...
co-authored-by: Mickael Maison <mickael.maison@gmail.com>
Status
Current state: [Discuss]APPROVED - voting thread
Discussion thread: mail-archives.apache.org/...
...
Change the current ACL check for creating a topic T, from CREATE on Cluster,
to CREATE on Cluster OR CREATE on Topic(T)
.
Note that the check is performed on two execution paths : explicit creation and auto creation of a topic.
Change the AclCommand CLI tool so that the `–producer
` convenience option uses the new finer grained ACL on a given topic.
...
- What impact (if any) will there be on existing users?
- existing ACLs with CREATE permission on Cluster will still allow users to create any topics
- clients expecting an error in CreateTopicResponse will receive
TOPIC_AUTHORIZATION_FAILED
(29) instead ofCLUSTER_AUTHORIZATION_FAILED
(31).
in the Java client, both are mapped to subclasses of AuthorizationException;
handling any auth error likely requires human intervention.
- If we need special migration tools, describe them here.
- not needed
...