Status
Current state: Under Discussion Approved
Discussion thread: DISCUSS DISCUSS+VOTE
JIRA: KAFKA-13646
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Key Name | Description | Valid Values | Default Value |
---|---|---|---|
early.start.listeners | A list of listeners which we want to start as early as possible. This is useful in cases where the startup process requires some listeners to be open before other listeners can be brought up. In general, a listener should not appear in this list if it accepts external traffic. | A comma-separated list of listener names | The controller listener, if one is present (i.e., if we are in KRaft mode). |
super.users | Just as in AclAuthorizer, this is a semi-colon separated list of users that will be treated as super users. | A comma-separated list of user names | Empty |
allow.everyone.if.no.acl.found | Just as in AclAuthorizer, if this is set to true, in the case when no ACLs are found for a resource, the authorizer allows access to everyone. | true or false | false |
New Error Codes
...
EnvelopeRequest
We will bump the version of EnvelopeRequest to reflect the fact that it can now return a new error code: AUTHORIZER_NOT_READY
...
. This error code will only ever be returned from early start endpoints. It indicates that the operation could not be performed because the Authorizer
...
has not fully initialized yet, as described in the previous section about "early start listeners."
As described in KIP-590, brokers use EnvelopeRequest to forward user requests to KRaft controllers. When the broker gets back an AUTHORIZER_NOT_READY error for a forwarded request, it should wait for a while and then try to forward the request again. This is basically the same behavior as what the broker does when there is a network error while forwarding a request. At some point, of course, the request will time out.
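The retry behavior described above, as an added illustration that is not part of the KIP or of Kafka's broker code: a constructed model of the forwarding loop that re-sends while the controller answers AUTHORIZER_NOT_READY and fails with a timeout once the request deadline is reached. The error code names follow the KIP text; the clock, the controller stub, the backoff value and the REQUEST_TIMED_OUT outcome are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Error code names taken from the KIP text; the retry policy below is a constructed
# model of the described broker behaviour, not Kafka's actual forwarding code.
NONE = "NONE"
AUTHORIZER_NOT_READY = "AUTHORIZER_NOT_READY"
NETWORK_EXCEPTION = "NETWORK_EXCEPTION"
REQUEST_TIMED_OUT = "REQUEST_TIMED_OUT"

# Errors after which the broker re-sends the forwarded request instead of failing it.
RETRIABLE_FORWARD_ERRORS = {AUTHORIZER_NOT_READY, NETWORK_EXCEPTION}


class FakeClock:
    """Deterministic clock so the loop can be exercised without real sleeping."""

    def __init__(self) -> None:
        self.now_ms = 0

    def sleep(self, ms: int) -> None:
        self.now_ms += ms


@dataclass
class ForwardOutcome:
    error: str        # final error code handed back to the client
    attempts: int     # number of EnvelopeRequests actually sent
    elapsed_ms: int   # time spent waiting on the controller


def forward_with_retry(send: Callable[[], str], request_timeout_ms: int,
                       retry_backoff_ms: int, clock: FakeClock) -> ForwardOutcome:
    """Forward one request inside an EnvelopeRequest. While the controller answers
    AUTHORIZER_NOT_READY (or the network fails) wait retry_backoff_ms and resend;
    once the next wait would cross the request deadline, fail with REQUEST_TIMED_OUT."""
    start = clock.now_ms
    attempts = 0
    while True:
        attempts += 1
        error = send()
        if error not in RETRIABLE_FORWARD_ERRORS:
            return ForwardOutcome(error, attempts, clock.now_ms - start)
        if clock.now_ms - start + retry_backoff_ms >= request_timeout_ms:
            return ForwardOutcome(REQUEST_TIMED_OUT, attempts, clock.now_ms - start)
        clock.sleep(retry_backoff_ms)


class FakeController:
    """Constructed controller stub: rejects with AUTHORIZER_NOT_READY until
    `ready_after` envelopes have been seen, then accepts."""

    def __init__(self, ready_after: int) -> None:
        self.ready_after = ready_after
        self.seen = 0

    def handle_envelope(self) -> str:
        self.seen += 1
        return NONE if self.seen > self.ready_after else AUTHORIZER_NOT_READY


def run_scenarios():
    clock = FakeClock()
    # Controller finishes loading its ACLs after two rejections: third attempt succeeds.
    recovered = forward_with_retry(FakeController(ready_after=2).handle_envelope,
                                   request_timeout_ms=30_000, retry_backoff_ms=100, clock=clock)
    # Controller never becomes ready: the broker keeps retrying until the deadline.
    timed_out = forward_with_retry(FakeController(ready_after=10**9).handle_envelope,
                                   request_timeout_ms=1_000, retry_backoff_ms=100, clock=clock)
    return recovered, timed_out


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```

The point worth checking operationally is the second scenario: a controller whose authorizer never finishes loading does not produce an immediate authorization failure, it produces client-side timeouts, so a spike in timed-out forwarded requests right after a controller restart is the symptom to look for.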
If the version of EnvelopeRequest is too old, then the controller will return UNKNOWN_SERVER_EXCEPTION instead.
Since the controller uses ApiVersions to determine what RPC versions to use, rather than consulting the IBP, we do not need to bump the IBP to make this change
...
.
Metadata Shell
The metadata shell will support examining KRaft ACLs. Each ACL will appear in /acl/id/<uuid> in its JSON form.
New Metrics
In order to improve manageability, we will add a new metric, AclCount.
Attribute Name | Value | Notes |
---|---|---|
kafka.server:type=Authorizer,name=AclCount | Current number of ACLs | For combined nodes, this is the count from the controller authorizer, not the broker authorizer. |
New Authorizer Function
In order to support the AclCount metric, we will extend the Authorizer API with a new aclCount function.
    int aclCount();
In order to preserve compatibility, this function will default to returning -1, so that existing Authorizer subclasses will continue to work. Authorizers that expose this metric should override this function with the correct value.
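An added example, not code from the KIP or from Kafka, tying together the configuration table above (super.users and allow.everyone.if.no.acl.found) and the aclCount function: a constructed in-memory authorizer shows the order in which the two settings are applied to a decision, and a base class with the -1 default shows how a metrics layer can distinguish "this authorizer does not report AclCount" from "zero ACLs". The class names, the literal-only resource matching, and the DENY-over-ALLOW rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class AuthorizerConfig:
    """The two AclAuthorizer-compatible settings from the configuration table."""
    super_users: FrozenSet[str]
    allow_everyone_if_no_acl_found: bool

    @classmethod
    def parse(cls, props: Dict[str, str]) -> "AuthorizerConfig":
        # super.users is semicolon-separated, e.g. "User:admin;User:ops".
        raw = props.get("super.users", "")
        users = frozenset(u.strip() for u in raw.split(";") if u.strip())
        flag = props.get("allow.everyone.if.no.acl.found", "false").strip().lower() == "true"
        return cls(users, flag)


@dataclass(frozen=True)
class Acl:
    principal: str   # e.g. "User:alice"
    resource: str    # e.g. "topic:payments" (literal match only in this model)
    operation: str   # e.g. "READ"
    permission: str  # ALLOW or DENY


class Authorizer:
    """Base API. acl_count() defaults to -1 so subclasses written before the
    AclCount metric existed keep working without changes."""

    def authorize(self, principal: str, resource: str, operation: str) -> str:
        raise NotImplementedError

    def acl_count(self) -> int:
        return -1


class LegacyAuthorizer(Authorizer):
    """An older plugin that never learned about acl_count()."""

    def authorize(self, principal, resource, operation):
        return DENY


class KRaftAclAuthorizer(Authorizer):
    """Constructed decision logic over an in-memory ACL list."""

    def __init__(self, config: AuthorizerConfig, acls: Iterable[Acl]) -> None:
        self.config = config
        self.acls: List[Acl] = list(acls)

    def authorize(self, principal, resource, operation):
        # 1. Super users bypass ACL evaluation entirely.
        if principal in self.config.super_users:
            return ALLOW
        # 2. No ACLs at all for this resource: fall back to the configured default.
        on_resource = [a for a in self.acls if a.resource == resource]
        if not on_resource:
            return ALLOW if self.config.allow_everyone_if_no_acl_found else DENY
        # 3. Otherwise a matching DENY wins over a matching ALLOW; anything else is denied.
        hits = [a for a in on_resource if a.principal == principal and a.operation == operation]
        if any(a.permission == DENY for a in hits):
            return DENY
        if any(a.permission == ALLOW for a in hits):
            return ALLOW
        return DENY

    def acl_count(self) -> int:
        return len(self.acls)


def acl_count_gauge(authorizer: Authorizer) -> Optional[int]:
    """Value to publish as kafka.server:type=Authorizer,name=AclCount.
    None means 'not reported by this authorizer' (the -1 default), so a plugin
    that does not count ACLs is not shown as having zero of them."""
    n = authorizer.acl_count()
    return None if n < 0 else n


def build_example() -> KRaftAclAuthorizer:
    # Constructed sample configuration and ACLs.
    config = AuthorizerConfig.parse({"super.users": "User:admin;User:ops",
                                     "allow.everyone.if.no.acl.found": "false"})
    acls = [
        Acl("User:alice", "topic:payments", "READ", ALLOW),
        Acl("User:bob", "topic:payments", "WRITE", ALLOW),
        Acl("User:bob", "topic:payments", "WRITE", DENY),   # DENY beats the ALLOW above
    ]
    return KRaftAclAuthorizer(config, acls)
```

Note that allow.everyone.if.no.acl.found only applies to resources with no ACLs at all: once a single ACL exists for a resource, every principal not explicitly allowed is denied, which is why the flag is usually left at its default of false on any cluster exposed to more than one tenant.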
Compatibility, Deprecation, and Migration Plan
...