Hi Andrew, Sorry for the late reply and thanks for the feedback!
The original motivation behind this KIP is based on KAFKA-20144: that users who only have DESCRIBE on the cluster, but not DESCRIBE_CONFIGS were hitting the issue described in KAFKA-20111. And thanks for your fix and for proposing KAFKA-20144 to address this. That said, Chia-Ping and I found that handling both DESCRIBE and DESCRIBE_CONFIGS privileges in handleListConfigResources gets messy which is exactly why we proposed replacing DESCRIBE_CONFIGS with DESCRIBE there, to simplify the logic. If we revert to DESCRIBE_CONFIGS, we're essentially keeping the current implementation as-is - which, from my perspective, doesn't address the user experience problem that motivated KAFKA-20144 in the first place. Best, Kuan-Po Tseng On 2026/04/13 16:49:51 Andrew Schofield wrote: > Hi Kuan-Po Tseng, > This is probably going to be a tricky KIP. Trying to resolve historical > behaviour is always painful. > > I think the key here is to realise that this KIP is for listing the resources > which have configuration, and that's not the same as listing the resources. > The user is going to need DESCRIBE_CONFIGS on the specific topics and groups > in order to discover the configuration values themselves, so if this RPC > requires the same permission in order to list the resources for which they > can describe the configs, that seems OK to me. > > In KIP-1000, we require DESCRIBE_CONFIGS on the CLUSTER to find a list of the > client-metrics configs. > > In KIP-1142, there was no change and it's necessary to have DESCRIBE_CONFIGS > on the CLUSTER to list the resources of all supported types. > > If you look at the ListGroups RPC, the user can list all groups if they have > DESCRIBE on the CLUSTER. If they do not, they can only see the groups for > which they have DESCRIBE on the GROUP. > > For this KIP, why couldn't we do a similar thing? If the user has > DESCRIBE_CONFIGS on the CLUSTER, they can see all of the resources which have > configs. If they do not, they can only see the resources for which they have > specific DESCRIBE_CONFIGS. > > Thanks, > Andrew > > On 2026/04/06 15:28:17 Chia-Ping Tsai wrote: > > hi Viquar > > > > Thanks for updating the KIP numbers. This helps keep things organized. > > > > Best, > > Chia-Ping > > > > On 2026/04/06 05:53:06 vaquar khan wrote: > > > Hi Chia-Ping , > > > > > > As discussed I have updated my KIP with 1316 and 1317. > > > > > > Regards, > > > Viquar Khan > > > > > > On Mon, 6 Apr 2026 at 00:32, Chia-Ping Tsai <[email protected]> wrote: > > > > > > > hi Viquar > > > > > > > > > It is each owner’s responsibility to ensure their KIP number does not > > > > override an existing one. > > > > > > > > Just a gentle reminder that the process mentions we should "Update the > > > > next > > > > available KIP number below". You can find the details here: > > > > > > > > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=50859233#KafkaImprovementProposals-Process > > > > > > > > It is totally fine to have an occasional conflict with one KIP. > > > > However, it > > > > seems several KIPs were created without incrementing the number, which > > > > has > > > > unfortunately caused conflicts for several other contributors. > > > > > > > > Would you mind updating your KIP numbers instead? If you have any > > > > questions > > > > or concerns, please let me know. > > > > > > > > Best, > > > > Chia-Ping > > > > > > > > vaquar khan <[email protected]> 於 2026年4月6日週一 下午12:49寫道: > > > > > > > > > Hi Kaun, > > > > > > > > > > Please search(search box) the current KIP list to verify that your > > > > > assigned number does not already exist. If you find a conflict, check > > > > > the > > > > > creation dates; if your KIP was created later, please update it to a > > > > > unique, available number. > > > > > > > > > > It is each owner’s responsibility to ensure their KIP number does not > > > > > override an existing one. > > > > > > > > > > > > > > > Regards, > > > > > > > > > > Viquar Khan > > > > > > > > > > > > > > > On Sun, Apr 5, 2026, 11:24 PM Chia-Ping Tsai <[email protected]> > > > > > wrote: > > > > > > > > > > > hi all, > > > > > > > > > > > > Just a gentle reminder: please remember to increment the "Next KIP > > > > > Number" > > > > > > after taking a number. This will help avoid potential conflicts. > > > > > > > > > > > > Best, > > > > > > Chia-Ping > > > > > > > > > > > > Kuan-Po Tseng <[email protected]> 於 2026年4月6日週一 下午12:18寫道: > > > > > > > > > > > > > Hi Vaquar — I checked the Kafka Improvement Proposals > > > > > > > < > > > > > > > > > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals > > > > > > > > > > > > > > > page and don't see another KIP using 1298. > > > > > > > Could you pick the next available KIP number and update > > > > > > > accordingly? > > > > > > > > > > > > > > On