Posted to dev@kafka.apache.org by Vahid S Hashemian <va...@us.ibm.com> on 2018/04/04 15:40:54 UTC
Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Hi Edo, Mickael,
The intent of this KIP seems to be rather similar to KIP-231 (Improve the
Required ACL of ListGroups API).
The feedback I received on that KIP was to allow for backward
compatibility, and, as a result, the Describe(Cluster) ACL was preserved;
and a Describe(Group) ACL was introduced.
I am wondering if both KIPs should follow the same principles in that
regard.
Thanks.
--Vahid
From: Edoardo Comar <EC...@uk.ibm.com>
To: dev <de...@kafka.apache.org>
Date: 03/29/2018 06:51 AM
Subject: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Hi all,
We have submitted KIP-277 to give users permission to manage the lifecycle
of a defined set of topics;
the current ACL checks are for permission to create *any* topic and on
delete for permission against the *named* topics.
https://cwiki.apache.org/confluence/display/KAFKA/KIP-277+-+Fine+Grained+ACL+for+CreateTopics+API
Feedback and suggestions are welcome, thanks.
Edo & Mickael
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number
741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Posted by Edoardo Comar <ed...@gmail.com>.
While the vote is still in progress on the [VOTE] thread, (still needing an
extra binding one :-)
we have updated the PR to reflect the current KIP and noted that the check
is performed on two distinct code paths: auto-creation and explicit
creation of a topic.
Edo
On 17 April 2018 at 18:30, Vahid S Hashemian <va...@us.ibm.com>
wrote:
> Hi Edo,
>
> Thanks for addressing that concern in the KIP.
> And I agree that in the long run the create cluster permission should be
> deprecated.
>
> --Vahid
--
"When the people fear their government, there is tyranny; when the
government fears the people, there is liberty." [Thomas Jefferson]
Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Posted by Vahid S Hashemian <va...@us.ibm.com>.
Hi Edo,
Thanks for addressing that concern in the KIP.
And I agree that in the long run the create cluster permission should be
deprecated.
--Vahid
From: Edoardo Comar <EC...@uk.ibm.com>
To: dev@kafka.apache.org
Date: 04/17/2018 03:52 AM
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics
API
Thanks Vahid,
as described in the rejected section, we wanted to get feedback on the
point :
> An alternative that we want to discuss with the community is to favour
> compatibility rather than simplicity,
> and consider existing "Create Cluster" permission as equivalent to
> "Create Any Topics", so that Create Cluster is allowed, skip the specific
> Create Topic check.
From the few replies so far, including yours, it seems that having a
composite check like
allowed = "has Create Cluster OR has Create Topic(TopicName) "
is the preferred way to go for backward compatibility.
Though we'd like to plan a deprecation for the Create Cluster check, if
wildcard support in ACLs will be added in the future.
thoughts ?
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN
Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API
Posted by Edoardo Comar <EC...@uk.ibm.com>.
Thanks Vahid,
as described in the rejected section, we wanted to get feedback on the
point :
> An alternative that we want to discuss with the community is to favour
> compatibility rather than simplicity,
> and consider existing "Create Cluster" permission as equivalent to
> "Create Any Topics", so that Create Cluster is allowed, skip the specific
> Create Topic check.
From the few replies so far, including yours, it seems that having a
composite check like
allowed = "has Create Cluster OR has Create Topic(TopicName) "
is the preferred way to go for backward compatibility.
Though we'd like to plan a deprecation for the Create Cluster check, if
wildcard support in ACLs will be added in the future.
thoughts ?
--------------------------------------------------
Edoardo Comar
IBM Message Hub
IBM UK Ltd, Hursley Park, SO21 2JN
From: "Vahid S Hashemian" <va...@us.ibm.com>
To: dev@kafka.apache.org
Date: 04/04/2018 16:41
Subject: Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics
API
Hi Edo, Mickael,
The intent of this KIP seems to be rather similar to KIP-231 (Improve the
Required ACL of ListGroups API).
The feedback I received on that KIP was to allow for backward
compatibility, and, as a result, the Describe(Cluster) ACL was preserved;
and a Describe(Group) ACL was introduced.
I am wondering if both KIPs should follow the same principles in that
regard.
Thanks.
--Vahid
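The composite check discussed in this thread, as an added example that is not part of the original messages or of the Kafka PR: a toy in-memory model showing how a cluster-wide Create grant and a per-topic Create grant are evaluated on both the explicit-creation and auto-creation paths. The class, its method names, the "CLUSTER"/"TOPIC:<name>" encoding and the principals and topics are all constructed for illustration; the `autoCreateEnabled` flag stands in for the broker's `auto.create.topics.enable` setting.

```java
import java.util.*;

// Added illustration: a toy model of the decision, not Kafka's authorizer code.
public class CreateTopicAclModel {
    // principal -> resources with Create allowed, encoded as "CLUSTER" or
    // "TOPIC:<name>" (hypothetical encoding for this example only)
    private final Map<String, Set<String>> createAcls = new HashMap<>();

    void allowCreate(String principal, String resource) {
        createAcls.computeIfAbsent(principal, p -> new HashSet<>()).add(resource);
    }

    private boolean has(String principal, String resource) {
        Set<String> granted = createAcls.get(principal);
        return granted != null && granted.contains(resource);
    }

    // Check as the thread describes it before the KIP: create *any* topic.
    boolean legacyCheck(String principal) {
        return has(principal, "CLUSTER");
    }

    // allowed = "has Create Cluster OR has Create Topic(TopicName)"
    boolean compositeCheck(String principal, String topic) {
        return has(principal, "CLUSTER") || has(principal, "TOPIC:" + topic);
    }

    // Both code paths named in the thread must reach the same decision;
    // a path that kept only the cluster check would ignore per-topic grants.
    boolean explicitCreate(String principal, String topic) {
        return compositeCheck(principal, topic);
    }

    boolean autoCreate(String principal, String topic, boolean autoCreateEnabled) {
        return autoCreateEnabled && compositeCheck(principal, topic);
    }

    public static void main(String[] args) {
        CreateTopicAclModel acls = new CreateTopicAclModel();
        acls.allowCreate("User:ops", "CLUSTER");             // constructed legacy grant
        acls.allowCreate("User:orders-app", "TOPIC:orders"); // constructed fine-grained grant
        String[][] cases = {{"User:ops", "payments"}, {"User:orders-app", "orders"},
                            {"User:orders-app", "payments"}, {"User:guest", "orders"}};
        for (String[] c : cases) {
            System.out.printf("%-16s %-9s legacy=%-5b explicit=%-5b auto=%b%n", c[0], c[1],
                acls.legacyCheck(c[0]), acls.explicitCreate(c[0], c[1]),
                acls.autoCreate(c[0], c[1], true));
        }
    }
}
```

In this model the legacy principal keeps its ability to create any topic, while the per-topic principal is allowed only for the topic it was granted, which the cluster-only check would have refused.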