Hi Rajini,

Thanks for the KIP!

The KIP specifies that "Authorized operations will be returned as [an] INT8 
consistent with [the] AclOperation used in ACL requests and responses."  But 
there may be more than one AclOperation that is applied to a given resource.  
For example, a principal may have both READ and WRITE permission on a topic.

One option for representing this would be a bitfield.  A 32-bit bitfield could 
have the appropriate bits set.  For example, if READ and WRITE operations were 
permitted, bits 3 and 4 could be set.

Another thing to think about here is that certain AclOperations imply certain 
others.  For example, having WRITE on a topic gives you DESCRIBE on that topic 
as well automatically.  Does that mean that a topic with WRITE on it should 
automatically get DESCRIBE set in the bitfield?  I would argue that the answer 
is yes, for consistency's sake.

We will inevitably add new AclOperations over time, and we have to think about 
how to do this in a compatible way.  The simplest approach would be to just 
leave out the new AclOperations when a describe request comes in from an older 
version client.  This should be spelled out in the compatibility section.

best,
Colin


On Thu, Feb 21, 2019, at 02:28, Rajini Sivaram wrote:
> I would like to start a vote on KIP-430 to optionally obtain authorized
> operations when describing resources:
> 
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-430+-+Return+Authorized+Operations+in+Describe+Responses
> 
> Thank you,
> 
> Rajini
>
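
The bitfield encoding, implied operations and old-client masking discussed in the message above, sketched as an added Java example; it is not part of the thread, the KIP or Kafka's own code. The operation codes follow Kafka's AclOperation enum, the implication rules beyond "WRITE implies DESCRIBE" are taken from the behaviour of Kafka's default authorizer, and `forClient` with its `maxKnownCode` parameter is a hypothetical helper.

```java
import java.util.EnumSet;
import java.util.Set;

public class AuthorizedOpsBitfield {
    // Codes mirror Kafka's AclOperation enum (subset; UNKNOWN/ANY/ALL omitted).
    enum Op {
        READ(3), WRITE(4), CREATE(5), DELETE(6), ALTER(7), DESCRIBE(8),
        DESCRIBE_CONFIGS(10), ALTER_CONFIGS(11), IDEMPOTENT_WRITE(12);
        final int code;
        Op(int code) { this.code = code; }
    }

    // Add the operations implied by the granted ones, so the bitfield reports
    // what the principal can actually do, not only the literal ACL entries.
    static Set<Op> withImplied(Set<Op> granted) {
        Set<Op> ops = EnumSet.noneOf(Op.class);
        ops.addAll(granted);
        if (ops.contains(Op.READ) || ops.contains(Op.WRITE)
                || ops.contains(Op.DELETE) || ops.contains(Op.ALTER)) {
            ops.add(Op.DESCRIBE);
        }
        if (ops.contains(Op.ALTER_CONFIGS)) {
            ops.add(Op.DESCRIBE_CONFIGS);
        }
        return ops;
    }

    // Bit n of the 32-bit field is set when the operation with code n is authorized.
    static int encode(Set<Op> granted) {
        int bits = 0;
        for (Op op : withImplied(granted)) {
            bits |= 1 << op.code;
        }
        return bits;
    }

    // Hypothetical helper: clear bits for operations newer than the highest
    // code the requesting client version knows about.
    static int forClient(int bits, int maxKnownCode) {
        int mask = (maxKnownCode >= 31) ? -1 : (1 << (maxKnownCode + 1)) - 1;
        return bits & mask;
    }

    public static void main(String[] args) {
        // Constructed grant: READ, WRITE and IDEMPOTENT_WRITE; DESCRIBE is implied.
        int bits = encode(EnumSet.of(Op.READ, Op.WRITE, Op.IDEMPOTENT_WRITE));
        System.out.println("full field:       " + Integer.toBinaryString(bits));
        // Constructed case: a client that only knows codes up to ALTER_CONFIGS (11).
        System.out.println("for older client: " + Integer.toBinaryString(forClient(bits, 11)));
    }
}
```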
