Versions Compared

Old Version 1

changes.mady.by.user Manikumar Reddy O.

Saved on

compared with

New Version Current

changes.mady.by.user Manikumar Reddy O.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current state "Under Discussion" Adopted

Discussion thread: here 

JIRA: here 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Describe the problems you are trying to solve.

Public Interfaces

Briefly list any new interfaces that will be introduced as part of this proposal or any existing interfaces that will be removed or changed. The purpose of this section is to concisely call out the public contract that will come along with this feature.

A public interface is any change to the following:

  • Binary log format

  • The network protocol and api behavior

  • Any class in the public packages under clientsConfiguration, especially client configuration

    • org/apache/kafka/common/serialization

    • org/apache/kafka/common

    • org/apache/kafka/common/errors

    • org/apache/kafka/clients/producer

    • org/apache/kafka/clients/consumer (eventually, once stable)

  • Monitoring

  • Command line tools and arguments

  • Anything else that will likely break existing users in some way when they upgrade

Proposed Changes

From JIRA description

"Currently the `kafka-acls` command has a `--list` option that can list per resource. In order to look at the ACLs  for a particular principal the user needs to iterate through the entire list to figure out what privileges a particular principal has been granted. An option to list the ACL per principal would simplify this process."

We propose new optional argument "–principal" to list the ACLs for the specified principals.

Public Interfaces

kafka-acls.sh script with "--list" option supports optional argument "--principal" with the following specification

Code Block
    val listPrincipalsOpt = parser.accepts("principal", "List ACLs for the specified principal. principal is in principalType:name format." +
      " Note that principalType must be supported by the Authorizer being used. Multiple principal options can be passed.")
      .withOptionalArg()
      .describedAs("principal")
      .ofType(classOf[String])


Example:

Code Block
>> sh kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --principal User:User1 --principal User:User2
ACLs for principal `User:User1`
Current ACLs for resource `Group:PREFIXED:TEST_GROUP`:
 	User:User1 has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:PREFIXED:TEST_TOPIC`:
 	User:User1 has Allow permission for operations: Read from hosts: *
	User:User1 has Allow permission for operations: Create from hosts: *
	User:User1 has Allow permission for operations: Write from hosts: *
	User:User1 has Allow permission for operations: Describe from hosts: *


ACLs for principal `User:User2`
Current ACLs for resource `Group:PREFIXED:TEST_GROUP`:
 	User:User2 has Allow permission for operations: Read from hosts: *

Current ACLs for resource `Topic:PREFIXED:TEST_TOPIC`:
 	User:User2 has Allow permission for operations: Read from hosts: *
	User:User2 has Allow permission for operations: Create from hosts: *
	User:User2 has Allow permission for operations: Write from hosts: *
	User:User2 has Allow permission for operations: Describe from hosts: *

Proposed Changes

AclCommand with Authorizer Interface:

We have a method in Authorizer interface to get acls for a given principal.
We will use this method to fetch acls and filter the results for the requested Resources.

Authorizer {
def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]]
}

AclCommand with AdminClient API:

Currently AdminClient API doesn't have a API to fetch acls for a given principal.
So while using AclCommand with AdminClient API (KIP-332: Update AclCommand to use AdminClient API),
we just filter the results returned from the describeAcls API.

We can add new AdminClient API/new DescribeAclsRequest if required in futureDescribe the new thing you want to do in appropriate detail. This may be fairly extensive and have large subsections of its own. Or it may be a few sentences. Use judgement based on the scope of the change.

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior how will we phase out the older behavior?
  • If we need special migration tools, describe them here.
  • When will we remove the existing behavior?

Rejected Alternatives

...

  • There won't be any change of current behavior.