...
DescribeClusterOptions
: This is a metadata request. Operations returned will be a subset of{Describe, Alter, DescribeConfigs, AlterConfigs, IdempotentWrite}
DescribeTopicsOptions
: Also a metadata request. Operations returned will be a subset of{Create, Delete, Read, Write, Describe, Alter, DescribeConfigs
, AlterConfigs
}DescribeConsumerGroupsOptions
: Operations returned will be a subset of{Describe, Read, Delete}
...
As described above, Kafka protocol for requests and responses to describe broker resources will be extended to request authorized operations and return the set of authorized operations if requested. Broker will use its pluggable Authorizer
to obtain the set of permitted operations for the Session
performing the Describe
operation. SimpleAclAuthorizer
will be updated to traverse through ACLs once and return all the matching operations. Custom authorizers may be extended to do the same, but a default implementation that uses the existing `authorize()
` method to authorize every supported operation ensures that existing authorizers can be used without change. If no authorizer is configured on the broker, the full set of supported operations on each resource will be returned.
Broker will check Describe
access on the resources before returning any metadata, so only users authorized for Describe
may obtain the additional information provided by this KIP. Users without Describe
access continue to get errors that dont leak information about the existence of resources.
...