Versions Compared

Old Version 3

changes.mady.by.user Edoardo Comar

Saved on

compared with

New Version Current

changes.mady.by.user Edoardo Comar

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

co-authored-by: Mickael Maison <mickael.maison@gmail.com>

Status

Current state[Draft]APPROVED -  voting thread

Discussion thread: mail-archives.apache.org/... here [Change the link from the KIP proposal email archive to your own email thread]

JIRA: KAFKA-6726 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

...

Change the current ACL check for creating a topic T, from CREATE on Cluster, to CREATE on Cluster OR CREATE on Topic(T).

Note that the check is performed on two execution paths : explicit creation and auto creation of a topic.

Change the AclCommand CLI tool so that the `–producer` convenience option manages uses the new needed ACLfiner grained ACL on a given topic

Public Interfaces

On failure from an authorization check, CreateTopicsRequest will return with an error code of  TOPIC_AUTHORIZATION_FAILED(29) instead of CLUSTER_AUTHORIZATION_FAILED (31)

The script kafka-acls.sh will no longer also accept --operation Create in combination with --cluster but will accept it in combination with --topic T

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
    • existing ACLs with CREATE permission on Cluster will not still allow users to create topics anymoreany topics 
    • clients expecting an error in CreateTopicResponse will receive TOPIC_AUTHORIZATION_FAILED(29) instead of CLUSTER_AUTHORIZATION_FAILED (31).
      in the Java client, both are mapped to subclasses of AuthorizationException;
      handling any auth error likely requires human intervention.
  • If we need special migration tools, describe them here.
    • replacing CREATE Cluster ACLs with CREATE Topic *not needed

Rejected Alternatives

An alternative that we want to discuss with the community is to favour compatibility rather than simplicity,
and consider existing "Create Cluster" permission as equivalent to "Create Any Topics", so that Create Cluster is allowed, skip the specific Create Topic check.

...

  • Rejected the proposal of only checking for CREATE on Topic(T), (i.e. not checking anymore for CREATE on CLUSTER) because of backward compatibility.
  • Rejected the idea of having, for symmetry, a DELETE check on Cluster meaning allowed to delete any topics. The resource value ANY should be used instead for the topic.