Hi Edoardo,

Permissions on the Cluster singleton are very powerful. For example, ALTER CLUSTER gives you the ability to add or remove any other ACLs you like (essentially unlimited permissions). ALTERCONFIGS CLUSTER gives you the ability to reconfigure the brokers, and so forth. The general idea is that administrators have the ability to do things to the whole cluster, regular users don't. So it seems logical for CREATE CLUSTER to continue to allow the administrator to create things such as topics. I don't think we should remove this permission.

I think the reason why CreateTopics requires CREATE CLUSTER is that creating topics was considered something that only an administrator would want to do. If we want regular applications to be able to create topics as well, we should think carefully about what their usage pattern would be. Would they create topics with names that are known to the administrator ahead of time? Or would the topic names be hard to predict? Do they need to be sandboxed in some other way (i.e. don't allow a lower-privileged app to create a topic with 10,000 partitions on 1,000 brokers)? We don't have the concept of the "owner" of a topic, so deletion becomes clunky. Perhaps someone gave me CREATE CLUSTER permission, but no DELETE TOPIC permissions. So I can create lots and lots of topics, but never delete anything. If the admin doesn't know ahead of time what topic names I'll be creating, the admin's choice is to give me no delete permissions, or to give me DELETE TOPIC * -- neither of which are good choices.

best,
Colin

On Thu, Mar 29, 2018, at 06:51, Edoardo Comar wrote:
> Hi all,
>
> We have submitted KIP-277 to give users permission to manage the lifecycle
> of a defined set of topics;
> the current ACL checks are for permission to create *any* topic and on
> delete for permission against the *named* topics.
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-277+-+Fine+Grained+ACL+for+CreateTopics+API
>
> Feedback and suggestions are welcome, thanks.
>
> Edo & Mickael
> --------------------------------------------------
>
> Edoardo Comar
>
> IBM Message Hub
>
> IBM UK Ltd, Hursley Park, SO21 2JN
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
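The two ACL checks Colin contrasts above (CreateTopics authorized by CREATE on the cluster singleton, DeleteTopics authorized by DELETE on the named topic) and the administrator's dilemma that follows from them can be made concrete with a small policy model. The following is an added example, not Kafka's authorizer code and not part of this thread; it assumes Kafka's deny-over-allow and default-deny semantics, uses Kafka's `kafka-cluster` singleton resource name, and the principals, topics and ACL sets are constructed for illustration.

```python
"""Toy model of the Kafka ACL checks discussed in the thread.

Added example, not Kafka's own code. Models the pre-KIP-277 checks:
  CreateTopics  -> CREATE on the Cluster singleton ("kafka-cluster")
  DeleteTopics  -> DELETE on the named Topic resource
Deny ACLs win over Allow, and no matching Allow means denied (Kafka's
SimpleAclAuthorizer behaviour; assumed here for the model).
"""
from dataclasses import dataclass

CLUSTER = "Cluster"
TOPIC = "Topic"
CLUSTER_NAME = "kafka-cluster"  # Kafka's singleton cluster resource name


@dataclass(frozen=True)
class Acl:
    principal: str
    resource_type: str   # "Cluster" or "Topic"
    resource_name: str   # literal name, or "*" wildcard
    operation: str       # "Create", "Delete", "Alter", ...
    allow: bool = True   # False models a Deny ACL


def matches(acl, principal, resource_type, resource_name, operation):
    """Does this ACL apply to the request? '*' matches any resource name."""
    return (acl.principal == principal
            and acl.resource_type == resource_type
            and acl.operation == operation
            and (acl.resource_name == "*" or acl.resource_name == resource_name))


def authorized(acls, principal, resource_type, resource_name, operation):
    hits = [a for a in acls if matches(a, principal, resource_type, resource_name, operation)]
    if any(not a.allow for a in hits):
        return False          # any Deny wins
    return any(a.allow for a in hits)  # otherwise need at least one Allow


def can_create_topic(acls, principal):
    # CreateTopics is checked against the cluster singleton, not the topic name
    return authorized(acls, principal, CLUSTER, CLUSTER_NAME, "Create")


def can_delete_topic(acls, principal, topic):
    # DeleteTopics is checked against the named topic
    return authorized(acls, principal, TOPIC, topic, "Delete")


def evaluate(acls, principal, topics):
    """Summarise what a principal may do: create any topic? delete each listed topic?"""
    return {
        "create": can_create_topic(acls, principal),
        "delete": {t: can_delete_topic(acls, principal, t) for t in topics},
    }


# ---- constructed scenarios -------------------------------------------------
APP = "User:app"
OTHER_TOPICS = ["billing", "audit"]            # topics the app should never touch (constructed)
APP_TOPICS = ["app-events-1", "app-events-2"]  # topics the app itself creates (constructed)

# Scenario A: admin grants CREATE CLUSTER only. App can create, can delete nothing.
ACLS_CREATE_ONLY = [Acl(APP, CLUSTER, CLUSTER_NAME, "Create")]

# Scenario B: admin adds DELETE TOPIC * so the app can clean up after itself.
# Now the app can delete every topic in the cluster, not only its own.
ACLS_CREATE_AND_DELETE_ALL = ACLS_CREATE_ONLY + [Acl(APP, TOPIC, "*", "Delete")]


def over_granted_deletes(acls, principal, own_topics, other_topics):
    """Topics outside the principal's own set that it is nevertheless allowed to delete."""
    return [t for t in other_topics if t not in own_topics and can_delete_topic(acls, principal, t)]


if __name__ == "__main__":
    for label, acls in (("CREATE CLUSTER only", ACLS_CREATE_ONLY),
                        ("CREATE CLUSTER + DELETE TOPIC *", ACLS_CREATE_AND_DELETE_ALL)):
        print(label, evaluate(acls, APP, APP_TOPICS + OTHER_TOPICS))
        print("  over-granted deletes:", over_granted_deletes(acls, APP, APP_TOPICS, OTHER_TOPICS))
```

Running the script shows the two outcomes the message describes: with the first ACL set the app creates freely but cannot delete even its own topics; with the wildcard added it can also delete `billing` and `audit`. Neither set expresses "delete only what you created", which is the gap a topic-scoped create permission is meant to close.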