Hi Rajini, Thanks for the KIP!
The KIP specifies that "Authorized operations will be returned as [an] INT8 consistent with [the] AclOperation used in ACL requests and responses." But there may be more than one AclOperation that is applied to a given resource. For example, a principal may have both READ and WRITE permission on a topic. One option for representing this would be a bitfield. A 32-bit bitfield could have the appropriate bits set. For example, if READ and WRITE operations were permitted, bits 3 and 4 could be set. Another thing to think about here is that certain AclOperations imply certain others. For example, having WRITE on a topic gives you DESCRIBE on that topic as well automatically. Does that mean that a topic with WRITE on it should automatically get DESCRIBE set in the bitfield? I would argue that the answer is yes, for consistency's sake. We will inevitably add new AclOperations over time, and we have to think about how to do this in a compatible way. The simplest approach would be to just leave out the new AclOperations when a describe request comes in from an older version client. This should be spelled out in the compatibility section. best, Colin On Thu, Feb 21, 2019, at 02:28, Rajini Sivaram wrote: > I would like to start vote on KIP-430 to optionally obtain authorized > operations when describing resources: > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-430+-+Return+Authorized+Operations+in+Describe+Responses > > Thank you, > > Rajini >
