Grant, thanks for finding this. Below are my thoughts.

On Thu, Mar 3, 2016 at 9:33 AM, Grant Henke <ghe...@cloudera.com> wrote:

> I am working on the List/Alter ACLs patch (
> https://github.com/apache/kafka/pull/1005) for KIP-4 and have a few
> questions around expectations for an Authorizer implementation:
>
>    - What is the expected behavior when I add the same ACL twice?
>
I think we should ignore it. Same as setting an existing perm on a file in
Unix.

>    - What is the expected behavior when I remove an ACL that is not set?
>
I think we should ignore this as well, as the end goal is met in either
case.

>    - What type of "permission inheritance" is an implementer of the
>    Authorizer interface supposed to follow:
>    - Example: READ or WRITE automatically grants DESCRIBE
>
I am more in favor of having explicit permissions. Implementations can take
care of implied permissions, if they want to. However, I do not see a
reason why.

>    - Is the Authorizer implementation expected to manage blocking/local
>    cache consistency across all instances?
>
The caching only happens at the implementation level, so I guess yes.

>       - Or should all requests go to 1 instance?
>
This will be a huge perf hit depending on usage pattern, I think.

>       - This is related to the bug found while working on this patch:
>       KAFKA-3328 <https://issues.apache.org/jira/browse/KAFKA-3328>
>
> Thanks,
> Grant
>
> --
> Grant Henke
> Software Engineer | Cloudera
> gr...@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke
>



-- 

Regards,
Ashish
