THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
Status
Current state: Under Discussion
Discussion thread: here
JIRA: KAFKA-12916
Motivation
Currently Kafka supports creation new topics through a CreateTopicsRequest or by auto creation during a topic MetadataRequest (if enabled on the cluster). Kafka supports ACLs for creation but currently the CREATE acl is used to grant access to both types of topic creations. This is problematic because it may be desirable to allow a user to auto create topics but not to be able to submit a create topic request. The difference is that auto creation will use the cluster defaults for the new topic settings but a topic creation request would allow the user to have control to configure all of the different topic settings which may not be what was intended. Using topic creation policies to control this doesn't work because the principal is not currently passed to the topic creation policy so if the topic creation policy was created to block explicit topic settings it would block it for all users as there would be no way to tell if it was a super user. There needs to be a way to also allow super users (or others given permission) could set explicit topic settings still.
Public Interfaces
Changes to AclOperation
The AclOperation class needs to have a new value added to the Enum:
enum AclOperation {
...
/**
* AUTO_CREATE operation.
*/
AUTO_CREATE((byte) 13);
}
Proposed Changes
The proposed change is to create a new ACL operation called AUTO_CREATE that will be checked to see if a user is authorized to auto create topics instead of using the existing CREATE operation. This new operation will apply both cluster wide (allowed to create a topic of any name) or topic wide (will validate by topic name or prefix). The CREATE operation will still be used for the existing CreateTopicsRequest command. Going forward this will allow an administrator to grant permission to auto create topics with cluster defaults but not to explicitly create topics.
The goals of this change:
- Allow admins or super users the ability to create topics and also set explicit configs on the new topics.
- Allow some users the ability to auto-create topics but not set explicit configs (only given cluster defaults).
- Deny creation of topics entirely to other users.
Compatibility, Deprecation, and Migration Plan
This change will be fully backwards compatible and will not break existing users. The AclAuthorizer class will be updated so that any user that is granted the CREATE operation will also imply AUTO_CREATE. This means that any existing configurations that grant CREATE will still work because when the new check is done for AUTO_CREATE the CREATE operation will be implied and return true.
Rejected Alternatives
The API could be changed such that CreateTopicPolicy (and also AlterConfigPolicy) could have the principal passed as part of the validation request. This could possibly work but is much more limited and I think using the built in ACL mechanism that already exists seems like a better solution as this is really a permission issue that is trying to be solved. While passing the principal to the policy gives the policy the ability to know who is making the request, only the ACL authorizer has all the information loaded to make permissions decisions and that still wouldn't be available to the create topic policy. Without the ACL authorizer the best you could do would be just check if a super user which is better but still doesn't solve the whole problem if you want to grant non super users the ability to create topics explicitly for certain topic prefixes.