hi Kuan-Po To me, the simplest fix for now is to strictly redefine the behavior of listConfigResources so that it only returns resource names that actually have custom configs. This makes the DESCRIBE_CONFIGS requirement logically sound. In short, I'm not strictly bound to pushing for the DESCRIBE permission, as long as the API's behavior aligns with the permission semantics
Kuan Po Tseng <[email protected]> 於 2026年4月19日週日 下午11:39寫道: > Hi Andrew, > > Sorry for the late reply and thanks for the feedback! > > The original motivation behind this KIP is based on KAFKA-20144: that > users who only have DESCRIBE on the cluster, but not DESCRIBE_CONFIGS were > hitting the issue described in KAFKA-20111. And thanks for your fix and for > proposing KAFKA-20144 to address this. > > That said, Chia-Ping and I found that handling both DESCRIBE and > DESCRIBE_CONFIGS privileges in handleListConfigResources gets messy which > is exactly why we proposed replacing DESCRIBE_CONFIGS with DESCRIBE there, > to simplify the logic. > > If we revert to DESCRIBE_CONFIGS, we're essentially keeping the current > implementation as-is - which, from my perspective, doesn't address the user > experience problem that motivated KAFKA-20144 in the first place. > > Best, > Kuan-Po Tseng > > On 2026/04/13 16:49:51 Andrew Schofield wrote: > > Hi Kuan-Po Tseng, > > This is probably going to be a tricky KIP. Trying to resolve historical > behaviour is always painful. > > > > I think the key here is to realise that this KIP is for listing the > resources which have configuration, and that's not the same as listing the > resources. The user is going to need DESCRIBE_CONFIGS on the specific > topics and groups in order to discover the configuration values themselves, > so if this RPC requires the same permission in order to list the resources > for which they can describe the configs, that seems OK to me. > > > > In KIP-1000, we require DESCRIBE_CONFIGS on the CLUSTER to find a list > of the client-metrics configs. > > > > In KIP-1142, there was no change and it's necessary to have > DESCRIBE_CONFIGS on the CLUSTER to list the resources of all supported > types. > > > > If you look at the ListGroups RPC, the user can list all groups if they > have DESCRIBE on the CLUSTER. If they do not, they can only see the groups > for which they have DESCRIBE on the GROUP. > > > > For this KIP, why couldn't we do a similar thing? If the user has > DESCRIBE_CONFIGS on the CLUSTER, they can see all of the resources which > have configs. If they do not, they can only see the resources for which > they have specific DESCRIBE_CONFIGS. > > > > Thanks, > > Andrew > > > > On 2026/04/06 15:28:17 Chia-Ping Tsai wrote: > > > hi Viquar > > > > > > Thanks for updating the KIP numbers. This helps keep things organized. > > > > > > Best, > > > Chia-Ping > > > > > > On 2026/04/06 05:53:06 vaquar khan wrote: > > > > Hi Chia-Ping , > > > > > > > > As discussed I have updated my KIP with 1316 and 1317. > > > > > > > > Regards, > > > > Viquar Khan > > > > > > > > On Mon, 6 Apr 2026 at 00:32, Chia-Ping Tsai <[email protected]> > wrote: > > > > > > > > > hi Viquar > > > > > > > > > > > It is each owner’s responsibility to ensure their KIP number > does not > > > > > override an existing one. > > > > > > > > > > Just a gentle reminder that the process mentions we should "Update > the next > > > > > available KIP number below". You can find the details here: > > > > > > > > > > > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=50859233#KafkaImprovementProposals-Process > > > > > > > > > > It is totally fine to have an occasional conflict with one KIP. > However, it > > > > > seems several KIPs were created without incrementing the number, > which has > > > > > unfortunately caused conflicts for several other contributors. > > > > > > > > > > Would you mind updating your KIP numbers instead? If you have any > questions > > > > > or concerns, please let me know. > > > > > > > > > > Best, > > > > > Chia-Ping > > > > > > > > > > vaquar khan <[email protected]> 於 2026年4月6日週一 下午12:49寫道: > > > > > > > > > > > Hi Kaun, > > > > > > > > > > > > Please search(search box) the current KIP list to verify that > your > > > > > > assigned number does not already exist. If you find a conflict, > check the > > > > > > creation dates; if your KIP was created later, please update it > to a > > > > > > unique, available number. > > > > > > > > > > > > It is each owner’s responsibility to ensure their KIP number > does not > > > > > > override an existing one. > > > > > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > Viquar Khan > > > > > > > > > > > > > > > > > > On Sun, Apr 5, 2026, 11:24 PM Chia-Ping Tsai <[email protected]> > wrote: > > > > > > > > > > > > > hi all, > > > > > > > > > > > > > > Just a gentle reminder: please remember to increment the "Next > KIP > > > > > > Number" > > > > > > > after taking a number. This will help avoid potential > conflicts. > > > > > > > > > > > > > > Best, > > > > > > > Chia-Ping > > > > > > > > > > > > > > Kuan-Po Tseng <[email protected]> 於 2026年4月6日週一 下午12:18寫道: > > > > > > > > > > > > > > > Hi Vaquar — I checked the Kafka Improvement Proposals > > > > > > > > < > > > > > > > > > > > > > > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals > > > > > > > > > > > > > > > > > page and don't see another KIP using 1298. > > > > > > > > Could you pick the next available KIP number and update > accordingly? > > > > > > > > > > > > > > > > On Mon, Apr 6, 2026 at 12:10 PM vaquar khan < > [email protected]> > > > > > > > wrote: > > > > > > > > > > > > > > > > > Could you please correct Kip 1298 , we already have same > no , I > > > > > > created > > > > > > > > few > > > > > > > > > weeks back. > > > > > > > > > > > > > > > > > > > > > > > > > > > Regards, > > > > > > > > > Viquar Kha > > > > > > > > > > > > > > > > > > On Sun, Apr 5, 2026, 10:34 PM Kuan Po Tseng < > [email protected]> > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > Thanks again for the input! > > > > > > > > > > > > > > > > > > > > chia_01: Sure, we can add a debug message on the server > side when > > > > > > > > > response > > > > > > > > > > is empty and using v2 with only DESCRIBE_CONFIGS on > CLUSTER and > > > > > > > > DESCRIBE > > > > > > > > > on > > > > > > > > > > CLUSTER not set. Additionally, I think it would be > helpful to > > > > > add a > > > > > > > > > warning > > > > > > > > > > message in ConfigCommand when the LIST_CONFIG_RESOURCE > API > > > > > response > > > > > > > is > > > > > > > > > > empty, to let users know they may need to update their > ACL. > > > > > > > > > > > > > > > > > > > > On 2026/04/05 08:55:06 Chia-Ping Tsai wrote: > > > > > > > > > > > chia_01: Regarding the migration plan, I have a > concern about > > > > > > > > potential > > > > > > > > > > user confusion. Since clients using v2 with only > DESCRIBE_CONFIGS > > > > > > > will > > > > > > > > > > receive an empty response rather than an authorization > error, > > > > > this > > > > > > > > silent > > > > > > > > > > failure might be very hard to debug. Should we consider > logging a > > > > > > > > warning > > > > > > > > > > message in this specific scenario to help users identify > the > > > > > > missing > > > > > > > > > > DESCRIBE ACL? > > > > > > > > > > > > > > > > > > > > > > On 2026/04/05 03:48:16 Kuan-Po Tseng wrote: > > > > > > > > > > > > Thanks for the feedback, Chia-Ping! > > > > > > > > > > > > > > > > > > > > > > > > chia_00: That's a fair point. I'm a bit hesitant to > handle > > > > > > > > > > DESCRIBE_CONFIGS > > > > > > > > > > > > in handleTopicMetadataRequest and > handleListGroupsRequest, > > > > > > > > > > > > since those APIs return more than just names. > Exposing > > > > > > > topic/group > > > > > > > > > > names > > > > > > > > > > > > based on a config-oriented permission feels > semantically > > > > > > > > misaligned, > > > > > > > > > > > > and I'm not sure it adds much value. > > > > > > > > > > > > Another approach worth considering: we could bump > the API > > > > > > version > > > > > > > > of > > > > > > > > > > > > LIST_CONFIG_RESOURCES and switch to DESCRIBE instead > of > > > > > > > > > > > > DESCRIBE_CONFIGS, aligning it with other > resource-related > > > > > APIs. > > > > > > > > > > > > > > > > > > > > > > > > I’ll update the KIP later, and would love to hear > others' > > > > > > > thoughts > > > > > > > > on > > > > > > > > > > this! > > > > > > > > > > > > > > > > > > > > > > > > On Sun, Apr 5, 2026 at 12:52 AM Chia-Ping Tsai < > > > > > > > > [email protected]> > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > chia_00: For the sake of consistency, if we permit > > > > > > > > DESCRIBE_CONFIGS > > > > > > > > > > to > > > > > > > > > > > > > expose topic and group names in > LIST_CONFIG_RESOURCES, > > > > > should > > > > > > > we > > > > > > > > > > also align > > > > > > > > > > > > > handleTopicMetadataRequest and > handleListGroupsRequest? > > > > > > > > Currently, > > > > > > > > > > they > > > > > > > > > > > > > strictly require DESCRIBE. > > > > > > > > > > > > > > > > > > > > > > > > > > On 2026/04/04 16:40:08 Kuan-Po Tseng wrote: > > > > > > > > > > > > > > Hello everyone, > > > > > > > > > > > > > > > > > > > > > > > > > > > > I would like to start a discussion thread on > KIP-1298 > > > > > which > > > > > > > > fixes > > > > > > > > > > an > > > > > > > > > > > > > > authorization inconsistency in > LIST_CONFIG_RESOURCES. > > > > > Today > > > > > > > the > > > > > > > > > RPC > > > > > > > > > > > > > > requires DESCRIBE_CONFIGS on CLUSTER for all > resource > > > > > > types, > > > > > > > > > which > > > > > > > > > > is > > > > > > > > > > > > > > stricter than comparable RPCs like LIST_GROUPS > and > > > > > > METADATA. > > > > > > > > The > > > > > > > > > > > > > practical > > > > > > > > > > > > > > impact is that `kafka-configs.sh --describe > --entity-type > > > > > > > > groups` > > > > > > > > > > > > > silently > > > > > > > > > > > > > > returns incomplete results for users holding > DESCRIBE but > > > > > > not > > > > > > > > > > > > > > DESCRIBE_CONFIGS on CLUSTER. > > > > > > > > > > > > > > > > > > > > > > > > > > > > More details, please check > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/x/ZJI8G > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > Kuan-Po Tseng > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
