Took me a while to find it, but the link to the KIP is https://cwiki.apache.org/confluence/display/KAFKA/KIP-1042%3A+Support+for+wildcard+when+creating+new+acls

On Fri, May 3, 2024 at 10:13 AM Murali Basani <murali.bas...@gmail.com> wrote:

> Hello,
>
> I'd like to propose a suggestion to our resource patterns in Kafka ACLs.
>
> Currently, when adding new ACLs in Kafka, we have two types of resource
> patterns for topics:
>
> - LITERAL
> - PREFIXED
>
> However, when it comes to listing or removing ACLs, we have a couple more
> options:
>
> - MATCH
> - ANY (will match any pattern type)
>
> If we can extend creating acls as well with 'MATCH' pattern type, it would
> be very beneficial. Even though this kind of acl should be created with
> utmost care, it will help organizations streamline their ACL management
> processes.
>
> Example scenarios :
>
> Let's say we need to create ACLs for the following six topics:
> nl-accounts-localtopic, nl-accounts-remotetopic, de-accounts-localtopic,
> de-accounts-remotetopic, cz-accounts-localtopic, cz-accounts-remotetopic
>
> Currently, we achieve this using existing functionality by creating three
> prefixed ACLs as shown below:
>
>     kafka-acls --bootstrap-server localhost:9092 \
>       --add \
>       --allow-principal User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown \
>       --producer \
>       --topic nl-accounts- \
>       --resource-pattern-type prefixed
>
>     kafka-acls --bootstrap-server localhost:9092 \
>       --add \
>       --allow-principal User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown \
>       --producer \
>       --topic de-accounts- \
>       --resource-pattern-type prefixed
>
>     kafka-acls --bootstrap-server localhost:9092 \
>       --add \
>       --allow-principal User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown \
>       --producer \
>       --topic cz-accounts- \
>       --resource-pattern-type prefixed
>
> However, if we had the 'MATCH' pattern type available, we could accomplish
> this with a single ACL, as illustrated here:
>
>     kafka-acls --bootstrap-server localhost:9092 \
>       --add \
>       --allow-principal User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown \
>       --producer \
>       --topic *-accounts-* \
>       --resource-pattern-type match
>
> This pattern closely resembles PREFIXED but offers broader allow/deny
> rules.
>
> Implementing this change could significantly reduce the effort in several
> acl management processes.
>
> I welcome your thoughts and any concerns you may have regarding this
> proposal.
>
> Thanks,
> Murali

--
LinkedIn: http://www.linkedin.com/in/claudewarren
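
Added example (not part of either message, and not Kafka or KIP code): a small check of which topics the three prefixed ACLs grant versus the single proposed `*-accounts-*` ACL, to show the widening the quoted proposal calls "broader allow/deny rules". It assumes `*` in a MATCH pattern means any run of characters; the inventory entries beyond the six topics named in the thread are constructed.

```python
import re

def matches(pattern_type, pattern, topic):
    """Return True if an ACL resource pattern covers the topic name."""
    if pattern_type == "LITERAL":
        # Kafka treats the literal name "*" as "all resources".
        return pattern == "*" or topic == pattern
    if pattern_type == "PREFIXED":
        return topic.startswith(pattern)
    if pattern_type == "MATCH":
        # Assumption: glob-style semantics, '*' = any run of characters.
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, topic) is not None
    raise ValueError(f"unknown pattern type: {pattern_type}")

def granted(acls, topics):
    """Topics covered by at least one (pattern_type, pattern) ACL."""
    return {t for t in topics if any(matches(pt, p, t) for pt, p in acls)}

def widening(old_acls, new_acls, topics):
    """Topics the new ACL set grants that the old set did not."""
    return sorted(granted(new_acls, topics) - granted(old_acls, topics))

# The six topics from the thread.
INTENDED = [
    "nl-accounts-localtopic", "nl-accounts-remotetopic",
    "de-accounts-localtopic", "de-accounts-remotetopic",
    "cz-accounts-localtopic", "cz-accounts-remotetopic",
]
# Constructed cluster inventory: the six topics plus unrelated ones.
INVENTORY = INTENDED + [
    "nl-accounts-audit", "fr-accounts-localtopic",
    "test-accounts-dump", "nl-payments-localtopic",
]
PREFIXED_ACLS = [("PREFIXED", "nl-accounts-"),
                 ("PREFIXED", "de-accounts-"),
                 ("PREFIXED", "cz-accounts-")]
MATCH_ACL = [("MATCH", "*-accounts-*")]

if __name__ == "__main__":
    print("prefixed grants:", sorted(granted(PREFIXED_ACLS, INVENTORY)))
    print("match grants:   ", sorted(granted(MATCH_ACL, INVENTORY)))
    print("added by match: ", widening(PREFIXED_ACLS, MATCH_ACL, INVENTORY))
```

Running the same comparison against a real topic list before creating a wildcard ACL shows exactly which existing topics the principal would newly gain access to.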