Thanks Ismael, in the 'rejected' section we describe an approach that would allow for compatibility but we'd keep the authz checks simple rather than establish a precedent of a logical OR between different checks (cluster or topic(t)).
What would be your ideal story for compatibility?

I prefer to think of wildcard support as a separate concern. And keep this KIP as simple as it is.

Wildcard support could come from a more sophisticated implementation of the Authorizer; one that interprets the Resource name associated with ACLs in
kafka.security.auth.Authorizer.addAcls(Set[Acl], Resource)
as a regex to be matched against the actual Resource name in
kafka.security.auth.Authorizer.authorize(RequestChannel.Session, Operation, Resource)

Thoughts?

cheers
Edo
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN

From: Ismael Juma <ism...@juma.me.uk>
To: dev <dev@kafka.apache.org>
Date: 29/03/2018 21:37
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Sent by: isma...@gmail.com

Thanks for the KIP. I think this is going in the right direction, but we need a better compatibility story. Also, it's worth considering whether we want to tackle better wildcard support at the same time.

Ismael

On Thu, Mar 29, 2018 at 6:51 AM, Edoardo Comar <eco...@uk.ibm.com> wrote:

> Hi all,
>
> We have submitted KIP-277 to give users permission to manage the lifecycle
> of a defined set of topics;
> the current ACL checks are for permission to create *any* topic and on
> delete for permission against the *named* topics.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D&d=DwIBaQ&c=jf_iaSHvJObTbx-siA1ZOg&r=EzRhmSah4IHsUZVekRUIINhltZK7U0OaeRo7hgW4_tQ&m=q1hztQq7OjhpHNkewaZcug47eAE6Rc0HTDHwzte4zyg&s=Pyt5ScR9iFsNT5o7O33csRafz0nbZEMckyHZgHWGp5w&e=
> 277+-+Fine+Grained+ACL+for+CreateTopics+API
>
> Feedback and suggestions are welcome, thanks.
>
> Edo & Mickael
> --------------------------------------------------
>
> Edoardo Comar
>
> IBM Message Hub
>
> IBM UK Ltd, Hursley Park, SO21 2JN
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
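
Added example, not part of the original thread and not Kafka code: a simplified Python model of the regex-interpreting Authorizer suggested in the reply above, showing two checks such an implementation needs (whole-name matching and escaping of existing literal names). The class, method names, principals and topic names are all hypothetical and constructed for illustration.

```python
import re

def literal(name):
    """Escape a plain resource name so it only matches itself as a regex."""
    return re.escape(name)

class RegexAclAuthorizer:
    """Simplified, hypothetical model; not Kafka's Authorizer interface."""

    def __init__(self):
        self._rules = []  # (resource_type, compiled pattern, principal, operation)

    def add_acls(self, acls, resource_type, name_pattern):
        # Compile at add time so a malformed pattern fails here,
        # not later inside an authorization check.
        compiled = re.compile(name_pattern)
        for principal, operation in acls:
            self._rules.append((resource_type, compiled, principal, operation))

    def authorize(self, principal, operation, resource_type, resource_name):
        for rtype, pattern, who, op in self._rules:
            if (rtype, who, op) != (resource_type, principal, operation):
                continue
            # fullmatch(): the pattern must cover the entire name. search()
            # would also accept names that merely contain a matching substring.
            if pattern.fullmatch(resource_name):
                return True
        return False  # no matching ACL: deny

def build_example():
    """Constructed sample ACLs (principals and topic names are made up)."""
    authz = RegexAclAuthorizer()
    authz.add_acls({("User:alice", "Create")}, "Topic", r"team-a\.[a-z0-9-]+")
    # An existing literal ACL must be escaped: '.' is legal in topic names
    # but is a regex metacharacter.
    authz.add_acls({("User:bob", "Create")}, "Topic", literal("payments.eu"))
    return authz
```

Storing an existing literal ACL name unescaped would silently widen it, which is one reason the regex interpretation bears on the compatibility question raised in the thread.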