Hi Michael,

Thanks for taking the time to review. Currently I did not plan on adding
“Deny”, but I guess it can’t hurt, except that adding more constructs would
probably make the ACLs more complex.

When a topic is created with no ACLs provided, I was planning to add a
default ACL which would allow access to everyone from all hosts.

I am assuming you are referring to principal in Acl, and ACLs were supposed
to be provided in property files, stored in zk, so I thought it is better
to just refer to a string. We will always be using
session.principal.getName to get the actual principal name.

Thanks
Parth

On 3/18/15, 2:20 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID>
wrote:

>Hi Parth,
>
>Thanks! A few questions:
>
>1. Do you want to permit rules in your ACLs that DENY access as well as
>ALLOW? This can be handy setting up rules that have exceptions. E.g.
>“Allow principal P to READ resource R from all hosts” with “Deny principal
>P READ access to resource R from host H1” in combination would allow P to
>READ R from all hosts *except* H1.
>
>2. When a topic is newly created, will there be an ACL created for it? If
>not, would that not deny subsequent access to it?
>
>(nit) Maybe use Principal instead of String to represent principals?
>
>
>On 3/9/15, 11:48 AM, "Don Bosco Durai" <bo...@apache.org> wrote:
>
>>Parth
>>
>>Overall it is looking good. Couple of questions…
>>
>>- Can you give an example how the policies will look like in the default
>>implementation?
>>- In the operations, can we support “CONNECT” also? This can be used
>>during Session connection
>>- Regarding access control for “Topic Creation”, since we can’t do it on
>>the server side, can we de-scope it for? And plan it as a future feature
>>request?
>>
>>Thanks
>>
>>Bosco
>>
>> 
>>
>>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote:
>>
>>>Hi Parth,
>>>Thanks for putting this together. Overall it looks good to
>>>me. Although AdminUtils is a concern KIP-4 can probably fix
>>>that part.
>>>Thanks,
>>>Harsha
>>>
>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote:
>>>> Forgot to add links to wiki and jira.
>>>> 
>>>> Link to wiki:
>>>> 
>>>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
>>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
>>>> 
>>>> Thanks
>>>> Parth
>>>> 
>>>> From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>>>> Date: Thursday, March 5, 2015 at 10:33 AM
>>>> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>>> 
>>>> Hi,
>>>> 
>>>> KIP-11 is open for discussion, I have updated the wiki with the design
>>>> and open questions.
>>>> 
>>>> Thanks
>>>> Parth
>>
>>
>
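
The allow/deny combination from Michael's question 1 and the default ACL for a new topic described in the reply, as an added example that is not code from the thread or from Kafka. The names `Acl`, `authorize`, `TopicAcls` and the `*` wildcard are hypothetical; that a matching Deny overrides any Allow, that the default ACL covers every operation, and that an empty ACL list denies are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

WILDCARD = "*"  # hypothetical wildcard for "any principal / operation / host"

class Effect(Enum):
    ALLOW = "Allow"
    DENY = "Deny"

@dataclass(frozen=True)
class Acl:
    principal: str  # plain string, compared against the session principal's name
    effect: Effect
    operation: str
    host: str

def default_acls():
    # Default proposed in the thread: access for everyone from all hosts.
    # Covering all operations is an assumption of this sketch.
    return [Acl(WILDCARD, Effect.ALLOW, WILDCARD, WILDCARD)]

def _matches(acl, principal, operation, host):
    return (acl.principal in (WILDCARD, principal)
            and acl.operation in (WILDCARD, operation)
            and acl.host in (WILDCARD, host))

def authorize(acls, principal, operation, host):
    """Return True only if some Allow matches and no Deny matches."""
    matching = [a for a in acls if _matches(a, principal, operation, host)]
    if any(a.effect is Effect.DENY for a in matching):
        return False  # assumed precedence: an exception rule always wins
    return any(a.effect is Effect.ALLOW for a in matching)

class TopicAcls:
    """In-memory stand-in for per-topic ACL storage."""
    def __init__(self):
        self._by_topic = {}

    def create_topic(self, topic, acls=None):
        # No ACLs supplied: install the allow-everyone default rather than
        # an empty list, which would deny every later request.
        self._by_topic[topic] = list(acls) if acls else default_acls()

    def authorize(self, topic, principal, operation, host):
        # Unknown topic has no rules, so the request is denied.
        return authorize(self._by_topic.get(topic, []), principal, operation, host)

# Constructed sample: "P may READ R from all hosts except H1".
SAMPLE_R = [Acl("P", Effect.ALLOW, "READ", WILDCARD),
            Acl("P", Effect.DENY, "READ", "H1")]
```

The order of the rules in `SAMPLE_R` does not matter here, because the Deny check runs over all matching rules before any Allow is considered.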
