Hi Viktor,

As per the KIP, it's not only the superuser; any user with the required permissions
(CreateTokens on Cluster Resource) can create tokens for other users.
The currently proposed permissions are defined like "UserA can create tokens for any
user".
I am thinking, can we change the permissions to be like "UserA can create tokens
for UserB, UserC"?

Thanks,

On Fri, Aug 9, 2019 at 6:39 PM Viktor Somogyi-Vass <viktorsomo...@gmail.com>
wrote:

> Hey Manikumar,
>
> Thanks for the feedback.
> I'm not sure I fully grasp the use-case. Would this be a quota? Do we say
> something like "there can be 10 active delegation tokens at a time that is
> created by superuserA for other users"?
> I think such a feature could be useful to limit the responsibility of said
> superuser (and blast radius in case of a faulty/malicious superuser) and
> also to limit potential programming errors. Do you have other use cases
> too?
>
> Thanks,
> Viktor
>
>
> On Tue, Aug 6, 2019 at 1:28 PM Manikumar <manikumar.re...@gmail.com>
> wrote:
>
> > Hi Viktor,
> >
> > Thanks for taking over this KIP.
> >
> > The currently proposed ACL changes allow users to create tokens for any user.
> > Thinking again about this, admins may want to configure a user to
> > impersonate a limited number of other users.
> > This allows us to configure fine-grained permissions. But this requires a
> > new resourceType "User". What do you think?
> >
> >
> > Thanks,
> > Manikumar
> >
> >
> > On Wed, Jul 31, 2019 at 2:26 PM Viktor Somogyi-Vass <
> > viktorsomo...@gmail.com>
> > wrote:
> >
> > > Hi Folks,
> > >
> > > I'm starting a vote on this.
> > >
> > > Viktor
> > >
> > > On Thu, Jun 27, 2019 at 12:02 PM Viktor Somogyi-Vass <
> > > viktorsomo...@gmail.com> wrote:
> > >
> > > > Hi Folks,
> > > >
> > > > > I took over this issue from Manikumar. Recently another motivation has
> > > > > been raised in Spark for this (SPARK-28173) and I think it'd be great to
> > > > > continue this task.
> > > > > I updated the KIP and will wait for a few days to get some feedback, then
> > > > > proceed to the vote.
> > > >
> > > > Thanks,
> > > > Viktor
> > > >
> > > > > On Tue, Dec 11, 2018 at 8:29 AM Manikumar <manikumar.re...@gmail.com>
> > > > > wrote:
> > > >
> > > >> Hi Harsha,
> > > >>
> > > >> Thanks for the review.
> > > >>
> > > > >> With this KIP a designated superuser can create tokens without requiring
> > > > >> individual user credentials.
> > > > >> Any client can authenticate brokers using the created tokens. We may not
> > > > >> call this impersonation,
> > > > >> since the clients' API calls are executing on their own authenticated
> > > > >> connections.
> > > >>
> > > >> Thanks,
> > > >> Manikumar
> > > >>
> > > >> On Fri, Dec 7, 2018 at 11:56 PM Harsha <ka...@harsha.io> wrote:
> > > >>
> > > >> > Hi Mani,
> > > > >> > Overall the KIP looks good to me. Can we call this Impersonation
> > > > >> > support, which is what the KIP is doing?
> > > > >> > Also, instead of using super.users as the config, which essentially gives
> > > > >> > cluster-wide support to the users, we can introduce impersonation.users as
> > > > >> > a config, and users listed in the config are allowed to impersonate other
> > > > >> > users.
> > > >> >
> > > >> > Thanks,
> > > >> > Harsha
> > > >> >
> > > >> >
> > > >> > On Fri, Dec 7, 2018, at 3:58 AM, Manikumar wrote:
> > > >> > > Bump up! to get some attention.
> > > >> > >
> > > > >> > > BTW, recently Apache Spark added support for Kafka delegation tokens.
> > > > >> > > https://issues.apache.org/jira/browse/SPARK-25501
> > > > >> > >
> > > > >> > > On Fri, Dec 7, 2018 at 5:27 PM Manikumar <manikumar.re...@gmail.com>
> > > > >> > > wrote:
> > > > >> > >
> > > > >> > > > Bump up! to get some attention.
> > > > >> > > >
> > > > >> > > > BTW, recently Apache Spark added Kafka delegation token support.
> > > > >> > > > https://issues.apache.org/jira/browse/SPARK-25501
> > > >> > > >
> > > > >> > > > On Tue, Sep 25, 2018 at 9:56 PM Manikumar <manikumar.re...@gmail.com>
> > > > >> > > > wrote:
> > > > >> > > >
> > > > >> > > >> Hi all,
> > > > >> > > >>
> > > > >> > > >> I have created a KIP that proposes to allow users to create delegation
> > > > >> > > >> tokens for other users.
> > > > >> > > >>
> > > > >> > > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-373%3A+Allow+users+to+create+delegation+tokens+for+other+users
> > > >> > > >>
> > > >> > > >> Please take a look when you get a chance.
> > > >> > > >>
> > > >> > > >> Thanks,
> > > >> > > >> Manikumar
> > > >> > > >>
> > > >> > > >
> > > >> >
> > > >>
> > > >
> > >
> >
>
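
Added example, not part of the thread or of the KIP-373 text: a toy Python model of the two permission shapes discussed above, a cluster-wide CreateTokens grant versus per-owner grants on a "User" resource type, showing whose tokens a compromised UserA could mint under each. The `Acl` tuple, the resource name `kafka-cluster`, the user list and the rule that a user may always create its own token are assumptions for illustration; this is not Kafka's authorizer.

```python
from typing import NamedTuple

class Acl(NamedTuple):
    """Hypothetical ACL entry; field names are illustrative, not Kafka's API."""
    principal: str      # who holds the grant
    operation: str      # e.g. "CreateTokens"
    resource_type: str  # "Cluster" (current proposal) or "User" (suggested)
    resource_name: str  # cluster name, or the token owner's user name

# Constructed sample data.
USERS = {"UserA", "UserB", "UserC", "UserD"}

# "UserA can create tokens for any user"
COARSE = [Acl("UserA", "CreateTokens", "Cluster", "kafka-cluster")]

# "UserA can create tokens for UserB, UserC"
FINE = [
    Acl("UserA", "CreateTokens", "User", "UserB"),
    Acl("UserA", "CreateTokens", "User", "UserC"),
]

def may_create_token(acls, requester, owner):
    """Deny by default. Assumption: a user may always create its own token."""
    if requester == owner:
        return True
    for acl in acls:
        if acl.principal != requester or acl.operation != "CreateTokens":
            continue
        if acl.resource_type == "Cluster":
            return True  # cluster-wide grant covers every owner
        if acl.resource_type == "User" and acl.resource_name == owner:
            return True  # grant scoped to this one owner
    return False

def blast_radius(acls, requester, users=USERS):
    """Other users whose tokens `requester` could mint if it were compromised."""
    return {u for u in users
            if u != requester and may_create_token(acls, requester, u)}

if __name__ == "__main__":
    for label, acls in (("cluster-wide", COARSE), ("per-user", FINE)):
        print(label, sorted(blast_radius(acls, "UserA")))
```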
