You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@kafka.apache.org by Vahid S Hashemian <va...@us.ibm.com> on 2017/07/10 20:12:59 UTC
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of
OffsetFetch
I'm bumping this up again to get some feedback, especially from some of
the committers, on the KIP and on the note below.
Thanks.
--Vahid
From: "Vahid S Hashemian" <va...@us.ibm.com>
To: dev@kafka.apache.org
Cc: "Kafka User" <us...@kafka.apache.org>
Date: 06/21/2017 12:49 PM
Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
Permission of OffsetFetch
I appreciate everyone's feedback so far on this KIP.
Before starting a vote, I'd like to also ask for feedback on the
"Additional Food for Thought" section in the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought
I just added some more details in that section, which I hope further
clarifies the suggestion there.
Thanks.
--Vahid
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of
OffsetFetch
Posted by Vahid S Hashemian <va...@us.ibm.com>.
Hi Ewen,
Thanks for reviewing the KIP.
Your comment about the "food for thought" section makes sense. It seems
like a bug to me, not sure how you and others feel about it. I'll remove
it for now, and open a separate JIRA for it, so we have a record of it.
The read vs. write discussion and fixing the confusion seems to be an even
bigger task, and will be addressed in its own KIP, if necessary.
The KIP will be updated shortly.
Thanks again.
--Vahid
From: Ewen Cheslack-Postava <ew...@confluent.io>
To: dev@kafka.apache.org
Cc: Kafka User <us...@kafka.apache.org>
Date: 07/24/2017 10:36 AM
Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
Permission of OffsetFetch
Vahid,
Thanks for the KIP. I think we're mostly in violent agreement that the
lack
of any Write permissions on consumer groups is confusing. Unfortunately
it's a pretty annoying issue to fix since it would require an increase in
permissions. More generally, I think it's unfortunate because by squeezing
all permissions into the lowest two levels, we have no room for
refinement,
e.g. if we realize some permission needs to have a lower level of access
but higher than Describe, without adding new levels.
I'm +1 on the KIP. I don't think it's ideal given the discussion of Read
vs
Write since I think Read is the correct permission in theory, but given
where we are now it makes sense.
Regarding the extra food for thought, I think such a change would require
some plan for how to migrate people over to it. The main proposal in the
KIP works without any migration plan because it is reducing the required
permissions, but changing the requirement for listing a group to Describe
(Group) would be adding/changing the requirements, which would be
backwards
incompatible. I'd be open to doing it, but it'd require some thought about
how it would impact users and how we'd migrate them to the updated rule
(or
just agree that it is a bug and that including upgrade notes would be
sufficient).
-Ewen
On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian <
vahidhashemian@us.ibm.com> wrote:
> I'm bumping this up again to get some feedback, especially from some of
> the committers, on the KIP and on the note below.
>
> Thanks.
> --Vahid
>
>
>
>
> From: "Vahid S Hashemian" <va...@us.ibm.com>
> To: dev@kafka.apache.org
> Cc: "Kafka User" <us...@kafka.apache.org>
> Date: 06/21/2017 12:49 PM
> Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
> Permission of OffsetFetch
>
>
>
> I appreciate everyone's feedback so far on this KIP.
>
> Before starting a vote, I'd like to also ask for feedback on the
> "Additional Food for Thought" section in the KIP:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:
>
LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought
>
> I just added some more details in that section, which I hope further
> clarifies the suggestion there.
>
> Thanks.
> --Vahid
>
>
>
>
>
>
>
>
>
>
>
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of
OffsetFetch
Posted by Vahid S Hashemian <va...@us.ibm.com>.
Hi Ewen,
Thanks for reviewing the KIP.
Your comment about the "food for thought" section makes sense. It seems
like a bug to me, not sure how you and others feel about it. I'll remove
it for now, and open a separate JIRA for it, so we have a record of it.
The read vs. write discussion and fixing the confusion seems to be an even
bigger task, and will be addressed in its own KIP, if necessary.
The KIP will be updated shortly.
Thanks again.
--Vahid
From: Ewen Cheslack-Postava <ew...@confluent.io>
To: dev@kafka.apache.org
Cc: Kafka User <us...@kafka.apache.org>
Date: 07/24/2017 10:36 AM
Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
Permission of OffsetFetch
Vahid,
Thanks for the KIP. I think we're mostly in violent agreement that the
lack
of any Write permissions on consumer groups is confusing. Unfortunately
it's a pretty annoying issue to fix since it would require an increase in
permissions. More generally, I think it's unfortunate because by squeezing
all permissions into the lowest two levels, we have no room for
refinement,
e.g. if we realize some permission needs to have a lower level of access
but higher than Describe, without adding new levels.
I'm +1 on the KIP. I don't think it's ideal given the discussion of Read
vs
Write since I think Read is the correct permission in theory, but given
where we are now it makes sense.
Regarding the extra food for thought, I think such a change would require
some plan for how to migrate people over to it. The main proposal in the
KIP works without any migration plan because it is reducing the required
permissions, but changing the requirement for listing a group to Describe
(Group) would be adding/changing the requirements, which would be
backwards
incompatible. I'd be open to doing it, but it'd require some thought about
how it would impact users and how we'd migrate them to the updated rule
(or
just agree that it is a bug and that including upgrade notes would be
sufficient).
