Thanks Tom for the question! I'm not super familiar with the Principal stuff, could you elaborate more on the two points you proposed here?
I looked up Admin client and just take `createDelegationToken` API for an example, the request data encodes the principal information already, so broker should also leverage that information to proxy the request IMHO. Boyang On Mon, Apr 6, 2020 at 9:21 AM Tom Bentley <tbent...@redhat.com> wrote: > Hi Boyang, > > Thanks for the KIP! > > When a broker proxies a request to the controller how does the > authenticated principal get propagated? I think a couple of things might > complicate this: > > 1. A PrincipalBuilder might be in use, > 2. A Principal does not have to be serializable. > > > Kind regards, > > Tom > > On Sat, Apr 4, 2020 at 12:52 AM Boyang Chen <reluctanthero...@gmail.com> > wrote: > > > Hey all, > > > > I would like to start off the discussion for KIP-590, a follow-up > > initiative after KIP-500: > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-590%3A+Redirect+Zookeeper+Mutation+Protocols+to+The+Controller > > > > This KIP proposes to migrate existing Zookeeper mutation paths, including > > configuration, security and quota changes, to controller-only by always > > routing these alterations to the controller. > > > > Let me know your thoughts! > > > > Best, > > Boyang > > >
