co-authored-by: Mickael Maison <mickael.maison@gmail.com>
...
This currently makes it impossible to let a user manage the lifecycle of a defined set of topics: she/he will be able to create any topic, but not necessarily to delete all of them.
Proposed Changes
Change the current ACL check for creating a topic T, from CREATE on Cluster, to CREATE on Topic(T).
Change the AclCommand CLI tool so that the `--producer` convenience option manages the newly required ACL.
Public Interfaces
On failure of an authorization check, `CreateTopicsRequest` will return with an error code of `TOPIC_AUTHORIZATION_FAILED` (29) instead of `CLUSTER_AUTHORIZATION_FAILED` (31).
...
- What impact (if any) will there be on existing users?
  - existing ACLs with CREATE permission on Cluster will not allow users to create topics anymore
- If we need special migration tools, describe them here.
  - replacing `CREATE Cluster` ACLs with `CREATE Topic *`
Rejected Alternatives
An alternative that we want to discuss with the community is to favour compatibility rather than simplicity, and consider the existing "Create Cluster" permission as equivalent to "Create Any Topics": if Create Cluster is allowed, the specific Create Topic check is skipped.
In that case, for symmetry, there could be a DELETE check on Cluster meaning delete any topics.
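
As an added illustration (not code from this KIP or from Kafka), the Python model below contrasts the current and proposed CreateTopics checks, the migration step, and the compatibility alternative discussed above. The ACL tuple layout, the function names and the sample principals are assumptions made for the example.

```python
# Added illustration: a toy model of the checks, not Kafka's authorizer code.
NONE = 0
TOPIC_AUTHORIZATION_FAILED = 29    # error codes as quoted in the KIP text
CLUSTER_AUTHORIZATION_FAILED = 31
CLUSTER = "kafka-cluster"          # name of Kafka's single Cluster resource

def allowed(acls, principal, op, rtype, name):
    """ACLs are (principal, operation, resource_type, resource_name); '*' = any name."""
    return (principal, op, rtype, name) in acls or (principal, op, rtype, "*") in acls

def create_topic_current(acls, principal, topic):
    # Current check: CREATE on Cluster; the topic name plays no part.
    ok = allowed(acls, principal, "CREATE", "Cluster", CLUSTER)
    return NONE if ok else CLUSTER_AUTHORIZATION_FAILED

def create_topic_proposed(acls, principal, topic):
    # Proposed check: CREATE on Topic(T).
    ok = allowed(acls, principal, "CREATE", "Topic", topic)
    return NONE if ok else TOPIC_AUTHORIZATION_FAILED

def create_topic_compat(acls, principal, topic):
    # Rejected alternative: CREATE on Cluster short-circuits the per-topic check.
    if allowed(acls, principal, "CREATE", "Cluster", CLUSTER):
        return NONE
    return create_topic_proposed(acls, principal, topic)

def delete_topic(acls, principal, topic):
    # Deletion is authorized per topic (DELETE on Topic), as the motivation implies.
    ok = allowed(acls, principal, "DELETE", "Topic", topic)
    return NONE if ok else TOPIC_AUTHORIZATION_FAILED

def migrate(acls):
    """Migration step from the KIP: replace CREATE Cluster ACLs with CREATE Topic *."""
    return {(p, op, "Topic", "*") if (op, rt) == ("CREATE", "Cluster") else (p, op, rt, n)
            for (p, op, rt, n) in acls}

# Constructed sample ACLs: alice owns the lifecycle of one topic, bob holds a legacy grant.
ACLS = {
    ("User:alice", "CREATE", "Topic", "orders"),
    ("User:alice", "DELETE", "Topic", "orders"),
    ("User:bob", "CREATE", "Cluster", CLUSTER),
}

if __name__ == "__main__":
    for user, topic in [("User:alice", "orders"), ("User:alice", "payments"), ("User:bob", "orders")]:
        print(user, topic,
              "current:", create_topic_current(ACLS, user, topic),
              "proposed:", create_topic_proposed(ACLS, user, topic),
              "migrated:", create_topic_proposed(migrate(ACLS), user, topic),
              "delete:", delete_topic(ACLS, user, topic))
```

Under the current check bob can create any topic but delete none, which is the lifecycle mismatch the motivation describes; under the proposed check his legacy grant stops working until it is migrated.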