-Ewen
On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian <
vahidhashemian@us.ibm.com> wrote:
> I'm bumping this up again to get some feedback, especially from some of
> the committers, on the KIP and on the note below.
>
> Thanks.
> --Vahid
>
>
>
>
> From: "Vahid S Hashemian" <va...@us.ibm.com>
> To: dev@kafka.apache.org
> Cc: "Kafka User" <us...@kafka.apache.org>
> Date: 06/21/2017 12:49 PM
> Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
> Permission of OffsetFetch
>
>
>
> I appreciate everyone's feedback so far on this KIP.
>
> Before starting a vote, I'd like to also ask for feedback on the
> "Additional Food for Thought" section in the KIP:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:
>
LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought
>
> I just added some more details in that section, which I hope further
> clarifies the suggestion there.
>
> Thanks.
> --Vahid
>
>
>
>
>
>
>
>
>
>
>
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Posted by Ewen Cheslack-Postava <ew...@confluent.io>.
Vahid,
Thanks for the KIP. I think we're mostly in violent agreement that the lack
of any Write permissions on consumer groups is confusing. Unfortunately
it's a pretty annoying issue to fix since it would require an increase in
permissions. More generally, I think it's unfortunate because by squeezing
all permissions into the lowest two levels, we have no room for refinement,
e.g. if we realize some permission needs to have a lower level of access
but higher than Describe, without adding new levels.
I'm +1 on the KIP. I don't think it's ideal given the discussion of Read vs
Write since I think Read is the correct permission in theory, but given
where we are now it makes sense.
Regarding the extra food for thought, I think such a change would require
some plan for how to migrate people over to it. The main proposal in the
KIP works without any migration plan because it is reducing the required
permissions, but changing the requirement for listing a group to Describe
(Group) would be adding/changing the requirements, which would be backwards
incompatible. I'd be open to doing it, but it'd require some thought about
how it would impact users and how we'd migrate them to the updated rule (or
just agree that it is a bug and that including upgrade notes would be
sufficient).
-Ewen
On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian <
vahidhashemian@us.ibm.com> wrote:
> I'm bumping this up again to get some feedback, especially from some of
> the committers, on the KIP and on the note below.
>
> Thanks.
> --Vahid
>
>
>
>
> From: "Vahid S Hashemian" <va...@us.ibm.com>
> To: dev@kafka.apache.org
> Cc: "Kafka User" <us...@kafka.apache.org>
> Date: 06/21/2017 12:49 PM
> Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
> Permission of OffsetFetch
>
>
>
> I appreciate everyone's feedback so far on this KIP.
>
> Before starting a vote, I'd like to also ask for feedback on the
> "Additional Food for Thought" section in the KIP:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:
> LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought
>
> I just added some more details in that section, which I hope further
> clarifies the suggestion there.
>
> Thanks.
> --Vahid
>
>
>
>
>
>
>
>
>
>
>
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Posted by Ewen Cheslack-Postava <ew...@confluent.io>.
Vahid,
Thanks for the KIP. I think we're mostly in violent agreement that the lack
of any Write permissions on consumer groups is confusing. Unfortunately
it's a pretty annoying issue to fix since it would require an increase in
permissions. More generally, I think it's unfortunate because by squeezing
all permissions into the lowest two levels, we have no room for refinement,
e.g. if we realize some permission needs to have a lower level of access
but higher than Describe, without adding new levels.
I'm +1 on the KIP. I don't think it's ideal given the discussion of Read vs
Write since I think Read is the correct permission in theory, but given
where we are now it makes sense.
Regarding the extra food for thought, I think such a change would require
some plan for how to migrate people over to it. The main proposal in the
KIP works without any migration plan because it is reducing the required
permissions, but changing the requirement for listing a group to Describe
(Group) would be adding/changing the requirements, which would be backwards
incompatible. I'd be open to doing it, but it'd require some thought about
how it would impact users and how we'd migrate them to the updated rule (or
just agree that it is a bug and that including upgrade notes would be
sufficient).
-Ewen
On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian <
vahidhashemian@us.ibm.com> wrote:
> I'm bumping this up again to get some feedback, especially from some of
> the committers, on the KIP and on the note below.
>
> Thanks.
> --Vahid
>
>
>
>
> From: "Vahid S Hashemian" <va...@us.ibm.com>
> To: dev@kafka.apache.org
> Cc: "Kafka User" <us...@kafka.apache.org>
> Date: 06/21/2017 12:49 PM
> Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL
> Permission of OffsetFetch
>
>
>
> I appreciate everyone's feedback so far on this KIP.
>
> Before starting a vote, I'd like to also ask for feedback on the
> "Additional Food for Thought" section in the KIP:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:
> LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought
>
> I just added some more details in that section, which I hope further
> clarifies the suggestion there.
>
> Thanks.
> --Vahid
>
>
>
>
>
>
>
>
>
>
>