
co-authored-by: Mickael Maison <mickael.maison@gmail.com>

Status

Current state: [Discuss]

Discussion thread: mail-archives.apache.org/... 

JIRA: KAFKA-6726 

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

The ACL currently required for a CreateTopicsRequest is checked only on the singleton Cluster resource. This does not permit granular permissions (e.g. allowing a user to create only a defined set of topics), and it is not symmetric with the permissions required for a DeleteTopicsRequest, which checks Delete permission on the named Topic resources.

This currently makes it impossible to allow a user to manage the lifecycle of a defined set of topics: she/he will be able to create any topic, but not necessarily to delete all of them.

Proposed Changes

Change the current ACL check for creating a topic T from CREATE on Cluster to CREATE on Topic(T).

Change the AclCommand CLI tool so that the `--producer` convenience option manages the newly required ACL.

Public Interfaces

On failure of the authorization check, CreateTopicsRequest will return with an error code of TOPIC_AUTHORIZATION_FAILED (29) instead of CLUSTER_AUTHORIZATION_FAILED (31).

The script kafka-acls.sh will no longer accept --operation Create in combination with --cluster, but will accept it in combination with --topic T.

Compatibility, Deprecation, and Migration Plan

  • What impact (if any) will there be on existing users?
    • Existing ACLs granting CREATE on Cluster will no longer allow users to create topics.
  • If we need special migration tools, describe them here.
    • Replace CREATE ACLs on the Cluster resource with CREATE ACLs on Topic * (the wildcard topic resource).

Rejected Alternatives

An alternative that we want to discuss with the community is to favour compatibility over simplicity,
and treat the existing "Create Cluster" permission as equivalent to "Create Any Topic": if Create on Cluster is allowed, the specific Create Topic check is skipped.

In that case, for symmetry, there could be a DELETE check on Cluster meaning "delete any topic".
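The three authorization policies discussed on this page (the current Cluster-level check, the proposed per-Topic check, and the rejected "Cluster CREATE implies any topic" alternative), together with the Topic * migration from the Compatibility section, modelled in plain Python. This is an added example, not Kafka's authorizer code or API; the `Acl` class, the `authorize_create_topic_*` functions, `migrate_cluster_create_acls` and the sample ACLs are this example's own constructions. Only allow ACLs are modelled (Kafka also has deny ACLs, which are out of scope here); the cluster resource name "kafka-cluster" and the error codes 29 and 31 are the ones the page and the Kafka protocol use.

```python
"""Model of the CreateTopics ACL change: Cluster CREATE vs Topic(T) CREATE.

Added example, not Kafka code. Names here are the example's own assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Protocol error codes quoted on the page.
TOPIC_AUTHORIZATION_FAILED = 29
CLUSTER_AUTHORIZATION_FAILED = 31

CLUSTER = "Cluster"
TOPIC = "Topic"
CLUSTER_NAME = "kafka-cluster"   # name of the singleton Cluster resource in Kafka
WILDCARD = "*"                   # resource name meaning "all resources of this type"


@dataclass(frozen=True)
class Acl:
    principal: str      # e.g. "User:alice"
    operation: str      # "Create" or "Delete"
    resource_type: str  # CLUSTER or TOPIC
    resource_name: str  # CLUSTER_NAME, a topic name, or WILDCARD


def is_allowed(acls: List[Acl], principal: str, operation: str,
               resource_type: str, resource_name: str) -> bool:
    """Allow-only match: same principal, operation and type; exact name or wildcard."""
    return any(
        a.principal == principal and a.operation == operation
        and a.resource_type == resource_type
        and a.resource_name in (resource_name, WILDCARD)
        for a in acls
    )


def authorize_create_topic_old(acls: List[Acl], principal: str, topic: str) -> Optional[int]:
    """Current behaviour: only CREATE on the singleton Cluster resource is checked."""
    if is_allowed(acls, principal, "Create", CLUSTER, CLUSTER_NAME):
        return None
    return CLUSTER_AUTHORIZATION_FAILED


def authorize_create_topic_new(acls: List[Acl], principal: str, topic: str) -> Optional[int]:
    """Proposed behaviour: CREATE on Topic(T), symmetric with the DELETE check."""
    if is_allowed(acls, principal, "Create", TOPIC, topic):
        return None
    return TOPIC_AUTHORIZATION_FAILED


def authorize_create_topic_compat(acls: List[Acl], principal: str, topic: str) -> Optional[int]:
    """Rejected alternative: Cluster CREATE means 'create any topic'; otherwise per-topic check."""
    if is_allowed(acls, principal, "Create", CLUSTER, CLUSTER_NAME):
        return None
    return authorize_create_topic_new(acls, principal, topic)


def authorize_delete_topic(acls: List[Acl], principal: str, topic: str) -> Optional[int]:
    """Existing DeleteTopics check, unchanged by the proposal: DELETE on Topic(T)."""
    if is_allowed(acls, principal, "Delete", TOPIC, topic):
        return None
    return TOPIC_AUTHORIZATION_FAILED


def migrate_cluster_create_acls(acls: List[Acl]) -> List[Acl]:
    """Migration from the Compatibility section: CREATE on Cluster -> CREATE on Topic *."""
    return [
        Acl(a.principal, "Create", TOPIC, WILDCARD)
        if a.operation == "Create" and a.resource_type == CLUSTER else a
        for a in acls
    ]


def can_manage_lifecycle(acls: List[Acl], principal: str, topic: str,
                         check_create: Callable[[List[Acl], str, str], Optional[int]]) -> bool:
    """True when the principal may both create and delete the topic under a given create policy."""
    return (check_create(acls, principal, topic) is None
            and authorize_delete_topic(acls, principal, topic) is None)


# Constructed sample: alice is meant to own topic "orders" only; bob holds a legacy Cluster CREATE.
SAMPLE_ACLS = [
    Acl("User:alice", "Create", TOPIC, "orders"),
    Acl("User:alice", "Delete", TOPIC, "orders"),
    Acl("User:bob", "Create", CLUSTER, CLUSTER_NAME),
]

if __name__ == "__main__":
    for name, policy in (("old", authorize_create_topic_old),
                         ("new", authorize_create_topic_new),
                         ("compat", authorize_create_topic_compat)):
        print(name, "alice/orders:", policy(SAMPLE_ACLS, "User:alice", "orders"),
              "alice/payments:", policy(SAMPLE_ACLS, "User:alice", "payments"),
              "bob/orders:", policy(SAMPLE_ACLS, "User:bob", "orders"))
    print("bob after migration:",
          authorize_create_topic_new(migrate_cluster_create_acls(SAMPLE_ACLS), "User:bob", "orders"))
```

Running it shows the asymmetry the Motivation describes: under the old policy alice cannot create "orders" at all (code 31) even though she may delete it, while bob's Cluster CREATE lets him create any topic; under the new policy alice gets exactly the create/delete pair for "orders" and is refused "payments" with code 29, and bob's legacy ACL stops working until it is migrated to Topic *. The compat variant keeps bob's ACL working, which is precisely the compatibility-versus-least-privilege trade-off the Rejected Alternatives section raises.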
