Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Ewen, Thanks for reviewing the KIP. Your comment about the "food for thought" section makes sense. It seems like a bug to me, not sure how you and others feel about it. I'll remove it for now, and open a separate JIRA for it, so we have a record of it. The read vs. write discussion and fixing the confusion seems to be an even bigger task, and will be addressed in its own KIP, if necessary. The KIP will be updated shortly. Thanks again. --Vahid From: Ewen Cheslack-Postava To: d...@kafka.apache.org Cc: Kafka User Date: 07/24/2017 10:36 AM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Vahid, Thanks for the KIP. I think we're mostly in violent agreement that the lack of any Write permissions on consumer groups is confusing. Unfortunately it's a pretty annoying issue to fix since it would require an increase in permissions. More generally, I think it's unfortunate because by squeezing all permissions into the lowest two levels, we have no room for refinement, e.g. if we realize some permission needs to have a lower level of access but higher than Describe, without adding new levels. I'm +1 on the KIP. I don't think it's ideal given the discussion of Read vs Write since I think Read is the correct permission in theory, but given where we are now it makes sense. Regarding the extra food for thought, I think such a change would require some plan for how to migrate people over to it. The main proposal in the KIP works without any migration plan because it is reducing the required permissions, but changing the requirement for listing a group to Describe (Group) would be adding/changing the requirements, which would be backwards incompatible. I'd be open to doing it, but it'd require some thought about how it would impact users and how we'd migrate them to the updated rule (or just agree that it is a bug and that including upgrade notes would be sufficient). -Ewen On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian < vahidhashem...@us.ibm.com> wrote: > I'm bumping this up again to get some feedback, especially from some of > the committers, on the KIP and on the note below. > > Thanks. > --Vahid > > > > > From: "Vahid S Hashemian" > To: d...@kafka.apache.org > Cc: "Kafka User" > Date: 06/21/2017 12:49 PM > Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > Permission of OffsetFetch > > > > I appreciate everyone's feedback so far on this KIP. > > Before starting a vote, I'd like to also ask for feedback on the > "Additional Food for Thought" section in the KIP: > https://cwiki.apache.org/confluence/display/KAFKA/KIP- > 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163: > LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought > > I just added some more details in that section, which I hope further > clarifies the suggestion there. > > Thanks. > --Vahid > > > > > > > > > > >
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Vahid, Thanks for the KIP. I think we're mostly in violent agreement that the lack of any Write permissions on consumer groups is confusing. Unfortunately it's a pretty annoying issue to fix since it would require an increase in permissions. More generally, I think it's unfortunate because by squeezing all permissions into the lowest two levels, we have no room for refinement, e.g. if we realize some permission needs to have a lower level of access but higher than Describe, without adding new levels. I'm +1 on the KIP. I don't think it's ideal given the discussion of Read vs Write since I think Read is the correct permission in theory, but given where we are now it makes sense. Regarding the extra food for thought, I think such a change would require some plan for how to migrate people over to it. The main proposal in the KIP works without any migration plan because it is reducing the required permissions, but changing the requirement for listing a group to Describe (Group) would be adding/changing the requirements, which would be backwards incompatible. I'd be open to doing it, but it'd require some thought about how it would impact users and how we'd migrate them to the updated rule (or just agree that it is a bug and that including upgrade notes would be sufficient). -Ewen On Mon, Jul 10, 2017 at 1:12 PM, Vahid S Hashemian < vahidhashem...@us.ibm.com> wrote: > I'm bumping this up again to get some feedback, especially from some of > the committers, on the KIP and on the note below. > > Thanks. > --Vahid > > > > > From: "Vahid S Hashemian" > To: d...@kafka.apache.org > Cc: "Kafka User" > Date: 06/21/2017 12:49 PM > Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > Permission of OffsetFetch > > > > I appreciate everyone's feedback so far on this KIP. > > Before starting a vote, I'd like to also ask for feedback on the > "Additional Food for Thought" section in the KIP: > https://cwiki.apache.org/confluence/display/KAFKA/KIP- > 163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163: > LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought > > I just added some more details in that section, which I hope further > clarifies the suggestion there. > > Thanks. > --Vahid > > > > > > > > > > >
