I saw your reply in the other email. I meant that permissions the person managing brokers gives the user should be known a priori. Otherwise there would be a security hole somewhere.

Cheers

On Mon, Dec 4, 2017 at 3:47 PM, Vahid S Hashemian <vahidhashem...@us.ibm.com> wrote:

> Hi Ted,
>
> Thanks for the feedback. I tried to address Dong's comments on an earlier
> email. I hope that addresses your concern too.
> If not, please continue with the discussion until we hopefully agree on
> what (if anything) needs to be done.
>
> I'm also not sure if I understand your point about "The user should know
> which group(s) he / she is allowed to describe." in relationship to the
> KIP. Perhaps you can clarify?
>
> Thanks.
> --Vahid
>
> From: Ted Yu <yuzhih...@gmail.com>
> To: dev@kafka.apache.org
> Date: 12/04/2017 02:01 PM
> Subject: Re: [DISCUSS] KIP-231: Improve the Required ACL of ListGroups API
>
> I agree with Dong on maintaining the semantics.
>
> The user should know which group(s) he / she is allowed to describe.
>
> Cheers
>
> On Mon, Dec 4, 2017 at 1:40 PM, Dong Lin <lindon...@gmail.com> wrote:
>
> > Hey Vahid,
> >
> > Thanks for the KIP. If I understand you correctly, you want the client
> > to be able to list all the groups for which it currently has the
> > describe access.
> >
> > As of now the ListGroupRequest does not allow the user to specify the
> > group. If the user does not have the Describe Cluster access,
> > ListGroupResponse will return an error. This KIP proposes to change the
> > semantics of ListGroupsResponse such that ListGroupResponse will return
> > the subset of groups for which the user has the Describe access. And if
> > the user does not have Describe access to any group, ListGroupResponse
> > will return an empty list with no error.
> >
> > In my opinion this changes the semantics of ListGroupsResponse in a
> > counter-intuitive way. Usually we use the ACL to determine whether the
> > operation on the specified object can be performed or not. The response
> > should provide either an error message or the result for the specified
> > object. I couldn't remember a case where the ACL is used to filter the
> > result without providing an error. Do you think this could be a problem
> > for this KIP?
> >
> > Thanks,
> > Dong
> >
> > On Wed, Nov 29, 2017 at 3:18 PM, Vahid S Hashemian <vahidhashem...@us.ibm.com> wrote:
> >
> > > Completing the subject line :)
> > >
> > > From: "Vahid S Hashemian" <vahidhashem...@us.ibm.com>
> > > To: dev <dev@kafka.apache.org>
> > > Date: 11/29/2017 03:17 PM
> > > Subject: [DISCUSS] KIP-231:
> > >
> > > Hi everyone,
> > >
> > > I started KIP-231 to propose a small change to the required ACL of
> > > ListGroups API (in response to KAFKA-5638):
> > > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D231-253A-2BImprove-2Bthe-2BRequired-2BACL-2Bof-2BListGroups-2BAPI&d=DwIFAg&c=jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj-kjJc7uSVcviKUc&m=XjHVTsIl7t-z0NBesB0U-ptMMm6mmpy3UqS8TjJM5yM&s=eu378oaLvC0Wzbfcz15Rwo4nqdrO11ENLK6v9Kq9Z6w&e=
> > >
> > > Your feedback and suggestions are welcome!
> > >
> > > Thanks.
> > > --Vahid
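
Added example (not part of the thread and not Kafka's code): a toy model of the two ListGroups semantics discussed above, showing that under the filtering variant a caller with no group access receives the same answer as on a cluster with no groups. The `Acl` class, the `"kafka-cluster"` resource name, `AuthorizationError` and the sample principals and groups are constructed for illustration; that a cluster-level Describe still returns every group under the proposal is an assumption the thread does not state.

```python
from dataclasses import dataclass

# Constructed ACL model for illustration; not Kafka's authorizer API.
@dataclass(frozen=True)
class Acl:
    principal: str
    operation: str       # e.g. "Describe"
    resource_type: str   # "Cluster" or "Group"
    resource_name: str   # group id, or "kafka-cluster" for the cluster

class AuthorizationError(Exception):
    """Hypothetical stand-in for the error the response carries today."""

def allowed(acls, principal, rtype, rname):
    return Acl(principal, "Describe", rtype, rname) in acls

def list_groups_current(acls, principal, groups):
    """Semantics described as current: Describe on Cluster, or an error."""
    if not allowed(acls, principal, "Cluster", "kafka-cluster"):
        raise AuthorizationError(principal)
    return sorted(groups)

def list_groups_proposed(acls, principal, groups):
    """Semantics described as proposed: filter by per-group Describe."""
    # Assumption: cluster-level Describe still sees everything.
    if allowed(acls, principal, "Cluster", "kafka-cluster"):
        return sorted(groups)
    return sorted(g for g in groups if allowed(acls, principal, "Group", g))

# Constructed sample data.
GROUPS = {"billing", "audit", "metrics"}
ACLS = {
    Acl("User:admin", "Describe", "Cluster", "kafka-cluster"),
    Acl("User:alice", "Describe", "Group", "billing"),
}

def outcome(fn, principal, groups=GROUPS):
    """Return the group list, or the string "ERROR" on an authorization failure."""
    try:
        return fn(ACLS, principal, groups)
    except AuthorizationError:
        return "ERROR"

if __name__ == "__main__":
    for user in ("User:admin", "User:alice", "User:bob"):
        print(user, outcome(list_groups_current, user),
              outcome(list_groups_proposed, user))
```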