bq. you too are concerned about the current delete record/topic limitation Yes. I think this is a security hole.
On Tue, Apr 3, 2018 at 9:37 AM, Mickael Maison <mickael.mai...@gmail.com> wrote: > Yes this is indeed a typo! > > And yes we're considering filing another KIP but I thought collecting > all our feedback and providing a full summary might be beneficial for > others. > I see you too are concerned about the current delete record/topic > limitation. > > On Tue, Apr 3, 2018 at 5:26 PM, Ted Yu <yuzhih...@gmail.com> wrote: > > bq. There is now way to distinguish between topic and record deletion. > > > > I guess you meant 'no way' above. > > I think deleting a topic has higher impact than deleting records. > > > > Have you considered filing KIP to distinguish the two operations ? > > > > Cheers > > > > On Tue, Apr 3, 2018 at 9:22 AM, Mickael Maison <mickael.mai...@gmail.com > > > > wrote: > > > >> Hi all, > >> > >> Over the past few months the IBM Message Hub team has "played quite a > >> bit" with the pluggable Authorizer interface and I'll try to give a > >> summary of our findings. > >> > >> First when implementing a custom Authorizer, we found it hard having a > >> global view of all the Resource/Operation required for each ApiKey. We > >> ended up building a table (by looking at KafkaApis.scala) of all the > >> combinations that can be triggered. We posted this table in the wiki, > >> https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Authorizations, > >> hopefully that will help others too. > >> > >> We found the overview it provides necessary and it should probably be > >> in the docs/javadocs. > >> > >> The biggest limitation for us were the permissions required to create > >> topics. This is what we targeted with KIP-277: > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP- > >> 277+-+Fine+Grained+ACL+for+CreateTopics+API > >> > >> Some of our other findings: > >> - There is now way to distinguish between topic and record deletion. > >> If a Principal has Delete on a Topic, it can do both. With regulations > >> like GDPR, we can expect the DeleteRecords API to gain popularity and > >> it's a bit scary that it also allows to delete the topic. > >> - We also can't distinguish between DescribeLogDirs, DescribeAcls and > >> ListGroups as they both require Describe on the Cluster resource. > >> While ListGroups is pretty common for "normal" users, the other 2 are > >> a bit more on the admin side. > >> - OffsetCommit only requires Read on Group even though it's > >> technically a write operation. I think this was already discussed at > >> some point on the mailing list. > >> > >> Changing permissions is an expensive process and so far we've not > >> attempted to come up with alternatives (apart from KIP-277). There is > >> also a balance between granularity and ease of use, requiring > >> administrators to set and maintain many permissions is not really an > >> improvement! > >> > >> Thanks > >> >
