Hey Vahid, Thanks for the KIP. If I understand the you correctly, you want client to be able to list all the groups for which it currently has the describe access.
As of now the ListGroupRequest does not allow user to specify the group. If user does not have the Describe Cluster access, ListGroupResponse will return error. This KIP proposes to change the semantics of ListGroupsResponse such that ListGroupResponse will return the subset of groups for which the user has the Describe access. And if the does not have Describe access to any group, ListGroupResponse will return an empty list with no error. In my opinion this changes the semantics of ListGroupsResponse in a counter-intuitive way. Usually we use the ACL to determine whether the operation on the specified object can be performed or not. The response should provide either an error message or the result for the specified object. I couldn't remember a case where the ACL is used to filter the result without providing error. Do you think this could be a problem for this KIP? Thanks, Dong On Wed, Nov 29, 2017 at 3:18 PM, Vahid S Hashemian < vahidhashem...@us.ibm.com> wrote: > Completing the subject line :) > > > > From: "Vahid S Hashemian" <vahidhashem...@us.ibm.com> > To: dev <dev@kafka.apache.org> > Date: 11/29/2017 03:17 PM > Subject: [DISCUSS] KIP-231: > > > > Hi everyone, > > I started KIP-231 to propose a small change to the required ACL of > ListGroups API (in response to KAFKA-5638): > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.a > pache.org_confluence_display_KAFKA_KIP-2D231-253A-2BImprove- > 2Bthe-2BRequired-2BACL-2Bof-2BListGroups-2BAPI&d=DwIFAg&c= > jf_iaSHvJObTbx-siA1ZOg&r=Q_itwloTQj3_xUKl7Nzswo6KE4Nj-kjJ > c7uSVcviKUc&m=XjHVTsIl7t-z0NBesB0U-ptMMm6mmpy3UqS8TjJM5yM&s= > eu378oaLvC0Wzbfcz15Rwo4nqdrO11ENLK6v9Kq9Z6w&e= > > Your feedback and suggestions are welcome! > > Thanks. > --Vahid > > > > > > >
