Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

This page is meant as a template for writing a KIP. To create a KIP choose Tools->Copy on this page and modify with your content and replace the heading with the next KIP number and a description of your issue. Replace anything in italics with your own description.

Status

Current stateUnder Discussion

Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread] 

JIRA: here [Change the link from KAFKA-1 to your own ticket]

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Public Interfaces

Briefly list any new interfaces that will be introduced as part of this proposal or any existing interfaces that will be removed or changed. The purpose of this section is to concisely call out the public contract that will come along with this feature.

A public interface is any change to the following:

  • Binary log format

  • The network protocol and api behavior

  • Any class in the public packages under clientsConfiguration, especially client configuration

    • org/apache/kafka/common/serialization

    • org/apache/kafka/common

    • org/apache/kafka/common/errors

    • org/apache/kafka/clients/producer

    • org/apache/kafka/clients/consumer (eventually, once stable)

  • Monitoring

  • Command line tools and arguments

  • Anything else that will likely break existing users in some way when they upgrade

Proposed Changes

...

12916

Motivation

Currently Kafka supports creation new topics through a CreateTopicsRequest or by auto creation during a topic MetadataRequest (if enabled on the cluster). Kafka supports ACLs for creation but currently the CREATE acl is used to grant access to both types of topic creations. This is problematic because it may be desirable to allow a user to auto create topics but not to be able to submit a create topic request. The difference is that auto creation will use the cluster defaults for the new topic settings but a topic creation request would allow the user to have control to configure all of the different topic settings which may not be what was intended. Using topic creation policies to control this doesn't work because the principal is not currently passed to the topic creation policy so if the topic creation policy was created to block explicit topic settings it would block it for all users as there would be no way to tell if it was a super user. There needs to be a way to also allow super users (or others given permission) could set explicit topic settings still.

Public Interfaces

Changes to AclOperation

The AclOperation class needs to have a new value added to the Enum:


enum AclOperation {

...
/**
* AUTO_CREATE operation.
*/
AUTO_CREATE((byte) 13);

}

Proposed Changes

The proposed change is to create a new ACL operation called AUTO_CREATE that will be checked to see if a user is authorized to auto create topics instead of using the existing CREATE operation. This new operation will apply both cluster wide (allowed to create a topic of any name) or topic wide (will validate by topic name or prefix). The CREATE operation will still be used for the existing CreateTopicsRequest command. Going forward this will allow an administrator to grant permission to auto create topics with cluster defaults but not to explicitly create topics.

The goals of this change:

  1. Allow admins or super users the ability to create topics and also set explicit configs on the new topics.
  2. Allow some users the ability to auto-create topics but not set explicit configs (only given cluster defaults).
  3. Deny creation of topics entirely to other users.

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
  • If we are changing behavior how will we phase out the older behavior?
  • If we need special migration tools, describe them here.
  • When will we remove the existing behavior?

Rejected Alternatives

This change will be fully backwards compatible and will not break existing users. The AclAuthorizer class will be updated so that any user that is granted the CREATE operation will also imply AUTO_CREATE. This means that any existing configurations that grant CREATE will still work because when the new check is done for AUTO_CREATE the CREATE operation will be implied and return true.

Rejected Alternatives

The API could be changed such that CreateTopicPolicy (and also AlterConfigPolicy) could have the principal passed as part of the validation request. This could possibly work but is much more limited and I think using the built in ACL mechanism that already exists seems like a better solution as this is really a permission issue that is trying to be solved. While passing the principal to the policy gives the policy the ability to know who is making the request, only the ACL authorizer has all the information loaded to make permissions decisions and that still wouldn't be available to the create topic policy. Without the ACL authorizer the best you could do would be just check if a super user which is better but still doesn't solve the whole problem if you want to grant non super users the ability to create topics explicitly for certain topic prefixesIf there are alternative ways of accomplishing the same thing, what were they? The purpose of this section is to motivate why the design is the way it is and not some other way.