While the vote is still in progress on the [VOTE] thread, (still needing an extra binding one :-) we have updated the PR to reflect the current KIP and noted that the check is performed on two distinct code paths: auto-creation and explicit creation of a topic.
Edo On 17 April 2018 at 18:30, Vahid S Hashemian <vahidhashem...@us.ibm.com> wrote: > Hi Edo, > > Thanks for addressing that concern in the KIP. > And I agree that in the long run the create cluster permission should be > deprecated. > > --Vahid > > > > > From: Edoardo Comar <eco...@uk.ibm.com> > To: dev@kafka.apache.org > Date: 04/17/2018 03:52 AM > Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics > API > > > > Thanks Vahid, > > as described in the rejected section, we wanted to get feedback on the > point : > > An alternative that we want to discuss with the community is to favour > compatibility rather than simplicity, > > and consider existing "Create Cluster" permission as equivalent to > "Create Any Topics", so that Create Cluster is allowed, skip the specific > Create Topic check. > > From the few replies so far, including yours, it seems that having a > composite check like > allowed = "has Create Cluster OR has Create Topic(TopicName) " > > is the preferred way to go for backward compatibility. > > Though we'd like to plan a deprecation for the Create Cluster check, if > wildcard support in ACLs will be added in the future. > > thoughts ? > > -------------------------------------------------- > > Edoardo Comar > > IBM Message Hub > > IBM UK Ltd, Hursley Park, SO21 2JN > > > > From: "Vahid S Hashemian" <vahidhashem...@us.ibm.com> > To: dev@kafka.apache.org > Date: 04/04/2018 16:41 > Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics > API > > > > Hi Edo, Mickael, > > The intent of this KIP seems to be rather similar to KIP-231 (Improve the > Required ACL of ListGroups API). > The feedback I received on that KIP was to allow for backward > compatibility, and, as a result, the Describe(Cluster) ACL was preserved; > and a Describe(Group) ACL was introduced. > I am wondering if both KIPs should follow the same principles in that > regard. > > Thanks. > --Vahid > > > > From: Edoardo Comar <eco...@uk.ibm.com> > To: dev <dev@kafka.apache.org> > Date: 03/29/2018 06:51 AM > Subject: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API > > > > Hi all, > > We have submitted KIP-277 to give users permission to manage the lifecycle > > > > of a defined set of topics; > the current ACL checks are for permission to create *any* topic and on > delete for permission against the *named* topics. > > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki. > apache.org_confluence_display_KAFKA_KIP-2D277-2B-2D-2BFine- > 2BGrained-2BACL-2Bfor-2BCreateTopics-2BAPI&d=DwIBAg& > c=jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj- > kjJc7uSVcviKUc&m=fFqzioVsBbv-HQSz8mOPYfz25CJAudbGSgJ3JItDVeE&s= > DzzeKHrh6r3G5Elm179qbdDLf9OC6e67zqR7d4vnre0&e= > > > > > Feedback and suggestions are welcome, thanks. > > Edo & Mickael > -------------------------------------------------- > > Edoardo Comar > > IBM Message Hub > > IBM UK Ltd, Hursley Park, SO21 2JN > Unless stated otherwise above: > IBM United Kingdom Limited - Registered in England and Wales with number > 741598. > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU > > > > > > > > Unless stated otherwise above: > IBM United Kingdom Limited - Registered in England and Wales with number > 741598. > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU > > > > > -- "When the people fear their government, there is tyranny; when the government fears the people, there is liberty." [Thomas Jefferson]
