[ 
https://issues.apache.org/jira/browse/KAFKA-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222443#comment-15222443
 ] 

Ashish K Singh commented on KAFKA-3469:
---------------------------------------

Copying some relevant info from KIP-38 discuss thread.
{quote}
> > Thanks for the clarification on that, Jun. Obviously, we haven't been doing
> > much with ZK authentication around here yet. There is still a small concern
> > there, mostly in that you should not share credentials any more than is
> > necessary, which would argue for being able to use a different ACL than the
> > default. I don't really like the idea of having to use the exact same
> > credentials for executing the admin tools as we do for running the brokers.
> > Given that we don't need to share the credentials with all consumers, I
> > think we can work around it.
> >
>
> Let me add that a feature to separate the sub-trees of users sharing an
> ensemble is chroot.
>
> On different credentials for admin tools, this sounds doable by setting
> the ACLs of znodes. For example, there could be an admin id and a broker
> id, both with the ability of changing znodes, but different credentials.
> Would something like that work for you?
>

It would be a nice option to have, as the credentials can be protected
differently. I would consider this a nice to have, and not an "absolutely
must have" feature at this point.
{quote}

[~fpj] if I am correct, this is what you are referring to, right?

> kafka-topics lock down znodes with user principal when zk security is enabled.
> ------------------------------------------------------------------------------
>
>                 Key: KAFKA-3469
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3469
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ashish K Singh
>            Assignee: Ashish K Singh
>
> In envs where ZK is kerberized, if a user, other than user running kafka 
> processes, creates a topic, ZkUtils will lock down corresponding znodes for 
> the user. Kafka will not be able to modify those znodes and that leaves the 
> topic unusable.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
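
The lock-out in the issue description and the separate admin and broker ids suggested in the quoted thread, modelled as an added example (not code from Kafka, ZooKeeper, or anyone in this thread): a simplified ZooKeeper ACL check in Python. The principals `kafka` and `topicadmin`, the world-readable entry, and the helper names are assumptions made for illustration.

```python
# Simplified model of ZooKeeper's per-znode ACL check.
# Permission bits follow ZooKeeper's READ/WRITE/CREATE/DELETE/ADMIN values.
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN

def allowed(acl, session_ids, perm):
    """acl: list of (scheme, id, perms) on the znode.
    session_ids: set of (scheme, id) the client session authenticated as.
    An operation passes if any ACL entry grants perm to world:anyone
    or to one of the session's ids."""
    for scheme, ident, perms in acl:
        if not perms & perm:
            continue
        if (scheme, ident) == ("world", "anyone") or (scheme, ident) in session_ids:
            return True
    return False

def creator_only_acl(creator):
    """ACL where only the creating principal may modify the znode.
    The world-readable entry is an assumption of this model."""
    return [("sasl", creator, ALL), ("world", "anyone", READ)]

def shared_acl(principals):
    """ACL granting full rights to several distinct ids, e.g. an admin id
    and a broker id that each keep their own credentials."""
    return [("sasl", p, ALL) for p in principals] + [("world", "anyone", READ)]

# Constructed principals: the broker's id and a tool user's id.
BROKER = {("sasl", "kafka")}
TOOL_USER = {("sasl", "topicadmin")}

def demo():
    locked = creator_only_acl("topicadmin")        # topic znode created by the tool user
    shared = shared_acl(["kafka", "topicadmin"])   # admin id + broker id
    return {
        "locked_broker_read": allowed(locked, BROKER, READ),
        "locked_broker_write": allowed(locked, BROKER, WRITE),
        "locked_tool_write": allowed(locked, TOOL_USER, WRITE),
        "shared_broker_write": allowed(shared, BROKER, WRITE),
        "shared_tool_write": allowed(shared, TOOL_USER, WRITE),
        "shared_anon_write": allowed(shared, set(), WRITE),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```
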
