Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-08-22 Thread Jun Rao
Grant, For your second comment, when propagating the ZK changes to acl cache, we will also update the latest ZK version. So, if ACL requests are not issued too quickly, the conditional updates to ZK should always be successful in one try. One potential benefit of serving the ACL request from any

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-08-18 Thread Grant Henke
Thanks for the feedback. Below are some responses: > I don't have any problem with breaking things into 2 requests if it's > necessary or optimal. But can you explain why separate requests "vastly > simplifies the broker side implementation"? It doesn't seem like it should > be particularly compl

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-08-13 Thread Ewen Cheslack-Postava
On Mon, Aug 8, 2016 at 2:44 PM, Grant Henke wrote: > Thank you for the feedback everyone. Below I respond to the last batch of > emails: > > You mention that "delete" actions > > will get processed before "add" actions, which makes sense to me. An > > alternative to avoid the confusion in the fir

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-08-09 Thread Jun Rao
Grant, Thanks for the reply. I had one inline reply below. On Mon, Aug 8, 2016 at 2:44 PM, Grant Henke wrote: > Thank you for the feedback everyone. Below I respond to the last batch of > emails: > > You mention that "delete" actions > > will get processed before "add" actions, which makes sens

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-08-08 Thread Grant Henke
Thank you for the feedback everyone. Below I respond to the last batch of emails: You mention that "delete" actions > will get processed before "add" actions, which makes sense to me. An > alternative to avoid the confusion in the first place would be to replace > the AlterAcls APIs with separate

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-28 Thread Gwen Shapira
In the database world (Resource, ACL) pair is typically called a "grant". (sorry) You "grant" permission on a resource to a user. http://dev.mysql.com/doc/refman/5.7/en/show-grants.html Gwen On Fri, Jul 22, 2016 at 4:13 AM, Jim Jagielski wrote: > >> On Jul 21, 2016, at 10:57 PM, Ismael Juma

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-28 Thread Jun Rao
Grant, Thanks for the writeup. Is there any benefit for sending the AlterAcls request to the controller? The controller is currently only designed for sending topic level metadata. Jun On Thu, Jul 14, 2016 at 9:09 AM, Grant Henke wrote: > The KIP-4 Delete Topic Schema vote has passed and the p

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-23 Thread Ewen Cheslack-Postava
Re: 4 and Create/Delete vs Alter, I'm a fan of being able to bundle a bunch of changes in one request. Seems like an ACL change could easily include additions + deletions and is nice to bundle in one request that can be processed as quickly as possible. I don't think it's a requirement, but the usag

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-22 Thread Jim Jagielski
> On Jul 21, 2016, at 10:57 PM, Ismael Juma wrote: > > Hi Grant, > > Thanks for the KIP. A few questions and comments: > > 1. My main concern is that we are skipping the discussion on the desired > model for controlling ACL access and updates. I understand the desire to > reduce the scope, bu

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-21 Thread Ismael Juma
Hi Grant, Thanks for the KIP. A few questions and comments: 1. My main concern is that we are skipping the discussion on the desired model for controlling ACL access and updates. I understand the desire to reduce the scope, but this seems to be a fundamental aspect of the design that we need to

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-21 Thread Jason Gustafson
Hi Grant, This looks good to me. One minor comment. You mention that "delete" actions will get processed before "add" actions, which makes sense to me. An alternative to avoid the confusion in the first place would be to replace the AlterAcls APIs with separate AddAcls and DeleteAcls APIs. Was thi

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-21 Thread Grant Henke
Anyone else have any feedback on this protocol and implementation? I plan to start a vote soon. Thank you, Grant On Fri, Jul 15, 2016 at 1:04 PM, Gwen Shapira wrote: > > My goal in the protocol design was to keep the request simple and be able > > to answer what I think are the 3 most common qu

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-15 Thread Gwen Shapira
> My goal in the protocol design was to keep the request simple and be able > to answer what I think are the 3 most common questions/requests > >- What ACLs are on the cluster? >- What access do I/they have? >- Who has access to this resource? Thanks for clarifying. I think this is goo

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-15 Thread Grant Henke
Thank you for the review Gwen, Manikumar, & Ismael. See my responses below: I am a bit confused about specifying resources. > resource_type is something like "TOPIC" and resource_name is a name of > a specific topic? This resource is a protocol representation of the existing Resource

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-15 Thread Ismael Juma
On Fri, Jul 15, 2016 at 6:45 AM, Gwen Shapira wrote: > > >> - I suggest this be addressed in KIP-50 as well, though it has > >> some compatibility concerns. > > Isn't KIP-50 itself one gigantic compatibility concern? I don't see > how your suggestions make it any worse... > Yes,

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-14 Thread Manikumar Reddy
Hi, Can we allow ListAcls to take a list of resources? This may help when we have many associated resources under the same principal. Thanks Manikumar On Fri, Jul 15, 2016 at 11:15 AM, Gwen Shapira wrote: > Thank you, Grant. This is lovely :) > > Few comments / requests for clarifications below: >

Re: [DISCUSS] KIP-4 ACL Admin Schema

2016-07-14 Thread Gwen Shapira
Thank you, Grant. This is lovely :) Few comments / requests for clarifications below: >> ListAcls Request (Version: 0) => principal resource >> principal => NULLABLE_STRING >> resource => resource_type resource_name >> resource_type => INT8 >> resource_name => STRING I am a bit conf

[DISCUSS] KIP-4 ACL Admin Schema

2016-07-14 Thread Grant Henke
The KIP-4 Delete Topic Schema vote has passed and the patch is available for review. Now I would like to start the discussion for the Acls request/response and server side implementations. This includes the ListAclsRequest/Response and the AlterAclsReques