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
I'm bumping this up again to get some feedback, especially from some of the committers, on the KIP and on the note below. Thanks. --Vahid From: "Vahid S Hashemian" To: d...@kafka.apache.org Cc: "Kafka User" Date: 06/21/2017 12:49 PM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch I appreciate everyone's feedback so far on this KIP. Before starting a vote, I'd like to also ask for feedback on the "Additional Food for Thought" section in the KIP: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought I just added some more details in that section, which I hope further clarifies the suggestion there. Thanks. --Vahid
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
I appreciate everyone's feedback so far on this KIP. Before starting a vote, I'd like to also ask for feedback on the "Additional Food for Thought" section in the KIP: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch#KIP-163:LowertheMinimumRequiredACLPermissionofOffsetFetch-AdditionalFoodforThought I just added some more details in that section, which I hope further clarifies the suggestion there. Thanks. --Vahid From: Vahid S Hashemian/Silicon Valley/IBM To: d...@kafka.apache.org Cc: "Kafka User" Date: 06/08/2017 11:29 AM Subject: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi all, I'm resending my earlier note hoping it would spark some conversation this time around :) Thanks. --Vahid From: "Vahid S Hashemian" To: dev , "Kafka User" Date: 05/30/2017 08:33 AM Subject:KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi, I started a new KIP to improve the minimum required ACL permissions of some of the APIs: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch The KIP is to address KAFKA-4585. Feedback and suggestions are welcome! Thanks. --Vahid
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
+1 On 19/06/17 21:31, Vahid S Hashemian wrote: Thanks everyone. Great discussion. Because these Read or Write actions are interpreted in conjunction with particular resources (Topic, Group, ...) it would also make more sense to me that for committing offsets the ACL should be (Group, Write). So, a consumer would be required to have (Topic, Read), (Group, Write) ACLs in order to function. --Vahid From: Colin McCabe To: users@kafka.apache.org Date: 06/19/2017 11:01 AM Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Thanks for the explanation. I still think it would be better to have the mutation operations require write ACLs, though. It might not be 100% intuitive for novice users, but the current split between Describe and Read is not intuitive for either novice or experienced users. In any case, I am +1 on the incremental improvement discussed in KIP-163. cheers, Colin On Sat, Jun 17, 2017, at 11:11, Hans Jespersen wrote: Offset commit is something that is done in the act of consuming (or reading) Kafka messages. Yes technically it is a write to the Kafka consumer offset topic but it's much easier for administers to think of ACLs in terms of whether the user is allowed to write (Produce) or read (Consume) messages and not the lower level semantics that are that consuming is actually reading AND writing (albeit only to the offset topic). -hans On Jun 17, 2017, at 10:59 AM, Viktor Somogyi wrote: Hi Vahid, +1 for OffsetFetch from me too. I also wanted to ask the strangeness of the permissions, like why is OffsetCommit a Read operation instead of Write which would intuitively make more sense to me. Perhaps any expert could shed some light on this? :) Viktor On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < vahidhashem...@us.ibm.com <mailto:vahidhashem...@us.ibm.com>> wrote: Hi Michal, Thanks a lot for your feedback. Your statement about Heartbeat is fair and makes sense. I'll update the KIP accordingly. --Vahid From:Michal Borowiecki To:users@kafka.apache.org, Vahid S Hashemian < vahidhashem...