[ https://issues.apache.org/jira/browse/KAFKA-3469?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15222443#comment-15222443 ]
Ashish K Singh commented on KAFKA-3469:
---------------------------------------

Copying some relevant info from KIP-38 discuss thread.

{quote}
> > Thanks for the clarification on that, Jun. Obviously, we haven't been doing
> > much with ZK authentication around here yet. There is still a small concern
> > there, mostly in that you should not share credentials any more than is
> > necessary, which would argue for being able to use a different ACL than the
> > default. I don't really like the idea of having to use the exact same
> > credentials for executing the admin tools as we do for running the brokers.
> > Given that we don't need to share the credentials with all consumers, I
> > think we can work around it.
> >
>
> Let me add that a feature to separate the sub-trees of users sharing an
> ensemble is chroot.
>
> On different credentials for admin tools, this sounds doable by setting
> the ACLs of znodes. For example, there could be an admin id and a broker
> id, both with the ability of changing znodes, but different credentials.
> Would something like that work for you?
>

It would be a nice option to have, as the credentials can be protected
differently. I would consider this a nice to have, and not an "absolutely
must have" feature at this point.
{quote}

[~fpj] if I am correct, this is what you are referring to, right?

> kafka-topics lock down znodes with user principal when zk security is enabled.
> ------------------------------------------------------------------------------
>
>                 Key: KAFKA-3469
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3469
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ashish K Singh
>            Assignee: Ashish K Singh
>
> In envs where ZK is kerberized, if a user, other than user running kafka
> processes, creates a topic, ZkUtils will lock down corresponding znodes for
> the user. Kafka will not be able to modify those znodes and that leaves the
> topic unusable.
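
The lock-down described in the issue and the two-id ACL proposed in the quoted thread, as an added example that is not part of the original message and is not ZooKeeper or Kafka code. It is a simplified model of znode ACL evaluation; the principal names, topic paths, and the assumed secure default (creator gets ALL, everyone else READ) are assumptions for illustration.

```python
# Simplified model of ZooKeeper znode ACL checks (illustrative, not project code).
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16  # ZooKeeper permission bits
ALL = READ | WRITE | CREATE | DELETE | ADMIN

def creator_all_plus_world_read(creator):
    """Assumed secure default: the creating principal gets ALL, anyone gets READ."""
    return [("sasl", creator, ALL), ("world", "anyone", READ)]

def shared_acl(*principals):
    """Option from the thread: several ids, each with ALL, plus world READ."""
    return [("sasl", p, ALL) for p in principals] + [("world", "anyone", READ)]

def allowed(acl, principal, perm):
    """True if some ACL entry matching the session grants every bit in perm."""
    for scheme, ident, perms in acl:
        matches = scheme == "world" or (scheme == "sasl" and ident == principal)
        if matches and perms & perm == perm:
            return True
    return False

def audit(znodes, required_principal, perm=WRITE):
    """Return the paths the required principal cannot modify (unusable topics)."""
    return sorted(path for path, acl in znodes.items()
                  if not allowed(acl, required_principal, perm))

# Constructed sample tree: principal and topic names are hypothetical.
ZNODES = {
    "/brokers/topics/by-broker": creator_all_plus_world_read("kafka"),
    "/brokers/topics/by-user": creator_all_plus_world_read("alice"),
    "/brokers/topics/shared": shared_acl("kafka", "kafka-admin"),
}

if __name__ == "__main__":
    print("znodes the broker cannot modify:", audit(ZNODES, "kafka"))
    print("znodes the admin id cannot modify:", audit(ZNODES, "kafka-admin"))
```

The same audit logic can be applied to real `getAcl` output to find topic znodes whose ACL omits the broker principal.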