Hello,

I'd like to propose a suggestion to our resource patterns in Kafka ACLs.

Currently, when adding new ACLs in Kafka, we have two types of resource
patterns for topics:

   - LITERAL
   - PREFIXED

However, when it comes to listing or removing ACLs, we have a couple more
options:

   - MATCH
   - ANY (will match any pattern type)


If we can extend creating ACLs as well with the 'MATCH' pattern type, it would
be very beneficial. Even though this kind of ACL should be created with
utmost care, it will help organizations streamline their ACL management
processes.

Example scenarios:

Let's say we need to create ACLs for the following six topics:
nl-accounts-localtopic, nl-accounts-remotetopic, de-accounts-localtopic,
de-accounts-remotetopic, cz-accounts-localtopic, cz-accounts-remotetopic

Currently, we achieve this using existing functionality by creating three
prefixed ACLs as shown below:

kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal "User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" \
  --producer \
  --topic nl-accounts- \
  --resource-pattern-type prefixed


kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal "User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" \
  --producer \
  --topic de-accounts- \
  --resource-pattern-type prefixed


kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal "User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" \
  --producer \
  --topic cz-accounts- \
  --resource-pattern-type prefixed


However, if we had the 'MATCH' pattern type available, we could accomplish
this with a single ACL, as illustrated here:

kafka-acls --bootstrap-server localhost:9092 \
  --add \
  --allow-principal "User:CN=serviceuser,OU=ServiceUsers,O=Unknown,L=Unknown,ST=Unknown,C=Unknown" \
  --producer \
  --topic '*-accounts-*' \
  --resource-pattern-type match



This pattern closely resembles PREFIXED but offers broader allow/deny rules.

Implementing this change could significantly reduce the effort in several
ACL management processes.

I welcome your thoughts and any concerns you may have regarding this
proposal.

Thanks,
Murali
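
An added example, not part of the original message and not Kafka code: it compares which topics the three PREFIXED ACLs reach with which topics a single '*-accounts-*' ACL would reach. It assumes the proposed creatable MATCH type uses glob semantics, which the message does not specify, and every topic beyond the six named above is constructed.

```python
from fnmatch import fnmatchcase

# The six topics named in the message: the access that is actually intended.
INTENDED = {f"{cc}-accounts-{kind}" for cc in ("nl", "de", "cz")
            for kind in ("localtopic", "remotetopic")}

# Constructed cluster inventory: the intended topics plus hypothetical others.
TOPICS = sorted(INTENDED | {
    "fr-accounts-localtopic",    # another country, same naming scheme
    "audit-nl-accounts-export",  # different owner, "-accounts-" in the middle
    "nl-accounts-pii-dump",      # shares a prefix with an intended topic
    "nl-payments-localtopic",    # unrelated
})

def matches(pattern_type, name, topic):
    """Return True if an ACL resource pattern applies to the topic."""
    if pattern_type == "LITERAL":
        return name == "*" or name == topic   # "*" is Kafka's literal wildcard
    if pattern_type == "PREFIXED":
        return topic.startswith(name)
    if pattern_type == "MATCH":
        # ASSUMPTION: glob semantics for the proposed creatable MATCH type.
        return fnmatchcase(topic, name)
    raise ValueError(f"unknown pattern type: {pattern_type}")

def covered(acls, topics=TOPICS):
    """Topics to which at least one (pattern_type, name) ACL applies."""
    return {t for t in topics if any(matches(pt, n, t) for pt, n in acls)}

def over_grant(acls, intended=INTENDED, topics=TOPICS):
    """Topics the ACL set reaches beyond the intended ones."""
    return covered(acls, topics) - intended

CURRENT = [("PREFIXED", p) for p in ("nl-accounts-", "de-accounts-", "cz-accounts-")]
PROPOSED = [("MATCH", "*-accounts-*")]

if __name__ == "__main__":
    for label, acls in (("3 x PREFIXED", CURRENT), ("1 x MATCH", PROPOSED)):
        print(f"{label}: covers {len(covered(acls))} topics, "
              f"beyond intended: {sorted(over_grant(acls))}")
```

Running the same comparison against a real topic list before creating a broad ACL shows exactly which existing topics it would expose; topics created later that fit the pattern are covered automatically as well.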
