co-authored-by: Mickael Maison <mickael.maison@gmail.com>
Status
Current state: [Draft]
Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]
JIRA: KAFKA-6726
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
The current ACL required for a CreateTopicsRequest
is only on the singleton Cluster Resource, does not permit granular permissions (e.g. allow a user only to create a defined set of topics) and it is not symmetric with the permissions required for a DeleteTopicsRequest
, which check Delete permission on the named Topic Resources.
This makes it currently impossible to allow a user to manage the lifecycle of a defined set of topics, as she/he will be able to create any topics, but not necessarily to delete all of them.
Proposed Changes
Change the current ACL check for creating a topic T, from CREATE on Cluster, to CREATE on Topic(T).
Change the AclCommand CLI tool so that the `–producer
` convenience option manages the new needed ACL.
Public Interfaces
On failure from an authorization check, CreateTopicsRequest
will return with an error code of TOPIC_AUTHORIZATION_FAILED
(29) instead of CLUSTER_AUTHORIZATION_FAILED
(31)
The script kafka-acls.sh
will no longer accept --operation Create
in combination with --cluster
but will accept it in combination with --topic T
Compatibility, Deprecation, and Migration Plan
- What impact (if any) will there be on existing users?
- existing ACLs with CREATE permission on Cluster will not allow users to create topics anymore
- If we need special migration tools, describe them here.
- replacing
CREATE Cluster ACLs
withCREATE Topic *
- replacing
Rejected Alternatives
An alternative that we want to discuss with the community is to favour compatibility rather than simplicity,
and consider existing "Create Cluster" permission as equivalent to "Create Any Topics", so that Create Cluster is allowed, skip the specific Create Topic check.
In that case for symmetry there could be a DELETE check on Cluster meaning delete any topics.