Hey Rajini, good work on the KIP!
I'm personally not thrilled with piggy-backing the authorized_operations on existing APIs; it seems like a mix of concerns. Since there is already the notion of generic ResourceType, ResourceName tuples in the Admin API, I believe it would make more sense to add a new Admin protocol request to retrieve this information, which gives consistency and future-proofness when adding new resource types.

It would be useful to see, or link to, the full list of operations.

Small nit: the MetadataResponse is missing the per-topic authorized_operation in the field listing, or am I confusing it with the cluster level authorized_operation?

Thanks,
Magnus

On Wed, 13 Feb 2019 at 11:17, Satish Duggana <satish.dugg...@gmail.com> wrote:

> Hi Rajini,
> Thanks for the KIP.
> KIP proposes to add a new field called `authorized_operations` which
> is an array of Byte values. I guess these are APIKeys#id for
> respective operations. Do you plan to have an array of ids or an array
> of respective ApiKeys enum values in
> MetadataResponse/DescribeGroupsResponse classes?
>
> Thanks,
> Satish.
>
> On Wed, Feb 13, 2019 at 12:33 AM Rajini Sivaram <rajinisiva...@gmail.com>
> wrote:
> >
> > Hi all,
> >
> > I have created a KIP to optionally request authorised operations on
> > resources when describing resources:
> >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-430+-+Return+Authorized+Operations+in+Describe+Responses
> >
> > This includes only information that users with Describe access can obtain
> > using other means and hence is consistent with our security model. It is
> > intended to make it easier for clients to obtain this information.
> >
> > Feedback and suggestions welcome.
> >
> > Thank you,
> >
> > Rajini