Thanks for your comments Stephane.

I too would like to get 'wildcard' support. I'd like to associate an ACL to a regex instead of a specific resource name (or everything), and then the authz check is performed against the actual resource name.
This could be attainable with a more sophisticated implementation of Authorizer.

One immediate use case is to allow an authenticated user to manage topics/groups and txns that have a given prefix. This would be the case of Streams applications too, wouldn't it?

Our KIP is simply about giving the ability for a user to clean up after himself :-)
It is bad practice to be able to create resources but not to delete them, and the only current alternative is to give a user the ability to create and delete any topic, and that authority may be too broad in some organizations.

cheers
Edo
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN

From: Stephane Maarek <steph...@simplemachines.com.au>
To: dev@kafka.apache.org
Date: 29/03/2018 18:11
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Not against, but this needs to support regex for support for Kafka Streams applications that create many topics with complex names

On Thu., 29 Mar. 2018, 7:21 pm Edoardo Comar, <eco...@uk.ibm.com> wrote:

> Hi all,
>
> We have submitted KIP-277 to give users permission to manage the lifecycle
> of a defined set of topics;
> the current ACL checks are for permission to create *any* topic and on
> delete for permission against the *named* topics.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D277-2B-2D-2BFine-2BGrained-2BACL-2Bfor-2BCreateTopics-2BAPI&d=DwIBaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=EzRhmSah4IHsUZVekRUIINhltZK7U0OaeRo7hgW4_tQ&m=uZGGpiYQPMpPZ2QpZfv5GWdjwWiTIu7Oox8zoBEo-3E&s=y8kJf6lUAsyU6SVgaXy39LCL0JJ35aqg793SxC88PaQ&e=
>
> Feedback and suggestions are welcome, thanks.
>
> Edo & Mickael
> --------------------------------------------------
> Edoardo Comar
> IBM Message Hub
> IBM UK Ltd, Hursley Park, SO21 2JN
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
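
The check discussed in this thread (an ACL bound to a regex, evaluated against the actual topic name for both create and delete), sketched as an added example that is not part of the original messages and does not use Kafka's Authorizer API. `RegexAcl`, `RegexAuthorizer`, `prefix_pattern`, the principal and the topic names are all hypothetical.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class RegexAcl:
    principal: str   # e.g. "User:streams-app1" (constructed)
    operation: str   # "Create" or "Delete"
    pattern: str     # regex that must match the whole topic name


def prefix_pattern(prefix):
    # Escape the prefix so "." or "+" in it are literals, not regex operators.
    return re.escape(prefix) + ".*"


class RegexAuthorizer:
    def __init__(self, acls):
        # Compile up front so a malformed pattern is rejected when ACLs load.
        self._rules = [(acl, re.compile(acl.pattern)) for acl in acls]

    def authorize(self, principal, operation, topic):
        # Default deny: allowed only if some ACL for this principal and
        # operation matches the entire requested name (fullmatch, not search).
        return any(
            acl.principal == principal
            and acl.operation == operation
            and rx.fullmatch(topic) is not None
            for acl, rx in self._rules
        )


# Constructed sample: one Streams-style application owning the "app1." prefix.
APP = "User:streams-app1"
AUTHZ = RegexAuthorizer(
    [RegexAcl(APP, op, prefix_pattern("app1.")) for op in ("Create", "Delete")]
)

if __name__ == "__main__":
    for topic in ("app1.orders-repartition", "app1xorders", "team.app1.orders"):
        for op in ("Create", "Delete"):
            print(op, topic, AUTHZ.authorize(APP, op, topic))
```

Matching with `fullmatch` and an escaped prefix is what keeps the grant from widening: an unanchored search would also accept `team.app1.orders`, and an unescaped `.` would accept `app1xorders`.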