handfreezer opened a new pull request, #16361: URL: https://github.com/apache/kafka/pull/16361
The default StandardAuthorizer in KRaft mode defines a KafkaPrincipal as type=User and a name, and a special wildcard eventually.

The difficulty with this solution is that we can't define ACLs by group of KafkaPrincipal. There is a way for the moment to do so by defining a RULE to rewrite the KafkaPrincipal name field, BUT to introduce the notion of group this way, you have to set rules which will make you lose the unique part of the KafkaPrincipal name of the connected client.

The concept here, in the StandardAuthorizer of Kafka KRaft, is to add the management of these KafkaPrincipal types:

- Regex
- StartsWith
- EndsWith
- Contains

(User is still available and keeps working as before, to avoid any regression/issue with current configurations.)

This would be done in the StandardAcl class of metadata/authorizer, and the findResult method of StandardAuthorizerData will delegate the match to the StandardAcl class (for performance reasons: precompile the regex in the ACL).

I added tests in metadata, and ran ./gradlew test from kafka:trunk and my fork: no more failed tests on my branch than on kafka:trunk.

### Committer Checklist (excluded from commit message)

- [x] Verify design and implementation => thanks to spell checker in gradle process
- [x] Verify test coverage and CI build status => adding a few tests in metadata, and ran gradlew test without more failed tests than kafka:trunk
- [x] Verify documentation (including upgrade notes): added a few lines in doc, no upgrade info as the previous behaviour should still work as before.

[Link to the JIRA-16707](https://issues.apache.org/jira/browse/KAFKA-16707)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org
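The matching described in the pull request above, sketched as an added example that is not code from the pull request or from Kafka: `PrincipalMatcher`, the `type:name` ACL string form, and the whole-name regex semantics are assumptions made for illustration. The regex is compiled once when the ACL entry is built, and the client's principal name is never rewritten, so it stays unique.

```java
import java.util.regex.Pattern;

// Added illustration; PrincipalMatcher and its methods are hypothetical names,
// not classes from the Kafka code base or from this pull request.
public final class PrincipalMatcher {
    private final String type;      // principal type taken from the ACL entry
    private final String name;      // literal name, prefix, suffix, fragment or regex source
    private final Pattern compiled; // non-null only for the Regex type

    public PrincipalMatcher(String aclPrincipal) {
        int sep = aclPrincipal.indexOf(':');
        if (sep <= 0) throw new IllegalArgumentException("expected type:name, got " + aclPrincipal);
        this.type = aclPrincipal.substring(0, sep);
        this.name = aclPrincipal.substring(sep + 1);
        // Compile once when the ACL is loaded, not on every authorization call.
        this.compiled = type.equals("Regex") ? Pattern.compile(name) : null;
    }

    /** True if this ACL entry applies to the connected client's principal name. */
    public boolean matches(String clientName) {
        switch (type) {
            case "User":       return name.equals("*") || name.equals(clientName);
            case "StartsWith": return clientName.startsWith(name);
            case "EndsWith":   return clientName.endsWith(name);
            case "Contains":   return clientName.contains(name);
            // Assumption: whole-name match, so an unanchored pattern cannot
            // match a fragment of a longer name and widen the grant.
            case "Regex":      return compiled.matcher(clientName).matches();
            default:           return false; // unknown type never matches
        }
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from the pull request.
        String alice = "CN=alice,OU=payments,O=example";
        String bob = "CN=bob,OU=audit,O=example";
        String[] acls = { "User:" + alice, "StartsWith:CN=alice,", "EndsWith:,OU=payments,O=example",
                          "Contains:OU=payments", "Regex:CN=[a-z]+,OU=payments,O=example", "Regex:OU=pay" };
        for (String acl : acls) {
            PrincipalMatcher m = new PrincipalMatcher(acl);
            System.out.println(acl + " -> alice=" + m.matches(alice) + " bob=" + m.matches(bob));
        }
    }
}
```

The last ACL shows why the regex semantics need to be documented: with whole-name matching `Regex:OU=pay` matches neither principal, whereas a substring search would match the first one.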