...
The version of the relevant requests will be bumped up. Authorized operations will be returned as an array of INT8 values, each of which is consistent with AclOperation used in ACL requests and responsesINT32 with bits set for each permitted operation. The bitfield corresponding to each operation with be the existing operation code used in AclOperation
. If in future we exceed 32 operations and need more bits, the field can be made into INT64 with a version bump. The highest code currently in use is 12.
Metadata Request and Response: v8
Code Block | ||||
---|---|---|---|---|
| ||||
Metadata Request => [topics] allow_auto_topic_creation include_cluster_authorized_operations include_topic_authorized_operations <== ADDED include_cluster_authorized_operations, include_topic_authorized_operations topics => STRING allow_auto_topic_creation => BOOLEAN include_cluster_authorized_operations => BOOLEAN <== NEW include_topic_authorized_operations => BOOLEAN <== NEW Metadata Response => throttle_time_ms [brokers] cluster_id controller_id [topic_metadata] [authorized_operations] <== ADDED authorized_operations throttle_time_ms => INT32 brokers => node_id host port rack node_id => INT32 host => STRING port => INT32 rack => NULLABLE_STRING cluster_id => NULLABLE_STRING controller_id => INT32 topic_metadata => error_code topic is_internal [partition_metadata] [authorized_operations] <== ADDED authorized_operations error_code => INT16 topic => STRING is_internal => BOOLEAN partition_metadata => error_code partition leader leader_epoch [replicas] [isr] [offline_replicas] error_code => INT16 partition => INT32 leader => INT32 leader_epoch => INT32 replicas => INT32 isr => INT32 offline_replicas => INT32 authorized_operations => INT8INT32 <== NEW |
DescribeGroups Request and Response v3
Code Block | ||||
---|---|---|---|---|
| ||||
DescribeGroups Request => [group_ids] include_authorized_operations <== ADDED include_authorized_operations group_ids => STRING include_authorized_operations => BOOLEAN <== NEW DescribeGroups Response => throttle_time_ms [groups] throttle_time_ms => INT32 groups => error_code group_id state protocol_type protocol [members] [authorized_operations] <== ADDED authorized_operations error_code => INT16 group_id => STRING state => STRING protocol_type => STRING protocol => STRING members => member_id client_id client_host member_metadata member_assignment member_id => STRING client_id => STRING client_host => STRING member_metadata => BYTES member_assignment => BYTES authorized_operations => INT8INT32 <== NEW |
AdminClient API Changes
...
The corresponding resource description or result classes returned by AdminClient will be extended to provide an optional set of authorized operations. The bits set in the new INT32 field in the response will be used to generate a set of AclOperation
entries, where each operation code is derived from the position of the bit field. When new operations are added, older clients will ignore any authorized operations returned by the broker that is not supported by the client.
Example: ConsumerGroupDescription
...
- Existing clients using older versions will not request authorized operations in
Describe
requests since the default is to disable this feature. This keeps older clients compatible with newer brokers. - Newer clients connecting to older brokers will use the older protocol version and hence will not request authorized operations.
AdminClient
will throw an exception if the option is requested but not supported by brokers. - When new operations are added, newer brokers may return operations that are not known to older clients. These will be returned as
AclOperation.UNKNOWN
by the Java clients and must be ignored. This is consistent withDescribeAcls
AdminClient will ignore any bit that is set inauthorized_operations
that is not known to the client. TheSet<AclOperation>
created by the client from the bits returned by the broker will only include operations that the client client knows about.
Rejected Alternatives
Add a new request to obtain authorized operations for different resources
...