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>topic acls and apply filtering logic.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> Thanks
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> Parth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> On 4/22/15, 11:08 AM, "Parth
> > >>Brahmbhatt"
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >><mailto:
> > >> > >> >> > >> > > pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Please see all the available options
> > >>here
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Autho
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>ri
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>za
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>ti
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>on
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>+
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >>>nterface#KIP-11-AuthorizationInterface-AclManagement(
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >CL
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >) . I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>think
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>it
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >covers both hosts and operations and
> > >> > >>allows to
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >specify
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >a list
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>for
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>both.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Thanks
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Parth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >From: Tom Graves
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>>>>>>>>>>>>><tgraves...@yahoo.com<mailto:tgraves...@yahoo.com
> ><mailto:tgraves...@yahoo.com
> > >> >< mailto:tgraves...@yahoo.com
> > >> > >> >> > >> <mailto:
> > >> > >> >> > >> > > tgraves...@yahoo.com<mailto:tgraves...@yahoo.com
> ><mailto:tgraves...@yahoo.com>%
> > >> 3cmailto:tgraves...@yahoo.com<http://yahoo.com><http://yahoo.com>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Reply-To: Tom Graves
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>>>>>>>>>>>>><tgraves...@yahoo.com<mailto:tgraves...@yahoo.com
> ><mailto:tgraves...@yahoo.com
> > >> >< mailto:tgraves...@yahoo.com
> > >> > >> >> > >> <mailto:
> > >> > >> >> > >> > > tgraves...@yahoo.com<mailto:tgraves...@yahoo.com
> ><mailto:tgraves...@yahoo.com>%
> > >> 3cmailto:tgraves...@yahoo.com<http://yahoo.com><http://yahoo.com>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Date: Wednesday, April 22, 2015 at
> > >>11:02
> > >> AM
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >To: Parth Brahmbhatt
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >><mailto:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> ><mailto:pbrahmbh...@hortonworks.com
> > >> >< mailto:pbrahmbh...@hortonworks.com
> > >> > >> >> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>>,
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >"dev@kafka.apache.org<mailto:
> dev@kafka.apache.org><mailto:
> > >> dev@kafka.apache.org<mailto:dev@kafka.apache.org>><mailto:
> > >> > >> >> dev@kafka.apache.org<mailto:dev@kafka.apache.org><mailto:
> dev@kafka.apache.org>
> > >> > >> >> > >> > >
> > >> > >> >>>< mailto:dev@kafka.apache.org%3cmailto:dev@kafka.apache.org
> > %3e>"
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> ><dev@kafka.apache.org<mailto:
> dev@kafka.apache.org><mailto:
> > >> dev@kafka.apache.org<mailto:dev@kafka.apache.org>><mailto:
> > >> > >> >> dev@kafka.apache.org<mailto:dev@kafka.apache.org><mailto:
> dev@kafka.apache.org>
> > >> > >> >> > >> > <mailto:
> > >> > >> >> > >> > > dev@kafka.apache.org<mailto:dev@kafka.apache.org
> ><mailto:dev@kafka.apache.org>%
> > >> 3cmailto:dev@kafka.apache.org<http://kafka.apache.org><
> http://kafka.apache.org>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Subject: Re: [DISCUSS] KIP-11-
> > >> > >>Authorization
> > >> > >> >> design
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >for
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >kafka
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>security
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Thanks for the explanations Parth.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >On the configs questions, the way I
> > >>see
> > >> it
> > >> > >>is
> > >> > >> >>its
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >more
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >likely
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >accidentally give everyone access,
> > >> > >>especially
> > >> > >> >> since
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >you
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >have
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>run
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >separate command to change the acls.
> > >>If
> > >> > >>there
> > >> > >> >>was
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >some
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >config
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>for
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >defaults, a cluster admin could
> change
> > >> that
> > >> > >> >>to be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >nobody or
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>certain
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>set
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >of users, then grant others
> > >>permissions.
> > >> > >>This
> > >> > >> >> > >>would
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >also
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>remove
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>race
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >between commands.  This is something
> > >>you
> > >> > >>can
> > >> > >> >> always
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >add
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >later
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>though
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>if
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >people request it.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >So in kafka-acl.sh how do I actually
> > >>tell
> > >> > >>it
> > >> > >> >>what
> > >> > >> >> > >>the
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>operation
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>is?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >kafka-acl.sh --topic testtopic --add
> > >> > >> >> > >>--grandprincipal
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>user:joe,user:kate
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >where does READ, WRITE, etc go?  Can
> > >> > >>specify
> > >> > >> >>as a
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >list
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >so I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>don't
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>have
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >run this a bunch of times for each.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Do you want to have a --host option
> > >>for
> > >> > >> >>--list so
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >that
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >admins
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>could
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>see
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >what acls apply to specific host(s)?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Tom
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >On Wednesday, April 22, 2015 11:38
> AM,
> > >> > >>Parth
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Brahmbhatt
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >><mailto:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> ><mailto:pbrahmbh...@hortonworks.com
> > >> >< mailto:pbrahmbh...@hortonworks.com
> > >> > >> >> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >FYI, I have modified the KIP to include group as resource. In order to access "joinGroup" and "commitOffset" APIs the user will need a read permission on topic and WRITE permission on group.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >I plan to open a VOTE thread by noon if there are no more concerns.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Thanks
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >Parth
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >On 4/22/15, 9:03 AM, "Tom Graves" <tgraves...@yahoo.com.INVALID> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>Hey everyone,
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>Sorry to jump in on the conversation so late. I'm new to Kafka. I'll apologize in advance if you have already covered some of my questions. I read through the wiki and had some comments and questions.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>1) public enum Operation needs EDIT changed to ALTER
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    Done.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>2) Does the Authorizer class need a setAcls? Rather than just add, to be able to set to an explicit list and overwrite what was there? I see the kafka-acl.sh lists a removeall so I guess you could do removeall and then add. I also don't see a removeall in the Authorizer class, is it going to loop through them all to remove each one?
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    There is an overloaded version of removeAcls in the interface that takes in resource as the only input and, as described in the javadoc, all the acls attached to that resource will be deleted. To cover the setAcl use case the caller can first call remove and then add.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>3) Can someone tell me what the use case is to do acls based on the hosts? I can see some possibilities, just wondering if we can have concrete ones where one user is allowed from one host but not another.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    I am not sure if I understand the question, given the use case you described in your question is what we are trying to cover with use of hosts in Acl. There are some additional use cases like "allow access to any user from host1,host2" but I think primarily it gives the admins the ability to define acls at a more granular level.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>4) I'm a bit unclear how the "resource" works in the Authorizer class. From what I see we have 2 resources - topics and cluster. If I want to add an acl to allow "joe" to CREATE for the cluster then I call addAcls with Acl("user: joe", ALLOW, Set(*), Set(CREATE)) and "cluster"? What if I want to call addAcls for DESCRIBE on a topic? Is the resource then "topic" or is it the topic name?
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    We now have 3 resources (added group), please see the updated doc. The CREATE acl that you described is correct. For any topic operation you should use topic name as the resource name and for group the user will provide groupId as resource name.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>5) reassigning partitions is a CLUSTER_ACTION or superuser? It's not totally clear to me the differences between these. What about increasing # of partitions?
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    I see this as an alter topic operation so it is at topic level and the user must have alter permissions on topic.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>6) groups are mentioned, are we supporting right away or is that a follow on item? (is there going to be a kafka.supergroups)
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    I think it can be a separate jira just for breaking down the code review in smaller chunks. We will support it in first version but I think if we cannot do it for any reason that should not block a release with all the other authZ work. We made deliberate design choices (like introducing a principalType in KafkaPrincipal) to allow supporting groups as an incremental change.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>7) Are there config options for setting acls when I create my topic? Or do I have to create my topic and then run the kafka-acl.sh script to set them? Although it's very small, there would be a possible race there that someone could start producing to topic before acls are set.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    We discussed this yesterday and we agreed to go with kafka-acl.sh. Yes there is a very very small window of vulnerability but I think that really does not warrant changing the decision in this case.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>8) are there configs for cluster level acl defaults? Or does it default to superusers on bringing up a new cluster and you have to modify with cli.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>thanks, Tom
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >    No defaults, the default is superusers will have full access. I don't think making assumptions about one's security requirements should be our burden.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>    On Tuesday, April 21, 2015 7:10 PM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >> I have added the notes to KIP-11 Open question sections.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>Thanks
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>Parth
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>On 4/21/15, 4:49 PM, "Gwen Shapira" <gshap...@cloudera.com> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>Adding my notes from today's call to the thread:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>** Deny or Allow all by default? We will add a configuration to control this. The configuration will default to "allow" for backward compatibility. Security admins can set it to "deny".
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>** Storing ACLs for default authorizers: We'll store them in ZK. We'll support pointing the authorizer to any ZK. The use of ZK will be internal to the default authorizer. Authorizer reads ACLs from cache every hour. We proposed having a mechanism (possibly via new ZK node) to tell broker to refresh the cache immediately.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>** Support deny as permission type - we agreed to keep this.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>** Mapping operations to API: We may need to add Group as a resource, with JoinGroup and OffsetCommit requiring privilege on the consumer group. This can be something we pass now and authorizers can support in future. - Jay will write specifics to the mailing list discussion.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>On Tue, Apr 21, 2015 at 4:32 PM, Jay Kreps <jay.kr...@gmail.com> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> Following up on the KIP discussion. Two options for authorizing consumers to read topic "t" as part of group "g":
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> 1. READ permission on resource /topic/t
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> 2. READ permission on resource /topic/t AND WRITE permission on /group/g
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> The advantage of (1) is that it is simpler. The disadvantage is that any member of any group that reads from t can commit offsets as any other member of a different group. This doesn't affect data security (who can access what) but it is a bit of a management issue--a malicious person can cause data loss or duplicates for another consumer by committing offset.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> I think I favor (2) but it's worth it to think it through.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> -Jay
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>> On Tue, Apr 21, 2015 at 2:43 PM, Parth Brahmbhatt <pbrahmbh...@hortonworks.com> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> Hey Jun,
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> Yes, and we support wildcards for all acl entities: principal, hosts and operation.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> Thanks
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> Parth
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> On 4/21/15, 9:06 AM, "Jun Rao" <j...@confluent.io> wrote:
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >Harsha, Parth,
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >Thanks for the clarification. This makes sense. Perhaps we can clarify the meaning of those rules in the wiki.
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >Related to this, it seems that
> > >>we
> > >> > >>need
> > >> > >> >>to
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >support
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>wildcard
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>in
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>cli/request
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >protocol for topics?
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >Jun
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >On Mon, Apr 20, 2015 at 9:07
> PM,
> > >> > >>Parth
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >Brahmbhatt
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> ><
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>>pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >><mailto<mailto:
> > >> > >> >> > >> > > pbrahmbh...@hortonworks.com<mailto:
> pbrahmbh...@hortonworks.com><mailto:
> > >> pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> >>%3cmailto>:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >>pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com
> ><mailto:pbrahmbh...@hortonworks.com
> > >> >< mailto:pbrahmbh...@hortonworks.com
> > >> > >> >> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> The iptables on unix
> supports
> > >>the
> > >> > >>DENY
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> operator, not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>that
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>it
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>should
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> matter. The deny operator
> can
> > >> also
> > >> > >>be
> > >> > >> >> used
> > >> > >> >> > >>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> specify
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>³allow
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>user1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>READ
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> from topic1 from all hosts
> but
> > >> > >> >> > >>host1,host2².
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>Again we
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>could
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>add a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>host
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> group semantic and extra
> > >> complexity
> > >> > >> >> around
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> that, not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>sure
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>if
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>its
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>worth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>it.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> In addition with DENY
> operator
> > >> you
> > >> > >>are
> > >> > >> >> now
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>forced
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>create a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>special
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> group just to support the
> > >> > >> >>authorization
> > >> > >> >> use
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>case. I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> am
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>convinced
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>that
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> the operator it self is
> really
> > >> all
> > >> > >> >>that
> > >> > >> >> > >> > confusing.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>There
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>are 3
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>practical
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> use cases:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> - Resource with no acl what
> so
> > >> > >>ever ->
> > >> > >> >> > >>allow
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> access
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>everyone (
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>just
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>for
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> backward compatibility, I
> > >>would
> > >> > >>much
> > >> > >> >> rather
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>fail
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> close
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>force
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>users
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> explicitly grant acls that
> > >>allows
> > >> > >> >>access
> > >> > >> >> to
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> all
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>users.)
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> - Resource with some acl
> > >>attached
> > >> > >>->
> > >> > >> >>only
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> users
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> that
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>have
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>matching
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>allow
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> acl are allowed (i.e. ³allow
> > >>READ
> > >> > >> >>access
> > >> > >> >> to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>topic1 to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>user1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>from
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>all
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> hosts², only user1 has READ
> > >> access
> > >> > >> >>and no
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> other
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> user
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>has
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>access of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>any
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> kind)
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> - Resource with some allow
> and
> > >> some
> > >> > >> >>deny
> > >> > >> >> > >>acl
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> attached
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>->
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>users
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>are
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>allowed
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> to perform operation only
> when
> > >> they
> > >> > >> >> satisfy
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>allow acl
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>do
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>have
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> conflicting deny acl. Users
> > >>that
> > >> > >>have
> > >> > >> >>no
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> acl(allow or
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>deny)
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>will
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>still
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> have any access. (i.e.
> ³allow
> > >> READ
> > >> > >> >>access
> > >> > >> >> > >>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>topic1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>user1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>from
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>all
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> hosts except host1 and
> host²,
> > >> only
> > >> > >> >>user1
> > >> > >> >> > >>has
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> access
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>but
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>not
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>from
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>host1
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>an
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> host2)
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> I think we need to make a
> > >> decision
> > >> > >>on
> > >> > >> >> deny
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> primarily
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>because
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>with
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> introduction of acl
> management
> > >> API,
> > >> > >> >>Acl
> > >> > >> >> is
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> now
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> a
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>public
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>class
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>that
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>will
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> used by Ranger/Santry and
> > >>other
> > >> > >> >> > >>authroization
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>providers.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>In
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>Current
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>design
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> the acl has a permissionType
> > >>enum
> > >> > >> >>field
> > >> > >> >> > >>with
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>possible
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>values
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>Allow
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>and
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> Deny. If we chose to remove
> > >>deny
> > >> we
> > >> > >> >>can
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> assume
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>all
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>acls
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>to
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>be
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>of
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>allow
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> type and remove the
> > >> permissionType
> > >> > >> >>field
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>completely.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> Thanks
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> Parth
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> On 4/20/15, 6:12 PM, "Gwen
> > >> Shapira"
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >>>>>>><gshap...@cloudera.com<mailto:gshap...@cloudera.com
> ><mailto:gshap...@cloudera.com
> > >> >< mailto:gshapira@cloudera.c
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>om
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>wrote:
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> >I think thats how its done
> in
> > >> > >>pretty
> > >> > >> >> much
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> >any
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> >system
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>I
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>can
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>think
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>of.
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>--
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Jeff Holoman
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>>Systems Engineer
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >>>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >> >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > > >>
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> > >
> > >> > >> >> > >> >
> > >> > >> >> > >>
> > >> > >> >> >
> > >> > >> >> >
> > >> > >> >>
> > >> > >>
> > >> > >>
> > >> >
> > >> >
> > >>
> > >>
> > >>
> >
> >
>
>
>
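The three ACL evaluation cases Parth lists in the quoted thread (no acl, allow only, allow plus deny) with wildcard matching on principal, host and operation, as an added example that is not Kafka's code or part of the original thread; the `Acl` class, `authorize` function, the `allow_everyone_if_no_acl` switch and the constructed ACL sets are assumptions for illustration, not the KIP-11 Authorizer API.

```python
# Added example (not Kafka's own code): a toy evaluator for the three ACL
# cases described in the thread, with the "*" wildcard the thread says is
# supported for principal, host and operation. Names and structure are
# assumptions for illustration, not the KIP-11 Authorizer API.
from dataclasses import dataclass
from typing import Iterable

WILDCARD = "*"


@dataclass(frozen=True)
class Acl:
    principal: str
    host: str
    operation: str
    permission_type: str  # "Allow" or "Deny", mirroring the permissionType enum in the thread

    def matches(self, principal: str, host: str, operation: str) -> bool:
        """An ACL entity matches a request field when equal to it or a wildcard."""
        return all(
            pattern == WILDCARD or pattern == value
            for pattern, value in (
                (self.principal, principal),
                (self.host, host),
                (self.operation, operation),
            )
        )


def authorize(acls: Iterable[Acl], principal: str, host: str, operation: str,
              allow_everyone_if_no_acl: bool = True) -> bool:
    """Decide one request against the ACLs attached to one resource.

    Case 1: no ACL at all -> allow everyone for backward compatibility
            (allow_everyone_if_no_acl=False gives the fail-closed behaviour
            Parth says he would prefer).
    Case 2: only Allow ACLs -> access only with a matching Allow.
    Case 3: Allow and Deny ACLs -> a matching Allow is required and any
            matching Deny wins; principals with no matching ACL get nothing.
    """
    acls = list(acls)
    if not acls:
        return allow_everyone_if_no_acl
    matching = [acl for acl in acls if acl.matches(principal, host, operation)]
    if any(acl.permission_type == "Deny" for acl in matching):
        return False  # a conflicting deny overrides any allow
    return any(acl.permission_type == "Allow" for acl in matching)


# Constructed ACL sets for the two quoted topic1 examples.
ALLOW_ALL_HOSTS = [Acl("user1", "*", "READ", "Allow")]
ALLOW_EXCEPT_TWO_HOSTS = ALLOW_ALL_HOSTS + [
    Acl("user1", "host1", "READ", "Deny"),
    Acl("user1", "host2", "READ", "Deny"),
]

if __name__ == "__main__":
    print(authorize([], "anyone", "host9", "WRITE"))                     # True  (case 1)
    print(authorize(ALLOW_ALL_HOSTS, "user2", "host9", "READ"))         # False (case 2)
    print(authorize(ALLOW_EXCEPT_TWO_HOSTS, "user1", "host1", "READ"))  # False (case 3)
```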
