Hi Colin, Thanks for the review. Sorry I meant that an array of INT8's, each of which is an AclOperation code will be returned. I have clarified that in the KIP.
All permitted operations will be returned from the set of supported operations on each resource. This is regardless of whether the access was implicitly or explicitly granted. Have clarified that in the KIP. Since the values returned are INT8 codes, clients can simply ignore any they don't recognize. Java clients convert these into AclOperation.UNKNOWN. That way we don't need to update Metadata/describe request versions when new operations are added to a resource. This is consistent with DescribeAcls behaviour. Have added this to the compatibility section of the KIP. Thank you, Rajini On Fri, Feb 22, 2019 at 6:46 PM Colin McCabe <cmcc...@apache.org> wrote: > Hi Rajini, > > Thanks for the KIP! > > The KIP specifies that "Authorized operations will be returned as [an] > INT8 consistent with [the] AclOperation used in ACL requests and > responses." But there may be more than one AclOperation that is applied to > a given resource. For example, a principal may have both READ and WRITE > permission on a topic. > > One option for representing this would be a bitfield. A 32-bit bitfield > could have the appropriate bits set. For example, if READ and WRITE > operations were permitted, bits 3 and 4 could be set. > > Another thing to think about here is that certain AclOperations imply > certain others. For example, having WRITE on a topic gives you DESCRIBE on > that topic as well automatically. Does that mean that a topic with WRITE > on it should automatically get DESCRIBE set in the bitfield? I would argue > that the answer is yes, for consistency's sake. > > We will inevitably add new AclOperations over time, and we have to think > about how to do this in a compatible way. The simplest approach would be > to just leave out the new AclOperations when a describe request comes in > from an older version client. This should be spelled out in the > compatibility section. > > best, > Colin > > > On Thu, Feb 21, 2019, at 02:28, Rajini Sivaram wrote: > > I would like to start vote on KIP-430 to optionally obtain authorized > > operations when describing resources: > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-430+-+Return+Authorized+Operations+in+Describe+Responses > > > > Thank you, > > > > Rajini > > >