@us.ibm.com>, d...@kafka.apache.org Date:06/13/2017 01:35 AM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch -- Hi Vahid, +1 wrt OffsetFetch. The "Additional Food for Thought" mentions Heartbeat as a non-mutating action. I don't think that's true as the GroupCoordinator updates the latestHeartbeat field for the member and adds a new object to the heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() called from handleHeartbeat() NB added dev mailing list back into CC as it seems to have been lost along the way. Cheers, Michał On 12/06/17 18:47, Vahid S Hashemian wrote: Hi Colin, Thanks for the feedback. To be honest, I'm not sure either why Read was selected instead of Write for mutating APIs in the initial design (I asked Ewen on the corresponding JIRA and he seemed unsure too). Perhaps someone who was involved in the design can clarify. Thanks. --Vahid From: Colin McCabe *mailto:cmcc...@apache.org * mailto:cmcc...@apache.org>> To: *users@kafka.apache.org <mailto:users@kafka.apache.org>* mailto:users@kafka.apache.org>> Date: 06/12/2017 10:11 AM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi Vahid, I think you make a valid point that the ACLs controlling group operations are not very intuitive. This is probably a dumb question, but why are we using Read for mutating APIs? Shouldn't that be Write? The distinction between Describe and Read makes a lot of sense for Topics. A group isn't really something that you "read" from in the same way as a topic, so it always felt kind of weird there. best, Colin On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: Hi all, I'm resending my earlier note hoping it would spark some conversation this time around :) Thanks. --Vahid From: "Vahid S Hashemian" * mailto:vahidhashem...@us.ibm.com>>* mailto:vahidhashem...@us.ibm.com>> To: dev *mailto:d...@kafka.apache.org>>* mailto:d...@kafka.apache.org>>, "Kafka User" *mailto:users@kafka.apache.org>>* mailto:users@kafka.apache.org>> Date: 05/30/2017 08:33 AM Subject:KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi, I started a new KIP to improve the minimum required ACL permissions of some of the APIs: *https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch* < https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch* < https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Low
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Thanks everyone. Great discussion. Because these Read or Write actions are interpreted in conjunction with particular resources (Topic, Group, ...) it would also make more sense to me that for committing offsets the ACL should be (Group, Write). So, a consumer would be required to have (Topic, Read), (Group, Write) ACLs in order to function. --Vahid From: Colin McCabe To: users@kafka.apache.org Date: 06/19/2017 11:01 AM Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Thanks for the explanation. I still think it would be better to have the mutation operations require write ACLs, though. It might not be 100% intuitive for novice users, but the current split between Describe and Read is not intuitive for either novice or experienced users. In any case, I am +1 on the incremental improvement discussed in KIP-163. cheers, Colin On Sat, Jun 17, 2017, at 11:11, Hans Jespersen wrote: > > Offset commit is something that is done in the act of consuming (or > reading) Kafka messages. > Yes technically it is a write to the Kafka consumer offset topic but it's > much easier for > administers to think of ACLs in terms of whether the user is allowed to > write (Produce) or > read (Consume) messages and not the lower level semantics that are that > consuming is actually > reading AND writing (albeit only to the offset topic). > > -hans > > > > > > On Jun 17, 2017, at 10:59 AM, Viktor Somogyi wrote: > > > > Hi Vahid, > > > > +1 for OffsetFetch from me too. > > > > I also wanted to ask the strangeness of the permissions, like why is > > OffsetCommit a Read operation instead of Write which would intuitively make > > more sense to me. Perhaps any expert could shed some light on this? :) > > > > Viktor > > > > On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < > > vahidhashem...@us.ibm.com <mailto:vahidhashem...@us.ibm.com>> wrote: > > > >> Hi Michal, > >> > >> Thanks a lot for your feedback. > >> > >> Your statement about Heartbeat is fair and makes sense. I'll update the > >> KIP accordingly. > >> > >> --Vahid > >> > >> > >> > >> > >> From:Michal Borowiecki > >> To:users@kafka.apache.org, Vahid S Hashemian < > >> vahidhashem...