Thanks Ismael, in the 'rejected' section we describe an approach that would allow for compatibility but we'd keep the authz checks simple rather than establish a precedent of a logical OR between different checks (cluster or topic(t)).

What would be your ideal story for compatibility?

I prefer to think of wildcard support as a separate concern. And keep this KIP as simple as it is.
Wildcard support could come from a more sophisticated implementation of the Authorizer; one that interprets the Resource name associated with ACLs in
kafka.security.auth.Authorizer.addAcls(Set[Acl], Resource)
as a regex to be matched against the actual Resource name in
kafka.security.auth.Authorizer.authorize(RequestChannel.Session, Operation, Resource)

Thoughts?

cheers
Edo
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN

From: Ismael Juma <[email protected]>
To: dev <[email protected]>
Date: 29/03/2018 21:37
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Sent by: [email protected]

Thanks for the KIP. I think this is going in the right direction, but we need a better compatibility story. Also, it's worth considering whether we want to tackle better wildcard support at the same time.

Ismael

On Thu, Mar 29, 2018 at 6:51 AM, Edoardo Comar <[email protected]> wrote:

> Hi all,
>
> We have submitted KIP-277 to give users permission to manage the lifecycle
> of a defined set of topics;
> the current ACL checks are for permission to create *any* topic and on
> delete for permission against the *named* topics.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D&d=DwIBaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=EzRhmSah4IHsUZVekRUIINhltZK7U0OaeRo7hgW4_tQ&m=q1hztQq7OjhpHNkewaZcug47eAE6Rc0HTDHwzte4zyg&s=Pyt5ScR9iFsNT5o7O33csRafz0nbZEMckyHZgHWGp5w&e=
> 277+-+Fine+Grained+ACL+for+CreateTopics+API
>
> Feedback and suggestions are welcome, thanks.
>
> Edo & Mickael
> --------------------------------------------------
> Edoardo Comar
> IBM Message Hub
> IBM UK Ltd, Hursley Park, SO21 2JN
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
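
The regex-interpreting Authorizer suggested in the message above, sketched as an added example that is not part of the thread or of Kafka's code base. It is a standalone Python model: RegexAuthorizer, can_create_topic, build_sample and all principals and topic names are hypothetical, and it shows two things a reviewer would check, anchored matching and the effect on pre-existing literal ACL names.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Resource:
    rtype: str  # "Topic" or "Cluster"
    name: str   # literal name in authorize(); regex pattern in add_acls()

@dataclass(frozen=True)
class Acl:
    principal: str
    operation: str  # "Create", "Delete", ...

class RegexAuthorizer:
    """Hypothetical model, not kafka.security.auth.Authorizer itself."""

    def __init__(self):
        self._acls = {}  # Resource whose name is a pattern -> set of Acl

    def add_acls(self, acls, resource):
        re.compile(resource.name)  # reject a malformed pattern at write time
        self._acls.setdefault(resource, set()).update(acls)

    def authorize(self, principal, operation, resource):
        for pattern, acls in self._acls.items():
            if pattern.rtype != resource.rtype:
                continue
            # fullmatch anchors both ends; re.search would let the pattern
            # "team-a-.*" also authorize "x-team-a-orders".
            if re.fullmatch(pattern.name, resource.name) and Acl(principal, operation) in acls:
                return True
        return False  # no matching ACL: deny

def can_create_topic(authz, principal, topic):
    # Single check against the named topic, with no OR against Cluster.
    return authz.authorize(principal, "Create", Resource("Topic", topic))

def build_sample():
    # Constructed principals and topic names, for illustration only.
    authz = RegexAuthorizer()
    alice = {Acl("User:alice", "Create"), Acl("User:alice", "Delete")}
    authz.add_acls(alice, Resource("Topic", r"team-a-.*"))
    # A pre-existing literal ACL: "." is legal in topic names but is a regex
    # metacharacter, so the unescaped name now covers more than one topic.
    authz.add_acls({Acl("User:bob", "Create")}, Resource("Topic", "orders.v1"))
    # Escaping restores literal meaning.
    authz.add_acls({Acl("User:carol", "Create")}, Resource("Topic", re.escape("billing.v1")))
    return authz
```

In this model an ACL stored before the switch to regex interpretation silently widens (bob's "orders.v1" also covers "ordersXv1"), so a migration would need to escape existing names.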
