...
Key Name | Description | Valid Values | Default Value |
---|---|---|---|
early.start.listeners | A list of listeners which we want to start as early as possible. This is useful in cases where the startup process requires some listeners to be open before other listeners can be brought up. In general, a listener should not appear in this list if it accepts external traffic. | A comma-separated list of listener names | The controller listener, if one is present (i.e., if we are in KRaft mode). |
super.users | Just as in AclAuthorizer, this is a semi-colon separated list of users that will be treated as super users. | A comma-separated list of user names | Empty |
allow.everyone.if.no.acl.found | Just as in AclAuthorizer, if this is set to true, in the case when no acls are found for a resource, the authorizer allows access to everyone. | true or false | false |
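
A configuration check for the three keys in the table, added here as an example (it is not code from the KIP or from Kafka). It flags early start listeners that are not controller listeners, a fail-open `allow.everyone.if.no.acl.found`, and an unauthenticated super user. The sample file is constructed, and the "not a controller listener" rule is a heuristic assumption; `controller.listener.names` and the `User:ANONYMOUS` principal are Kafka names that do not appear in this table.

```python
# Constructed sample configuration, not taken from a real cluster.
SAMPLE = """\
listeners=CONTROLLER://:9093,EXTERNAL://:9094
controller.listener.names=CONTROLLER
early.start.listeners=CONTROLLER,EXTERNAL
super.users=User:admin;User:ANONYMOUS
allow.everyone.if.no.acl.found=true
"""


def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!":
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def split_list(value, sep):
    return [item.strip() for item in value.split(sep) if item.strip()]


def audit(props):
    """Return (key, finding) tuples for settings that need review."""
    findings = []
    controllers = set(split_list(props.get("controller.listener.names", ""), ","))
    for name in split_list(props.get("early.start.listeners", ""), ","):
        # Heuristic (assumption): a listener other than a controller listener
        # may accept external traffic, and it opens before the authorizer is ready.
        if name not in controllers:
            findings.append(("early.start.listeners", f"{name} is not a controller listener"))
    if props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append(("allow.everyone.if.no.acl.found", "resources without ACLs are open to everyone"))
    # super.users is split on ';' as the description in the table states.
    if "User:ANONYMOUS" in split_list(props.get("super.users", ""), ";"):
        findings.append(("super.users", "unauthenticated principal is a super user"))
    return findings


if __name__ == "__main__":
    for key, finding in audit(parse_properties(SAMPLE)):
        print(f"{key}: {finding}")
```
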
New Error Codes
...
EnvelopeRequest
We will bump the version of EnvelopeRequest to reflect the fact that it can now return a new error code: AUTHORIZER_NOT_READY. This error code will only ever be returned from early start endpoints. It indicates that the operation could not be performed because the Authorizer has not fully initialized yet, as described in the previous section about "early start listeners."
As described in KIP-590, brokers use EnvelopeRequest to forward user requests to KRaft controllers. When the broker gets back an AUTHORIZER_NOT_READY error for a forwarded request, it should wait for a while and then try to forward the request again. This is basically the same behavior as what the broker does when there is a network error when forwarding a request. At some point, of course, the request will time out.
If the version of EnvelopeRequest is too old, then the controller will return UNKNOWN_SERVER_EXCEPTION instead.
Since the controller uses ApiVersions to determine what RPC versions to use, rather than consulting the IBP, we do not need to bump the IBP to make this change.
Metadata Shell
The metadata shell will support examining KRaft ACLs. Each ACL will appear in /acl/id/<uuid> in its JSON form.
...