Posted to dev@kafka.apache.org by Vahid S Hashemian <va...@us.ibm.com> on 2018/04/04 15:40:54 UTC

Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Hi Edo, Mickael,

The intent of this KIP seems to be rather similar to KIP-231 (Improve the 
Required ACL of ListGroups API).
The feedback I received on that KIP was to allow for backward 
compatibility, and, as a result, the Describe(Cluster) ACL was preserved; 
and a Describe(Group) ACL was introduced.
I am wondering if both KIPs should follow the same principles in that 
regard.

Thanks.
--Vahid



From:   Edoardo Comar <EC...@uk.ibm.com>
To:     dev <de...@kafka.apache.org>
Date:   03/29/2018 06:51 AM
Subject:        [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API



Hi all,

We have submitted KIP-277 to give users permission to manage the lifecycle
of a defined set of topics;
the current ACL checks are for permission to create *any* topic and on 
delete for permission against the *named* topics.

https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D277-2B-2D-2BFine-2BGrained-2BACL-2Bfor-2BCreateTopics-2BAPI&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj-kjJc7uSVcviKUc&m=fFqzioVsBbv-HQSz8mOPYfz25CJAudbGSgJ3JItDVeE&s=DzzeKHrh6r3G5Elm179qbdDLf9OC6e67zqR7d4vnre0&e=


Feedback and suggestions are welcome, thanks.

Edo & Mickael
--------------------------------------------------

Edoardo Comar

IBM Message Hub

IBM UK Ltd, Hursley Park, SO21 2JN
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 
741598. 
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU





Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Posted by Edoardo Comar <ed...@gmail.com>.
While the vote is still in progress on the [VOTE] thread, (still needing an
extra binding one :-)
we have updated the PR to reflect the current KIP and noted that the check
is performed on two distinct code paths: auto-creation and explicit
creation of a topic.

Edo

On 17 April 2018 at 18:30, Vahid S Hashemian <va...@us.ibm.com>
wrote:

> Hi Edo,
>
> Thanks for addressing that concern in the KIP.
> And I agree that in the long run the create cluster permission should be
> deprecated.
>
> --Vahid
>
>
>
>
> From:   Edoardo Comar <EC...@uk.ibm.com>
> To:     dev@kafka.apache.org
> Date:   04/17/2018 03:52 AM
> Subject:        Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics
> API
>
>
>
> Thanks Vahid,
>
> as described in the rejected section, we wanted to get feedback on the
> point:
> > An alternative that we want to discuss with the community is to favour
> > compatibility rather than simplicity,
> > and consider existing "Create Cluster" permission as equivalent to
> > "Create Any Topics", so that Create Cluster is allowed, skip the specific
> > Create Topic check.
>
> From the few replies so far, including yours, it seems that having a
> composite check like
> allowed = "has Create Cluster OR has Create Topic(TopicName) "
>
> is the preferred way to go for backward compatibility.
>
> Though we'd like to plan a deprecation for the Create Cluster check, if
> wildcard support in ACLs will be added in the future.
>
> thoughts ?
>
> --------------------------------------------------
>
> Edoardo Comar
>
> IBM Message Hub
>
> IBM UK Ltd, Hursley Park, SO21 2JN
>
>
>


-- 
"When the people fear their government, there is tyranny; when the
government fears the people, there is liberty." [Thomas Jefferson]

Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Posted by Vahid S Hashemian <va...@us.ibm.com>.
Hi Edo,

Thanks for addressing that concern in the KIP.
And I agree that in the long run the create cluster permission should be 
deprecated.

--Vahid









Re: [DISCUSS] KIP-277 - Fine Grained ACL for CreateTopics API

Posted by Edoardo Comar <EC...@uk.ibm.com>.
Thanks Vahid,

as described in the rejected section, we wanted to get feedback on the 
point:
> An alternative that we want to discuss with the community is to favour
> compatibility rather than simplicity,
> and consider existing "Create Cluster" permission as equivalent to
> "Create Any Topics", so that Create Cluster is allowed, skip the specific
> Create Topic check.

From the few replies so far, including yours, it seems that having a 
composite check like
allowed = "has Create Cluster OR has Create Topic(TopicName) " 

is the preferred way to go for backward compatibility. 

Though we'd like to plan a deprecation for the Create Cluster check, if 
wildcard support in ACLs will be added in the future.

thoughts ?

--------------------------------------------------

Edoardo Comar

IBM Message Hub

IBM UK Ltd, Hursley Park, SO21 2JN
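
Added example, not part of the thread and not code from the Kafka project: a self-contained Java model of the composite check discussed above (Create on the cluster OR Create on the named topic), called from both the explicit-creation and the auto-creation path. The class, method, principal and topic names are constructed for illustration; deny rules and wildcard matching are left out, and the decision records which grant allowed the request so that remaining reliance on the cluster-level grant can be measured before any deprecation.

```java
import java.util.*;

public class CreateTopicAclCheck {
    enum ResourceType { CLUSTER, TOPIC }
    enum Decision { ALLOWED_BY_TOPIC, ALLOWED_BY_CLUSTER, DENIED }

    // One allow rule: principal holds Create on (type, name). Names match literally, no wildcards.
    record CreateAcl(String principal, ResourceType type, String name) {}

    static final String CLUSTER = "kafka-cluster"; // label for the single cluster resource

    private final Set<CreateAcl> acls = new HashSet<>();

    void allow(String principal, ResourceType type, String name) {
        acls.add(new CreateAcl(principal, type, name));
    }

    // Composite check: Create on Topic(topic) OR Create on Cluster.
    // The topic grant is tested first so reliance on the legacy cluster grant stays visible.
    Decision decide(String principal, String topic) {
        if (acls.contains(new CreateAcl(principal, ResourceType.TOPIC, topic)))
            return Decision.ALLOWED_BY_TOPIC;
        if (acls.contains(new CreateAcl(principal, ResourceType.CLUSTER, CLUSTER)))
            return Decision.ALLOWED_BY_CLUSTER;
        return Decision.DENIED;
    }

    // Explicit creation path: every topic in the request gets its own decision.
    Map<String, Decision> explicitCreate(String principal, List<String> topics) {
        Map<String, Decision> out = new LinkedHashMap<>();
        for (String t : topics) out.put(t, decide(principal, t));
        return out;
    }

    // Auto-creation path: must call the same decision function, or the two paths drift apart.
    boolean autoCreate(String principal, String topic) {
        return decide(principal, topic) != Decision.DENIED;
    }

    public static void main(String[] args) {
        CreateTopicAclCheck authz = new CreateTopicAclCheck();
        authz.allow("User:legacy-admin", ResourceType.CLUSTER, CLUSTER); // constructed pre-KIP grant
        authz.allow("User:orders-svc", ResourceType.TOPIC, "orders");    // constructed per-topic grant

        System.out.println(authz.explicitCreate("User:orders-svc", List.of("orders", "payments")));
        System.out.println(authz.autoCreate("User:orders-svc", "payments"));
        System.out.println(authz.explicitCreate("User:legacy-admin", List.of("orders")));
    }
}
```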