@us.ibm.com>, d...@kafka.apache.org > >> Date:06/13/2017 01:35 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> -- > >> > >> > >> > >> Hi Vahid, > >> > >> +1 wrt OffsetFetch. > >> > >> The "Additional Food for Thought" mentions Heartbeat as a non-mutating > >> action. I don't think that's true as the GroupCoordinator updates the > >> latestHeartbeat field for the member and adds a new object to the > >> heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() > >> called from handleHeartbeat() > >> > >> NB added dev mailing list back into CC as it seems to have been lost along > >> the way. > >> > >> Cheers, > >> > >> Michał > >> > >> > >> On 12/06/17 18:47, Vahid S Hashemian wrote: > >> Hi Colin, > >> > >> Thanks for the feedback. > >> > >> To be honest, I'm not sure either why Read was selected instead of Write > >> for mutating APIs in the initial design (I asked Ewen on the corresponding > >> JIRA and he seemed unsure too). > >> Perhaps someone who was involved in the design can clarify. > >> > >> Thanks. > >> --Vahid > >> > >> > >> > >> > >> From: Colin McCabe *mailto:cmcc...@apache.org >>* mailto:cmcc...@apache.org>> > >> To: *users@kafka.apache.org <mailto:users@kafka.apache.org>* mailto:users@kafka.apache.org>> > >> Date: 06/12/2017 10:11 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> > >> > >> > >> Hi Vahid, > >> > >> I think you make a valid point that the ACLs controlling group > >> operations are not very intuitive. > >> > >> This is probably a dumb question, but why are we using Read for mutating > >> APIs? Shouldn't that be Write? > >> > >> The distinction between Descri
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Thanks for the explanation. I still think it would be better to have the mutation operations require write ACLs, though. It might not be 100% intuitive for novice users, but the current split between Describe and Read is not intuitive for either novice or experienced users. In any case, I am +1 on the incremental improvement discussed in KIP-163. cheers, Colin On Sat, Jun 17, 2017, at 11:11, Hans Jespersen wrote: > > Offset commit is something that is done in the act of consuming (or > reading) Kafka messages. > Yes technically it is a write to the Kafka consumer offset topic but it's > much easier for > administers to think of ACLs in terms of whether the user is allowed to > write (Produce) or > read (Consume) messages and not the lower level semantics that are that > consuming is actually > reading AND writing (albeit only to the offset topic). > > -hans > > > > > > On Jun 17, 2017, at 10:59 AM, Viktor Somogyi > > wrote: > > > > Hi Vahid, > > > > +1 for OffsetFetch from me too. > > > > I also wanted to ask the strangeness of the permissions, like why is > > OffsetCommit a Read operation instead of Write which would intuitively make > > more sense to me. Perhaps any expert could shed some light on this? :) > > > > Viktor > > > > On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < > > vahidhashem...@us.ibm.com <mailto:vahidhashem...@us.ibm.com>> wrote: > > > >> Hi Michal, > >> > >> Thanks a lot for your feedback. > >> > >> Your statement about Heartbeat is fair and makes sense. I'll update the > >> KIP accordingly. > >> > >> --Vahid > >> > >> > >> > >> > >> From: Michal Borowiecki > >> To:users@kafka.apache.org, Vahid S Hashemian < > >> vahidhashem...@us.ibm.com>, d...@kafka.apache.org > >> Date:06/13/2017 01:35 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> -- > >> > >> > >> > >> Hi Vahid, > >> > >> +1 wrt OffsetFetch. > >> > >> The "Additional Food for Thought" mentions Heartbeat as a non-mutating > >> action. I don't think that's true as the GroupCoordinator updates the > >> latestHeartbeat field for the member and adds a new object to the > >> heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() > >> called from handleHeartbeat() > >> > >> NB added dev mailing list back into CC as it seems to have been lost along > >> the way. > >> > >> Cheers, > >> > >> Michał > >> > >> > >> On 12/06/17 18:47, Vahid S Hashemian wrote: > >> Hi Colin, > >> > >> Thanks for the feedback. > >> > >> To be honest, I'm not sure either why Read was selected instead of Write > >> for mutating APIs in the initial design (I asked Ewen on the corresponding > >> JIRA and he seemed unsure too). > >> Perhaps someone who was involved in the design can clarify. > >> > >> Thanks. > >> --Vahid > >> > >> > >> > >> > >> From: Colin McCabe *mailto:cmcc...@apache.org>>* > >> mailto:cmcc...@apache.org>> > >> To: *users@kafka.apache.org <mailto:users@kafka.apache.org>* > >> mailto:users@kafka.apache.org>> > >> Date: 06/12/2017 10:11 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> > >> > >> > >> Hi Vahid, > >> > >> I think you make a valid point that the ACLs controlling group > >> operations are not very intuitive. > >> > >> This is probably a dumb question, but why are we using Read for mutating > >> APIs? Shouldn't that be Write? > >> > >> The distinction between Describe and Read makes a lot of sense for > >> Topics. A group isn't really something that you "read" from in the same > >> way as a topic, so it always felt kind of weird there. > >> > >> best, > >> Colin > >> > >> > >> On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: > >> > >> Hi all, > >> > >> I'm resending my earlier note hoping it would spark some conversation > >> this
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Got it, thanks Hans! On Sat, Jun 17, 2017 at 11:11 AM, Hans Jespersen wrote: > > Offset commit is something that is done in the act of consuming (or > reading) Kafka messages. > Yes technically it is a write to the Kafka consumer offset topic but it's > much easier for > administers to think of ACLs in terms of whether the user is allowed to > write (Produce) or > read (Consume) messages and not the lower level semantics that are that > consuming is actually > reading AND writing (albeit only to the offset topic). > > -hans > > > > > > On Jun 17, 2017, at 10:59 AM, Viktor Somogyi < > viktor.somo...@cloudera.com> wrote: > > > > Hi Vahid, > > > > +1 for OffsetFetch from me too. > > > > I also wanted to ask the strangeness of the permissions, like why is > > OffsetCommit a Read operation instead of Write which would intuitively > make > > more sense to me. Perhaps any expert could shed some light on this? :) > > > > Viktor > > > > On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < > > vahidhashem...@us.ibm.com <mailto:vahidhashem...@us.ibm.com>> wrote: > > > >> Hi Michal, > >> > >> Thanks a lot for your feedback. > >> > >> Your statement about Heartbeat is fair and makes sense. I'll update the > >> KIP accordingly. > >> > >> --Vahid > >> > >> > >> > >> > >> From:Michal Borowiecki > >> To:users@kafka.apache.org, Vahid S Hashemian < > >> vahidhashem...@us.ibm.com>, d...@kafka.apache.org > >> Date:06/13/2017 01:35 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> -- > >> > >> > >> > >> Hi Vahid, > >> > >> +1 wrt OffsetFetch. > >> > >> The "Additional Food for Thought" mentions Heartbeat as a non-mutating > >> action. I don't think that's true as the GroupCoordinator updates the > >> latestHeartbeat field for the member and adds a new object to the > >> heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() > >> called from handleHeartbeat() > >> > >> NB added dev mailing list back into CC as it seems to have been lost > along > >> the way. > >> > >> Cheers, > >> > >> Michał > >> > >> > >> On 12/06/17 18:47, Vahid S Hashemian wrote: > >> Hi Colin, > >> > >> Thanks for the feedback. > >> > >> To be honest, I'm not sure either why Read was selected instead of Write > >> for mutating APIs in the initial design (I asked Ewen on the > corresponding > >> JIRA and he seemed unsure too). > >> Perhaps someone who was involved in the design can clarify. > >> > >> Thanks. > >> --Vahid > >> > >> > >> > >> > >> From: Colin McCabe *mailto:cmcc...@apache.org>>* > mailto:cmcc...@apache.org>> > >> To: *users@kafka.apache.org <mailto:users@kafka.apache.org>* < > users@kafka.apache.org <mailto:users@kafka.apache.org>> > >> Date: 06/12/2017 10:11 AM > >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > >> Permission of OffsetFetch > >> > >> > >> > >> Hi Vahid, > >> > >> I think you make a valid point that the ACLs controlling group > >> operations are not very intuitive. > >> > >> This is probably a dumb question, but why are we using Read for mutating > >> APIs? Shouldn't that be Write? > >> > >> The distinction between Describe and Read makes a lot of sense for > >> Topics. A group isn't really something that you "read" from in the same > >> way as a topic, so it always felt kind of weird there. > >> > >> best, > >> Colin > >> > >> > >> On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: > >> > >> Hi all, > >> > >> I'm resending my earlier note hoping it would spark some conversation > >> this > >> time around :) > >> > >> Thanks. > >> --Vahid > >> > >> > >> > >> > >> From: "Vahid S Hashemian" * vahidhashem...@us.ibm.com>>* > >> mailto:vahidhashem...@us.
