+1 for better access control here. In general, impersonating another user seems 
like it’s equivalent to super user access.

Colin

On Mon, Aug 12, 2019, at 05:43, Manikumar wrote:
> Hi Viktor,
> 
> As per the KIP, it's not only superuser, any user with required permissions
> (CreateTokens on Cluster Resource), can create the tokens for other users.
> Current proposed permissions are defined like, "UserA can create tokens for any
> user".
> I am thinking, can we change the permissions like "UserA can create tokens
> for UserB, UserC"?
> 
> Thanks,
>
> On Fri, Aug 9, 2019 at 6:39 PM Viktor Somogyi-Vass <viktorsomo...@gmail.com>
> wrote:
> 
> > Hey Manikumar,
> >
> > Thanks for the feedback.
> > I'm not sure I fully grasp the use-case. Would this be a quota? Do we say
> > something like "there can be 10 active delegation tokens at a time that is
> > created by superuserA for other users"?
> > I think such a feature could be useful to limit the responsibility of said
> > superuser (and blast radius in case of a faulty/malicious superuser) and
> > also to limit potential programming errors. Do you have other use cases
> > too?
> >
> > Thanks,
> > Viktor
> >
> >
> > On Tue, Aug 6, 2019 at 1:28 PM Manikumar <manikumar.re...@gmail.com>
> > wrote:
> >
> > > Hi Viktor,
> > >
> > > Thanks for taking over this KIP.
> > >
> > > Current proposed ACL changes allow users to create tokens for any user.
> > > Thinking again about this, admins may want to configure a user to
> > > impersonate a limited number of other users.
> > > This allows us to configure fine-grained permissions. But this requires a
> > > new resourceType "User". What do you think?
> > >
> > >
> > > Thanks,
> > > Manikumar
> > >
> > >
> > > On Wed, Jul 31, 2019 at 2:26 PM Viktor Somogyi-Vass <
> > > viktorsomo...@gmail.com>
> > > wrote:
> > >
> > > > Hi Folks,
> > > >
> > > > I'm starting a vote on this.
> > > >
> > > > Viktor
> > > >
> > > > On Thu, Jun 27, 2019 at 12:02 PM Viktor Somogyi-Vass <
> > > > viktorsomo...@gmail.com> wrote:
> > > >
> > > > > Hi Folks,
> > > > >
> > > > > > I took over this issue from Manikumar. Recently another motivation has
> > > > > > been raised in Spark for this (SPARK-28173) and I think it'd be great to
> > > > > > continue this task.
> > > > > > I updated the KIP and will wait for a few days to get some feedback then
> > > > > > proceed for the vote.
> > > > >
> > > > > Thanks,
> > > > > Viktor
> > > > >
> > > > > > On Tue, Dec 11, 2018 at 8:29 AM Manikumar <manikumar.re...@gmail.com>
> > > > > > wrote:
> > > > >
> > > > >> Hi Harsha,
> > > > >>
> > > > >> Thanks for the review.
> > > > >>
> > > > > >> With this KIP a designated superuser can create tokens without requiring
> > > > > >> individual user credentials.
> > > > > >> Any client can authenticate brokers using the created tokens. We may not
> > > > > >> call this impersonation,
> > > > > >> since the clients' API calls are executing on their own authenticated
> > > > > >> connections.
> > > > >>
> > > > >> Thanks,
> > > > >> Manikumar
> > > > >>
> > > > >> On Fri, Dec 7, 2018 at 11:56 PM Harsha <ka...@harsha.io> wrote:
> > > > >>
> > > > >> > Hi Mani,
> > > > > >> > Overall KIP looks good to me. Can we call this Impersonation
> > > > > >> > support, which is what the KIP is doing?
> > > > > >> > Also instead of using super.users as the config, which is essentially giving
> > > > > >> > cluster-wide support to the users, we can introduce impersonation.users as
> > > > > >> > a config and users listed in the config are allowed to impersonate other
> > > > > >> > users.
> > > > >> >
> > > > >> > Thanks,
> > > > >> > Harsha
> > > > >> >
> > > > >> >
> > > > >> > On Fri, Dec 7, 2018, at 3:58 AM, Manikumar wrote:
> > > > >> > > Bump up! to get some attention.
> > > > >> > >
> > > > > >> > > BTW, recently Apache Spark added support for Kafka delegation token.
> > > > > >> > > https://issues.apache.org/jira/browse/SPARK-25501
> > > > > >> > >
> > > > > >> > > On Fri, Dec 7, 2018 at 5:27 PM Manikumar <manikumar.re...@gmail.com>
> > > > > >> > > wrote:
> > > > > >> > >
> > > > > >> > > > Bump up! to get some attention.
> > > > > >> > > >
> > > > > >> > > > BTW, recently Apache Spark added Kafka delegation token support.
> > > > > >> > > > https://issues.apache.org/jira/browse/SPARK-25501
> > > > > >> > > >
> > > > > >> > > > On Tue, Sep 25, 2018 at 9:56 PM Manikumar <manikumar.re...@gmail.com>
> > > > > >> > > > wrote:
> > > > > >> > > >
> > > > > >> > > >> Hi all,
> > > > > >> > > >>
> > > > > >> > > >> I have created a KIP that proposes to allow users to create delegation
> > > > > >> > > >> tokens for other users.
> > > > > >> > > >>
> > > > > >> > > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-373%3A+Allow+users+to+create+delegation+tokens+for+other+users
> > > > >> > > >>
> > > > >> > > >> Please take a look when you get a chance.
> > > > >> > > >>
> > > > >> > > >> Thanks,
> > > > >> > > >> Manikumar
> > > > >> > > >>
> > > > >> > > >
> > > > >> >
> > > > >>
> > > > >
> > > >
> > >
> >
> 
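
The two permission models discussed in this thread ("UserA can create tokens for any user" versus "UserA can create tokens for UserB, UserC"), as an added Python sketch that is not part of the original messages and is not Kafka's authorizer code. The principal names, the representation of the proposed `User` resource type, the self-service rule and the sample ACLs are all constructed assumptions.

```python
from dataclasses import dataclass

CREATE_TOKENS = "CreateTokens"
CLUSTER = "Cluster"
USER = "User"  # hypothetical resource type, as suggested in the thread


@dataclass(frozen=True)
class Acl:
    principal: str       # who holds the permission
    operation: str
    resource_type: str
    resource_name: str   # for USER resources: the principal that may be impersonated


def may_create_token(acls, requester, owner, per_user):
    """Decide whether `requester` may create a delegation token owned by `owner`.

    per_user=False: CreateTokens on the Cluster resource covers every owner.
    per_user=True:  only CreateTokens on the matching User resource counts.
    """
    if requester == owner:  # assumption: creating a token for yourself needs no ACL
        return True
    for acl in acls:
        if acl.principal != requester or acl.operation != CREATE_TOKENS:
            continue
        if not per_user and acl.resource_type == CLUSTER:
            return True
        if per_user and acl.resource_type == USER and acl.resource_name == owner:
            return True
    return False


def reachable_owners(acls, requester, principals, per_user):
    """Blast radius: every principal the requester could obtain a token for."""
    return sorted(p for p in principals if may_create_token(acls, requester, p, per_user))


# Constructed sample data; User:admin stands for a configured superuser.
PRINCIPALS = ["User:admin", "User:alice", "User:bob", "User:carol", "User:launcher"]
CLUSTER_ACLS = [Acl("User:launcher", CREATE_TOKENS, CLUSTER, "kafka-cluster")]
USER_ACLS = [Acl("User:launcher", CREATE_TOKENS, USER, "User:alice"),
             Acl("User:launcher", CREATE_TOKENS, USER, "User:bob")]

if __name__ == "__main__":
    print("cluster-wide:", reachable_owners(CLUSTER_ACLS, "User:launcher", PRINCIPALS, False))
    print("per-user:    ", reachable_owners(USER_ACLS, "User:launcher", PRINCIPALS, True))
```

In this model the cluster-wide grant lets `User:launcher` reach `User:admin` as well, which is the sense in which the grant is equivalent to superuser access; the per-user grant limits it to the two listed owners.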