Mon, Apr 6, 2026 at 12:10 PM vaquar khan > > > > > > > <[email protected]> > > > > > > wrote: > > > > > > > > > > > > > > > Could you please correct Kip 1298 , we already have same no , I > > > > > created > > > > > > > few > > > > > > > > weeks back. > > > > > > > > > > > > > > > > > > > > > > > > Regards, > > > > > > > > Viquar Kha > > > > > > > > > > > > > > > > On Sun, Apr 5, 2026, 10:34 PM Kuan Po Tseng > > > > > > > > <[email protected]> > > > > > > > wrote: > > > > > > > > > > > > > > > > > Thanks again for the input! > > > > > > > > > > > > > > > > > > chia_01: Sure, we can add a debug message on the server side > > > > > > > > > when > > > > > > > > response > > > > > > > > > is empty and using v2 with only DESCRIBE_CONFIGS on CLUSTER > > > > > > > > > and > > > > > > > DESCRIBE > > > > > > > > on > > > > > > > > > CLUSTER not set. Additionally, I think it would be helpful to > > > > add a > > > > > > > > warning > > > > > > > > > message in ConfigCommand when the LIST_CONFIG_RESOURCE API > > > > response > > > > > > is > > > > > > > > > empty, to let users know they may need to update their ACL. > > > > > > > > > > > > > > > > > > On 2026/04/05 08:55:06 Chia-Ping Tsai wrote: > > > > > > > > > > chia_01: Regarding the migration plan, I have a concern > > > > > > > > > > about > > > > > > > potential > > > > > > > > > user confusion. Since clients using v2 with only > > > > > > > > > DESCRIBE_CONFIGS > > > > > > will > > > > > > > > > receive an empty response rather than an authorization error, > > > > this > > > > > > > silent > > > > > > > > > failure might be very hard to debug. Should we consider > > > > > > > > > logging a > > > > > > > warning > > > > > > > > > message in this specific scenario to help users identify the > > > > > missing > > > > > > > > > DESCRIBE ACL? > > > > > > > > > > > > > > > > > > > > On 2026/04/05 03:48:16 Kuan-Po Tseng wrote: > > > > > > > > > > > Thanks for the feedback, Chia-Ping! > > > > > > > > > > > > > > > > > > > > > > chia_00: That's a fair point. I'm a bit hesitant to handle > > > > > > > > > DESCRIBE_CONFIGS > > > > > > > > > > > in handleTopicMetadataRequest and handleListGroupsRequest, > > > > > > > > > > > since those APIs return more than just names. Exposing > > > > > > topic/group > > > > > > > > > names > > > > > > > > > > > based on a config-oriented permission feels semantically > > > > > > > misaligned, > > > > > > > > > > > and I'm not sure it adds much value. > > > > > > > > > > > Another approach worth considering: we could bump the API > > > > > version > > > > > > > of > > > > > > > > > > > LIST_CONFIG_RESOURCES and switch to DESCRIBE instead of > > > > > > > > > > > DESCRIBE_CONFIGS, aligning it with other resource-related > > > > APIs. > > > > > > > > > > > > > > > > > > > > > > I’ll update the KIP later, and would love to hear others' > > > > > > thoughts > > > > > > > on > > > > > > > > > this! > > > > > > > > > > > > > > > > > > > > > > On Sun, Apr 5, 2026 at 12:52 AM Chia-Ping Tsai < > > > > > > > [email protected]> > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > chia_00: For the sake of consistency, if we permit > > > > > > > DESCRIBE_CONFIGS > > > > > > > > > to > > > > > > > > > > > > expose topic and group names in LIST_CONFIG_RESOURCES, > > > > should > > > > > > we > > > > > > > > > also align > > > > > > > > > > > > handleTopicMetadataRequest and handleListGroupsRequest? > > > > > > > Currently, > > > > > > > > > they > > > > > > > > > > > > strictly require DESCRIBE. > > > > > > > > > > > > > > > > > > > > > > > > On 2026/04/04 16:40:08 Kuan-Po Tseng wrote: > > > > > > > > > > > > > Hello everyone, > > > > > > > > > > > > > > > > > > > > > > > > > > I would like to start a discussion thread on KIP-1298 > > > > which > > > > > > > fixes > > > > > > > > > an > > > > > > > > > > > > > authorization inconsistency in LIST_CONFIG_RESOURCES. > > > > Today > > > > > > the > > > > > > > > RPC > > > > > > > > > > > > > requires DESCRIBE_CONFIGS on CLUSTER for all resource > > > > > types, > > > > > > > > which > > > > > > > > > is > > > > > > > > > > > > > stricter than comparable RPCs like LIST_GROUPS and > > > > > METADATA. > > > > > > > The > > > > > > > > > > > > practical > > > > > > > > > > > > > impact is that `kafka-configs.sh --describe > > > > > > > > > > > > > --entity-type > > > > > > > groups` > > > > > > > > > > > > silently > > > > > > > > > > > > > returns incomplete results for users holding DESCRIBE > > > > > > > > > > > > > but > > > > > not > > > > > > > > > > > > > DESCRIBE_CONFIGS on CLUSTER. > > > > > > > > > > > > > > > > > > > > > > > > > > More details, please check > > > > > > > > > > > > > https://cwiki.apache.org/confluence/x/ZJI8G > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > Kuan-Po Tseng > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
