You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by Guozhang Wang <wa...@gmail.com> on 2018/06/27 18:42:41 UTC
Re: [VOTE] KIP-277 - Fine Grained ACL for CreateTopics API
Hello guys,
Sorry for being late on this KIP, but while incorporating the docs of 277
and 290 I'm wondering if we should be extending the authorization with
create topics on other operations with these two KIPs:
Previously, in SimpleAclAuthorizer, "read, write, delete, or alter implies
allowing describe", but not "create" as it can only be applied on
"CLUSTER". It means that users need to specify additional rules for those
topics even if they are created by themselves.
One example of this is Kafka Streams' internal topics, before 2.0, users
need to add "create CLUSTER" plus "read / write TOPIC_NAME_LITERAL" with a
secured cluster, and I've seen some common scenarios where they forgot to
add the latter and was thinking that the created topics will be
auto-granted with read/write permissions.
Would it be natural to allow:
1. prefix wildcard "create" to imply prefix wildcard "read / write /
describe" (debatable whether we want to add "delete" and "alter" as well).
2. cluster "create" to imply "read / write / describe" on topics created by
the same user.
Guozhang
On Fri, May 25, 2018 at 5:55 AM, Edoardo Comar <ed...@gmail.com> wrote:
> Thanks Ismael, noted on the KIP
>
> On 21 May 2018 at 18:29, Ismael Juma <is...@juma.me.uk> wrote:
> > Thanks for the KIP, +1 (binding). Can you also please describe the
> > compatibility impact of changing the error code from
> > CLUSTER_AUTHORIZATION_FAILED to TOPIC_AUTHORIZATION_FAILED?
> >
> > Ismael
> >
> > On Wed, Apr 25, 2018 at 2:45 AM Edoardo Comar <EC...@uk.ibm.com> wrote:
> >
> >> Hi,
> >>
> >> The discuss thread on KIP-277 (
> >> https://www.mail-archive.com/dev@kafka.apache.org/msg86540.html )
> >> seems to have been fruitful and concerns have been addressed, please
> allow
> >> me start a vote on it:
> >>
> >>
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 277+-+Fine+Grained+ACL+for+CreateTopics+API
> >>
> >> I will update the small PR to the latest KIP semantics if the vote
> passes
> >> (as I hope :-).
> >>
> >> cheers
> >> Edo
> >> --------------------------------------------------
> >>
> >> Edoardo Comar
> >>
> >> IBM Message Hub
> >>
> >> IBM UK Ltd, Hursley Park, SO21 2JN
> >> Unless stated otherwise above:
> >> IBM United Kingdom Limited - Registered in England and Wales with number
> >> 741598.
> >> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
> 3AU
> >>
>
>
>
> --
> "When the people fear their government, there is tyranny; when the
> government fears the people, there is liberty." [Thomas Jefferson]
>
--
-- Guozhang
Re: [VOTE] KIP-277 - Fine Grained ACL for CreateTopics API
Posted by Edoardo Comar <EC...@uk.ibm.com>.
Hi Guozhang,
I am not sure we want to ensure that 'create' should implies 'read' and
'write'
as I can imagine an administrative role with authoprity to create/delete
but not to read (or write) topic data.
I would agree that 'create' should imply 'describe' though, as one such
admin should be able to know whether a topic exists.
Edoardo
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN
From: Guozhang Wang <wa...@gmail.com>
To: dev@kafka.apache.org
Date: 27/06/2018 19:42
Subject: Re: [VOTE] KIP-277 - Fine Grained ACL for CreateTopics API
Hello guys,
Sorry for being late on this KIP, but while incorporating the docs of 277
and 290 I'm wondering if we should be extending the authorization with
create topics on other operations with these two KIPs:
Previously, in SimpleAclAuthorizer, "read, write, delete, or alter implies
allowing describe", but not "create" as it can only be applied on
"CLUSTER". It means that users need to specify additional rules for those
topics even if they are created by themselves.
One example of this is Kafka Streams' internal topics, before 2.0, users
need to add "create CLUSTER" plus "read / write TOPIC_NAME_LITERAL" with a
secured cluster, and I've seen some common scenarios where they forgot to
add the latter and was thinking that the created topics will be
auto-granted with read/write permissions.
Would it be natural to allow:
1. prefix wildcard "create" to imply prefix wildcard "read / write /
describe" (debatable whether we want to add "delete" and "alter" as well).
2. cluster "create" to imply "read / write / describe" on topics created
by
the same user.
Guozhang
On Fri, May 25, 2018 at 5:55 AM, Edoardo Comar <ed...@gmail.com> wrote:
> Thanks Ismael, noted on the KIP
>
> On 21 May 2018 at 18:29, Ismael Juma <is...@juma.me.uk> wrote:
> > Thanks for the KIP, +1 (binding). Can you also please describe the
> > compatibility impact of changing the error code from
> > CLUSTER_AUTHORIZATION_FAILED to TOPIC_AUTHORIZATION_FAILED?
> >
> > Ismael
> >
> > On Wed, Apr 25, 2018 at 2:45 AM Edoardo Comar <EC...@uk.ibm.com>
wrote:
> >
> >> Hi,
> >>
> >> The discuss thread on KIP-277 (
> >>
https://www.mail-archive.com/dev@kafka.apache.org/msg86540.html
)
> >> seems to have been fruitful and concerns have been addressed, please
> allow
> >> me start a vote on it:
> >>
> >>
> >>
https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 277+-+Fine+Grained+ACL+for+CreateTopics+API
> >>
> >> I will update the small PR to the latest KIP semantics if the vote
> passes
> >> (as I hope :-).
> >>
> >> cheers
> >> Edo
> >> --------------------------------------------------
> >>
> >> Edoardo Comar
> >>
> >> IBM Message Hub
> >>
> >> IBM UK Ltd, Hursley Park, SO21 2JN
> >> Unless stated otherwise above:
> >> IBM United Kingdom Limited - Registered in England and Wales with
number
> >> 741598.
> >> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire
PO6
> 3AU
> >>
>
>
>
> --
> "When the people fear their government, there is tyranny; when the
> government fears the people, there is liberty." [Thomas Jefferson]
>
--
-- Guozhang
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU