...

Status

Current state: under discussionaccepted

Discussion thread: https://www.mail-archive.com/dev@kafka.apache.org/msg70858.html

JIRA:

Released: 0.11.0

Motivation

As part of the KIP-117 work to create an AdminClient for Kafka, we would like to have a way of adding, deleting, and listing the access control lists (ACLs) which are used to control access on Kafka topics and brokers.

...

• 0: unknown

• 1: any

• 2: topic

• 3: group

• 4: cluster

• 5: transactional_id

   

"Unknown" represents a resource type that we don't know how to decode.  "Any" can only be used in filters, and matches any resource type.

...

Because the arguments to CreateAclsRequest are concrete ACLs and not filters, they should not contain ANY or null fields.  They also should not contain UNKNOWN fields.  Resource names cannot be empty.  When the resource type is CLUSTER, the name must be "kafka-cluster".

DeleteAclsRequest and DeleteAclsResponse

...

If no authorizer is configured, and the user attempts to list, add, or remove ACLs, SecurityDisabledException will be thrown.  Its error code will be 53.

Compatibility Plan

Since there are no existing ACL APIs and requests, backwards compatibility is not an issue.  However, we still need to think about forwards compatibility.  The version of the AdminClient that we release in 0.11 should be able to interact with future versions of the broker.

...