Hi Grant, This looks good to me. One minor comment. You mention that "delete" actions will get processed before "add" actions, which makes sense to me. An alternative to avoid the confusion in the first place would be to replace the AlterAcls APIs with separate AddAcls and DeleteAcls APIs. Was this option already rejected?
Thanks, Jason On Thu, Jul 21, 2016 at 7:57 AM, Grant Henke <ghe...@cloudera.com> wrote: > Anyone else have any feedback on this protocol and implementation? I plan > to start a vote soon. > > Thank you, > Grant > > On Fri, Jul 15, 2016 at 1:04 PM, Gwen Shapira <g...@confluent.io> wrote: > > > > My goal in the protocol design was to keep the request simple and be > able > > > to answer what I think are the 3 most common questions/requests > > > > > > - What ACLs are on the cluster? > > > - What access do I/they have? > > > - Who has access to this resource? > > > > Thanks for clarifying. I think this is good. Perhaps just document > > this goal next to the protocol for the record :) > > > > > Isn't KIP-50 itself one gigantic compatibility concern? I don't see > > >> how your suggestions make it any worse... > > > > > > > > > > > >> Yes, I also think we should take this chance to improve the > Authorizer > > interface > > >> to make it more suitable for the ACL Admin requests. > > > > > > > > > I agree we can address this in KIP-50. What I was getting at was that I > > > wanted to handle that discussion there. We voted on KIP-50 before 0.10 > > was > > > released with the intention that we could get it in. Now that 0.10 is > > > released and a longer time has gone by I am not sure if the opinion of > > > "breaking is okay" has changed. I will always prefer a backward > > compatible > > > approach if possible. > > > > Well, the entire KIP-50 discussion - both regarding compatibility and > > possible increased scope is probably out of context here. Especially > > since this proposal was written carefully to avoid any assumptions > > regarding other work. I suggest taking this in a separate thread. > > > > Gwen > > > > > Thank you, > > > Grant > > > > > > > > > On Fri, Jul 15, 2016 at 7:22 AM, Ismael Juma <ism...@juma.me.uk> > wrote: > > > > > >> On Fri, Jul 15, 2016 at 6:45 AM, Gwen Shapira <g...@confluent.io> > > wrote: > > >> > > > >> > >> - I suggest this be addressed in KIP-50 as well, though > it > > >> has > > >> > >> some compatibility concerns. > > >> > > > >> > Isn't KIP-50 itself one gigantic compatibility concern? I don't see > > >> > how your suggestions make it any worse... > > >> > > > >> > > >> Yes, I also think we should take this chance to improve the Authorizer > > >> interface to make it more suitable for the ACL Admin requests. > > >> > > >> Ismael > > >> > > > > > > > > > > > > -- > > > Grant Henke > > > Software Engineer | Cloudera > > > gr...@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke > > > > > > -- > Grant Henke > Software Engineer | Cloudera > gr...@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke >