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Offset commit is something that is done in the act of consuming (or reading) Kafka messages. Yes technically it is a write to the Kafka consumer offset topic but it's much easier for administers to think of ACLs in terms of whether the user is allowed to write (Produce) or read (Consume) messages and not the lower level semantics that are that consuming is actually reading AND writing (albeit only to the offset topic). -hans > On Jun 17, 2017, at 10:59 AM, Viktor Somogyi > wrote: > > Hi Vahid, > > +1 for OffsetFetch from me too. > > I also wanted to ask the strangeness of the permissions, like why is > OffsetCommit a Read operation instead of Write which would intuitively make > more sense to me. Perhaps any expert could shed some light on this? :) > > Viktor > > On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < > vahidhashem...@us.ibm.com <mailto:vahidhashem...@us.ibm.com>> wrote: > >> Hi Michal, >> >> Thanks a lot for your feedback. >> >> Your statement about Heartbeat is fair and makes sense. I'll update the >> KIP accordingly. >> >> --Vahid >> >> >> >> >> From:Michal Borowiecki >> To:users@kafka.apache.org, Vahid S Hashemian < >> vahidhashem...@us.ibm.com>, d...@kafka.apache.org >> Date:06/13/2017 01:35 AM >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL >> Permission of OffsetFetch >> -- >> >> >> >> Hi Vahid, >> >> +1 wrt OffsetFetch. >> >> The "Additional Food for Thought" mentions Heartbeat as a non-mutating >> action. I don't think that's true as the GroupCoordinator updates the >> latestHeartbeat field for the member and adds a new object to the >> heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() >> called from handleHeartbeat() >> >> NB added dev mailing list back into CC as it seems to have been lost along >> the way. >> >> Cheers, >> >> Michał >> >> >> On 12/06/17 18:47, Vahid S Hashemian wrote: >> Hi Colin, >> >> Thanks for the feedback. >> >> To be honest, I'm not sure either why Read was selected instead of Write >> for mutating APIs in the initial design (I asked Ewen on the corresponding >> JIRA and he seemed unsure too). >> Perhaps someone who was involved in the design can clarify. >> >> Thanks. >> --Vahid >> >> >> >> >> From: Colin McCabe *mailto:cmcc...@apache.org>>* >> mailto:cmcc...@apache.org>> >> To: *users@kafka.apache.org <mailto:users@kafka.apache.org>* >> mailto:users@kafka.apache.org>> >> Date: 06/12/2017 10:11 AM >> Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL >> Permission of OffsetFetch >> >> >> >> Hi Vahid, >> >> I think you make a valid point that the ACLs controlling group >> operations are not very intuitive. >> >> This is probably a dumb question, but why are we using Read for mutating >> APIs? Shouldn't that be Write? >> >> The distinction between Describe and Read makes a lot of sense for >> Topics. A group isn't really something that you "read" from in the same >> way as a topic, so it always felt kind of weird there. >> >> best, >> Colin >> >> >> On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: >> >> Hi all, >> >> I'm resending my earlier note hoping it would spark some conversation >> this >> time around :) >> >> Thanks. >> --Vahid >> >> >> >> >> From: "Vahid S Hashemian" *> <mailto:vahidhashem...@us.ibm.com>>* >> mailto:vahidhashem...@us.ibm.com>> >> To: dev *mailto:d...@kafka.apache.org>>* >> mailto:d...@kafka.apache.org>>, "Kafka User" >> >> *mailto:users@kafka.apache.org>>* >> mailto:users@kafka.apache.org>> >> >> Date: 05/30/2017 08:33 AM >> Subject:KIP-163: Lower the Minimum Required ACL Permission of >> OffsetFetch >> >> >> >> Hi, >> >> I started a new KIP to improve the minimum required ACL permissions of >> some of the APIs: >> >> >> >> *https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch* >> >> <https://cwiki.apache.org/confluence/displa
