Thanks Vahid,

as described in the rejected section, we wanted to get feedback on the point:

> An alternative that we want to discuss with the community is to favour compatibility rather than simplicity,
> and consider existing "Create Cluster" permission as equivalent to "Create Any Topics", so that Create Cluster is allowed, skip the specific Create Topic check.

From the few replies so far, including yours, it seems that having a composite check like allowed = "has Create Cluster OR has Create Topic(TopicName)" is the preferred way to go for backward compatibility.

Though we'd like to plan a deprecation for the Create Cluster check, if wildcard support in ACLs will be added in the future.

Thoughts?

--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN

From: "Vahid S Hashemian" <vahidhashem...@us.ibm.com>
To: dev@kafka.apache.org
Date: 04/04/2018 16:41
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Hi Edo, Mickael,

The intent of this KIP seems to be rather similar to KIP-231 (Improve the Required ACL of ListGroups API). The feedback I received on that KIP was to allow for backward compatibility, and, as a result, the Describe(Cluster) ACL was preserved; and a Describe(Group) ACL was introduced. I am wondering if both KIPs should follow the same principles in that regard.

Thanks.
--Vahid

From: Edoardo Comar <eco...@uk.ibm.com>
To: dev <dev@kafka.apache.org>
Date: 03/29/2018 06:51 AM
Subject: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Hi all,

We have submitted KIP-277 to give users permission to manage the lifecycle of a defined set of topics; the current ACL checks are for permission to create *any* topic and on delete for permission against the *named* topics.

https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D277-2B-2D-2BFine-2BGrained-2BACL-2Bfor-2BCreateTopics-2BAPI&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj-kjJc7uSVcviKUc&m=fFqzioVsBbv-HQSz8mOPYfz25CJAudbGSgJ3JItDVeE&s=DzzeKHrh6r3G5Elm179qbdDLf9OC6e67zqR7d4vnre0&e=

Feedback and suggestions are welcome, thanks.
Edo & Mickael

--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN

Unless stated otherwise above: IBM United Kingdom Limited - Registered in England and Wales with number 741598. Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
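
The composite check discussed in this thread, as an added example that is not code from Kafka or from the KIP authors. The ACL model, function names and sample principals are hypothetical and simplified to allow-only ACLs with literal names; each decision records which grant matched, so reliance on the legacy Create(Cluster) permission can be measured before any deprecation.

```python
from dataclasses import dataclass

CLUSTER = "Cluster"
TOPIC = "Topic"
CLUSTER_NAME = "kafka-cluster"  # assumed name of the single cluster resource


@dataclass(frozen=True)
class Acl:
    """Simplified allow-only ACL entry (hypothetical model, literal names only)."""
    principal: str
    operation: str
    resource_type: str
    resource_name: str


def has_acl(acls, principal, operation, resource_type, resource_name):
    """True if an exactly matching allow entry exists."""
    return Acl(principal, operation, resource_type, resource_name) in acls


def authorize_create_topics(acls, principal, topic_names):
    """Return {topic: (allowed, matched_grant)} for each topic in a create request.

    Composite rule from the thread:
        allowed = has Create(Cluster) OR has Create(Topic, name)
    """
    legacy = has_acl(acls, principal, "Create", CLUSTER, CLUSTER_NAME)
    results = {}
    for name in topic_names:
        # Prefer the fine-grained grant so the legacy path is only reported
        # when the request actually depends on it.
        if has_acl(acls, principal, "Create", TOPIC, name):
            results[name] = (True, "Create(Topic)")
        elif legacy:
            results[name] = (True, "Create(Cluster) [legacy]")
        else:
            results[name] = (False, "denied")
    return results


# Constructed sample ACLs: one legacy cluster-wide grant, one per-topic grant.
SAMPLE_ACLS = {
    Acl("User:ops", "Create", CLUSTER, CLUSTER_NAME),
    Acl("User:app", "Create", TOPIC, "orders"),
}

if __name__ == "__main__":
    for who in ("User:ops", "User:app"):
        print(who, authorize_create_topics(SAMPLE_ACLS, who, ["orders", "payments"]))
```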