Hello guys,

Sorry for being late on this KIP, but while incorporating the docs of 277 and 290 I'm wondering if we should be extending the authorization with create topics on other operations with these two KIPs:

Previously, in SimpleAclAuthorizer, "read, write, delete, or alter implies allowing describe", but not "create", as it can only be applied on "CLUSTER". It means that users need to specify additional rules for those topics even if they are created by themselves. One example of this is Kafka Streams' internal topics: before 2.0, users needed to add "create CLUSTER" plus "read / write TOPIC_NAME_LITERAL" with a secured cluster, and I've seen some common scenarios where they forgot to add the latter and were thinking that the created topics would be auto-granted with read/write permissions.

Would it be natural to allow:

1. prefix wildcard "create" to imply prefix wildcard "read / write / describe" (debatable whether we want to add "delete" and "alter" as well).
2. cluster "create" to imply "read / write / describe" on topics created by the same user.

Guozhang

On Fri, May 25, 2018 at 5:55 AM, Edoardo Comar <edoco...@gmail.com> wrote:

> Thanks Ismael, noted on the KIP
>
> On 21 May 2018 at 18:29, Ismael Juma <ism...@juma.me.uk> wrote:
>
> > Thanks for the KIP, +1 (binding). Can you also please describe the
> > compatibility impact of changing the error code from
> > CLUSTER_AUTHORIZATION_FAILED to TOPIC_AUTHORIZATION_FAILED?
> >
> > Ismael
> >
> > On Wed, Apr 25, 2018 at 2:45 AM Edoardo Comar <eco...@uk.ibm.com> wrote:
> >
> >> Hi,
> >>
> >> The discuss thread on KIP-277 (
> >> https://www.mail-archive.com/dev@kafka.apache.org/msg86540.html )
> >> seems to have been fruitful and concerns have been addressed, please allow
> >> me to start a vote on it:
> >>
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-277+-+Fine+Grained+ACL+for+CreateTopics+API
> >>
> >> I will update the small PR to the latest KIP semantics if the vote passes
> >> (as I hope :-).
> >>
> >> cheers
> >> Edo
> >> --------------------------------------------------
> >>
> >> Edoardo Comar
> >>
> >> IBM Message Hub
> >>
> >> IBM UK Ltd, Hursley Park, SO21 2JN
> >> Unless stated otherwise above:
> >> IBM United Kingdom Limited - Registered in England and Wales with number
> >> 741598.
> >> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
> >>
>
> --
> "When the people fear their government, there is tyranny; when the
> government fears the people, there is liberty." [Thomas Jefferson]
>

--
-- Guozhang
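As an added illustration of the implication rules debated in this thread (not Kafka's SimpleAclAuthorizer code, and not part of the mail), a small Python model that contrasts today's rule, where read/write/delete/alter imply describe, with proposal 1, where a prefixed topic "create" also implies read/write/describe on the same prefix. It models allow rules only (no deny precedence) and leaves out proposal 2, which would need per-topic owner tracking; `Acl`, `authorize`, `IMPLIED_TODAY`, `IMPLIED_PROPOSED` and the sample ACLs are assumed names and constructed data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    """One allow rule (constructed model, not Kafka's Acl class)."""
    principal: str
    operation: str      # "Read", "Write", "Describe", "Create", ...
    resource_type: str  # "Topic" or "Cluster"
    pattern: str        # "Literal" or "Prefixed" (the KIP-290 pattern types)
    name: str           # topic name / prefix, or "kafka-cluster"


# Rule quoted in the thread: Read, Write, Delete or Alter imply Describe.
IMPLIED_TODAY = {op: {"Describe"} for op in ("Read", "Write", "Delete", "Alter")}

# Proposal 1: a (prefixed) topic Create additionally implies Read/Write/Describe.
IMPLIED_PROPOSED = dict(IMPLIED_TODAY, Create={"Read", "Write", "Describe"})


def _matches(acl: Acl, resource_type: str, name: str) -> bool:
    """Literal patterns match exactly; prefixed patterns match by startswith."""
    if acl.resource_type != resource_type:
        return False
    if acl.pattern == "Literal":
        return acl.name == name
    return name.startswith(acl.name)


def authorize(acls, principal, operation, resource_type, name, implied) -> bool:
    """True if some ACL of this principal grants the operation directly or by implication."""
    for acl in acls:
        if acl.principal != principal or not _matches(acl, resource_type, name):
            continue
        if acl.operation == operation or operation in implied.get(acl.operation, set()):
            return True
    return False


# Constructed sample: a Streams app allowed to create "app1-*" topics, plus a
# literal Read on "orders". The forgotten "read / write" rule from the thread
# is exactly what makes the first check below fail under today's semantics.
SAMPLE_ACLS = [
    Acl("User:streams", "Create", "Topic", "Prefixed", "app1-"),
    Acl("User:streams", "Read", "Topic", "Literal", "orders"),
]

if __name__ == "__main__":
    for implied, label in ((IMPLIED_TODAY, "today"), (IMPLIED_PROPOSED, "proposal 1")):
        ok = authorize(SAMPLE_ACLS, "User:streams", "Read", "Topic", "app1-repartition", implied)
        print(f"{label}: Read app1-repartition -> {ok}")
```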