...
- Wire protocol additions and changes
- Server-side message handlers and authorization
New Java AdminClient implementation
- Refactor admin scripts and code to use new client where appropriate
Follow Up Changes
Changes that should be done shortly after, or that are enabled by, this KIP include:
- Review privileges for listing and altering ACLs to be more fine grained.
- Provide an Authorizer interface using the new Java classes used by the ACL requests/responses
- Deprecate the old one to encourage transition
Details
1. Wire Protocol Extensions
...
New Protocol Errors
It is proposed to add the following error codes to the protocol, reusing existing codes where marked.
Error | Description | Requests |
---|---|---|
TopicAlreadyExists | Topic with this name already exists. | Create |
InvalidTopic (existing) | Topic name contains invalid characters or doesn't exist. | Create, Alter, Delete |
InvalidPartitions | Partitions field is invalid (e.g. negative or increasing number of partitions in existing topic) | Create, Alter |
InvalidReplicationFactor | ReplicationFactor field is invalid (e.g. negative) | Create, |
InvalidReplicaAssignment | ReplicaAssignment field is invalid (e.g. contains duplicates) | |
InvalidTopicConfiguration | Either topic-level config setting or value is incorrect. | Create |
DecreasePartitionsNotAllowed | Invalid Partitions argument: decreasing partitions is prohibited when altering topic. | Alter |
ReassignPartitionsInProgress | Reassign partitions procedure has already been started. | Alter |
Generally, a client should have enough context to provide a descriptive error message.
The same notation as in A Guide To The Kafka Protocol is used here.
ACL Admin Schema
List ACLs Request
ListAclsRequest => principal resource
resource => resource_type resource_name
resource_type => INT8
resource_name => STRING
principal => NULLABLE_STRING
Request semantics:
- Can be sent to any broker
- If a non-null principal is provided, the returned ACLs will be filtered by that principal; otherwise ACLs for all principals will be listed.
- If a resource with a resource_type != -1 is provided, ACLs will be filtered by that resource; otherwise ACLs for all resources will be listed.
- Any principal can list their own ACLs where the permission type is "Allow"; otherwise the principal must be authorized for the "All" Operation on the "Cluster" resource to list ACLs.
- Unauthorized requests will receive a ClusterAuthorizationException
- This will be reviewed as a follow up ACLs review after this KIP. See Follow Up Changes.
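The List ACLs request layout and its authorization rules, as an added example (not code from the KIP or from Kafka). It assumes the Kafka protocol guide's primitive encodings (big-endian integers, STRING as an INT16 length plus UTF-8 bytes, NULLABLE_STRING with length -1 for null), covers the request body only, and reads "their own ACLs" as a request whose principal equals the authenticated caller. The function names, the ACL tuple layout, the `cluster_all` flag and the resource_type value 2 are hypothetical.

```python
import struct

class ClusterAuthorizationException(Exception):
    """Raised when the caller may not list the requested ACLs."""

def encode_list_acls_request(principal, resource_type, resource_name):
    """Body only: principal (NULLABLE_STRING), resource_type (INT8), resource_name (STRING)."""
    if principal is None:
        out = struct.pack(">h", -1)               # null principal: length -1, no bytes
    else:
        p = principal.encode("utf-8")
        out = struct.pack(">h", len(p)) + p
    n = resource_name.encode("utf-8")
    return out + struct.pack(">b", resource_type) + struct.pack(">h", len(n)) + n

def decode_list_acls_request(buf):
    """Strict decode: rejects truncated input, bad lengths and trailing bytes."""
    def take(off, size):
        if size < 0 or off + size > len(buf):
            raise ValueError("truncated or malformed ListAclsRequest")
        return buf[off:off + size], off + size
    raw, off = take(0, 2)
    (plen,) = struct.unpack(">h", raw)
    principal = None
    if plen != -1:                                # only -1 means null; other negatives fail in take()
        raw, off = take(off, plen)
        principal = raw.decode("utf-8")
    raw, off = take(off, 3)
    rtype, nlen = struct.unpack(">bh", raw)
    raw, off = take(off, nlen)
    if off != len(buf):
        raise ValueError("trailing bytes after ListAclsRequest")
    return principal, rtype, raw.decode("utf-8")

def handle_list_acls(caller, cluster_all, acls, buf):
    """acls: (principal, resource_type, resource_name, permission) tuples (hypothetical store)."""
    principal, rtype, rname = decode_list_acls_request(buf)
    own_only = principal is not None and principal == caller
    if not cluster_all and not own_only:          # a null principal asks for everyone's ACLs
        raise ClusterAuthorizationException(caller)
    hits = [a for a in acls
            if (principal is None or a[0] == principal)
            and (rtype == -1 or (a[1], a[2]) == (rtype, rname))]
    if not cluster_all:
        hits = [a for a in hits if a[3] == "Allow"]   # self-service view: Allow entries only
    return hits

# Constructed sample ACL entries; resource_type 2 is an arbitrary illustrative value.
ACLS = [("User:alice", 2, "payments", "Allow"), ("User:alice", 2, "audit", "Deny"),
        ("User:bob", 2, "payments", "Allow")]
```

Authorization is decided before any filtering, so an unprivileged caller cannot learn whether another principal has ACLs from the size or content of the result.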
List ACLs Response
ListAclsResponse => [responses] error_code
Alter ACLs Request
AlterAclsRequest => ...
Request semantics:
- Can be sent to any broker
- If a non-null principal is provided, the returned ACLs will be filtered by that principal; otherwise ACLs for all principals will be listed.
- If a resource with a resource_type != -1 is provided, ACLs will be filtered by that resource; otherwise ACLs for all resources will be listed.
- The principal must be authorized for the "All" Operation on the "Cluster" resource to alter ACLs.
- Unauthorized requests will receive a ClusterAuthorizationException
- This will be reviewed as a follow up ACLs review after this KIP. See Follow Up Changes.
Alter ACLs Response
AlterAclsResponse => ...
Topic Admin Schema
Create Topic Request
...