Yes, owners and the renewers can always describe their own tokens. Updated the KIP.
On Sat, Feb 11, 2017 at 3:12 AM, Jun Rao <j...@confluent.io> wrote:

> Hi, Mani,
>
> Thanks for the update. Just a minor comment below. Otherwise, +1 from me.
>
> > > 116. Could you document the ACL rules associated with those new
> > > requests? For example, do we allow anyone to create, delete, describe
> > > delegation tokens?
> >
> > Currently we only allow an owner to create delegation token for that owner
> > only. Anything the owner has permission to do, delegation tokens should be
> > allowed to do as well. We can also check renew and expire requests are
> > coming from owner or renewers of the token. So we may not need ACLs for
> > create/renew/expire requests.
> >
> > For describe, we can add DESCRIBE operation on TOKEN Resource. In future,
> > when we extend the support to allow a user to acquire delegation tokens
> > for other users, then we can enable CREATE/DELETE operations. Updated the KIP.
>
> This sounds good. I guess the owner and the renewer can always describe
> their own tokens?
>
> Jun
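
The authorization rules agreed in this thread, modelled as an added Python sketch (not Kafka's code and not part of the original messages). The function names, the principal strings and the representation of DESCRIBE grants on the TOKEN resource as (principal, token id) pairs are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    token_id: str
    owner: str
    renewers: frozenset = frozenset()


def is_owner_or_renewer(principal, token):
    return principal == token.owner or principal in token.renewers


def may_create(requester, requested_owner):
    # Currently an owner may create a token only for itself; no ACL lookup.
    return requester == requested_owner


def may_renew_or_expire(requester, token):
    # Checked against the token's own owner/renewer list, so no ACL is needed.
    return is_owner_or_renewer(requester, token)


def may_describe(requester, token, describe_grants):
    # Owner and renewers can always describe their own tokens; anyone else
    # needs DESCRIBE on the TOKEN resource (modelled here as a set of pairs).
    return (is_owner_or_renewer(requester, token)
            or (requester, token.token_id) in describe_grants)


def describe_tokens(requester, tokens, describe_grants):
    # A describe request returns only the tokens the requester may see.
    return [t.token_id for t in tokens
            if may_describe(requester, t, describe_grants)]


# Constructed sample data (not from the thread).
TOKENS = [
    Token("t1", "User:alice", frozenset({"User:yarn"})),
    Token("t2", "User:bob"),
]
DESCRIBE_GRANTS = {("User:auditor", "t2")}

if __name__ == "__main__":
    for who in ("User:alice", "User:yarn", "User:auditor", "User:mallory"):
        print(who, describe_tokens(who, TOKENS, DESCRIBE_GRANTS))
```

A DESCRIBE grant widens visibility only: in this model `User:auditor` can list `t2` but still fails the renew/expire check, which depends solely on the token's owner and renewers.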