Hi, Mani,

Thanks for the update. Just a minor comment below. Otherwise, +1 from me.

> > 116. Could you document the ACL rules associated with those new requests?
> > For example, do we allow anyone to create, delete, describe delegation
> > tokens?
>
> Currently we only allow an owner to create delegation token for that owner
> only. Anything the owner has permission to do, delegation tokens should be
> allowed to do as well. We can also check renew and expire requests are
> coming from owner or renewers of the token. So we may not need ACLs for
> create/renew/expire requests.
>
> For describe, we can add DESCRIBE operation on TOKEN Resource. In future,
> when we extend the support to allow a user to acquire delegation tokens for
> other users, then we can enable CREATE/DELETE operations. Updated the KIP.

This sounds good. I guess the owner and the renewer can always describe their own tokens?

Jun