THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
The goals of this change:1)
- Allow admins or super users the ability to create topics and also set explicit configs on the new topics.
...
- Allow some users the ability to auto-create topics but not set explicit configs (only given cluster defaults).
...
- Deny creation of topics entirely to other users.
Compatibility, Deprecation, and Migration Plan
...
The API could be changed such that CreateTopicPolicy (and also AlterConfigPolicy) could have the principal passed as part of the validation request. This could possibly work but is much more limited and I think using the built in ACL mechanism that already exists seems like a better solution as this is really a permission issue that is trying to be solved. However, this approach could be used instead of if the community wants to go this routeWhile passing the principal to the policy gives the policy the ability to know who is making the request, only the ACL authorizer has all the information loaded to make permissions decisions and that still wouldn't be available to the create topic policy. Without the ACL authorizer the best you could do would be just check if a super user which is better but still doesn't solve the whole problem if you want to grant non super users the ability to create topics explicitly for certain topic prefixes.