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Vahid, +1 for OffsetFetch from me too. I also wanted to ask the strangeness of the permissions, like why is OffsetCommit a Read operation instead of Write which would intuitively make more sense to me. Perhaps any expert could shed some light on this? :) Viktor On Tue, Jun 13, 2017 at 2:38 PM, Vahid S Hashemian < vahidhashem...@us.ibm.com> wrote: > Hi Michal, > > Thanks a lot for your feedback. > > Your statement about Heartbeat is fair and makes sense. I'll update the > KIP accordingly. > > --Vahid > > > > > From:Michal Borowiecki > To:users@kafka.apache.org, Vahid S Hashemian < > vahidhashem...@us.ibm.com>, d...@kafka.apache.org > Date: 06/13/2017 01:35 AM > Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > Permission of OffsetFetch > -- > > > > Hi Vahid, > > +1 wrt OffsetFetch. > > The "Additional Food for Thought" mentions Heartbeat as a non-mutating > action. I don't think that's true as the GroupCoordinator updates the > latestHeartbeat field for the member and adds a new object to the > heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() > called from handleHeartbeat() > > NB added dev mailing list back into CC as it seems to have been lost along > the way. > > Cheers, > > Michał > > > On 12/06/17 18:47, Vahid S Hashemian wrote: > Hi Colin, > > Thanks for the feedback. > > To be honest, I'm not sure either why Read was selected instead of Write > for mutating APIs in the initial design (I asked Ewen on the corresponding > JIRA and he seemed unsure too). > Perhaps someone who was involved in the design can clarify. > > Thanks. > --Vahid > > > > > From: Colin McCabe ** > To: *users@kafka.apache.org* > Date: 06/12/2017 10:11 AM > Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL > Permission of OffsetFetch > > > > Hi Vahid, > > I think you make a valid point that the ACLs controlling group > operations are not very intuitive. > > This is probably a dumb question, but why are we using Read for mutating > APIs? Shouldn't that be Write? > > The distinction between Describe and Read makes a lot of sense for > Topics. A group isn't really something that you "read" from in the same > way as a topic, so it always felt kind of weird there. > > best, > Colin > > > On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: > > Hi all, > > I'm resending my earlier note hoping it would spark some conversation > this > time around :) > > Thanks. > --Vahid > > > > > From: "Vahid S Hashemian" ** > > To: dev ** , "Kafka User" > > ** > > Date: 05/30/2017 08:33 AM > Subject:KIP-163: Lower the Minimum Required ACL Permission of > OffsetFetch > > > > Hi, > > I started a new KIP to improve the minimum required ACL permissions of > some of the APIs: > > > > *https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch* > <https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch> > > > > The KIP is to address KAFKA-4585. > > Feedback and suggestions are welcome! > > Thanks. > --Vahid > > > > > > > > > > > > > > > -- > <http://www.openbet.com/> *Michal Borowiecki* > *Senior Software Engineer L4* > *T: * +44 208 742 1600 <(208)%20742-1600> > +44 203 249 8448 <(203)%20249-8448> > > *E: * *michal.borowie...@openbet.com* > *W: * *www.openbet.com* <http://www.openbet.com/> > *OpenBet Ltd* > Chiswick Park Building 9 > 566 Chiswick High Rd > London > W4 5XT > UK > <https://www.openbet.com/email_promo> > This message is confidential and intended only for the addressee. If you > have received this message in error, please immediately notify the > *postmas...@openbet.com* and delete it from your > system as well as any copies. The content of e-mails as well as traffic > data may be monitored by OpenBet for employment and security purposes. To > protect the environment please do not print this e-mail unless necessary. > OpenBet Ltd. Registered Office: Chiswick Park Building 9, 566 Chiswick High > Road, London, W4 5XT, United Kingdom. A company registered in England and > Wales. Registered no. 3134634. VAT no. GB927523612 > > > >
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Michal, Thanks a lot for your feedback. Your statement about Heartbeat is fair and makes sense. I'll update the KIP accordingly. --Vahid From: Michal Borowiecki To: users@kafka.apache.org, Vahid S Hashemian , d...@kafka.apache.org Date: 06/13/2017 01:35 AM Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi Vahid, +1 wrt OffsetFetch. The "Additional Food for Thought" mentions Heartbeat as a non-mutating action. I don't think that's true as the GroupCoordinator updates the latestHeartbeat field for the member and adds a new object to the heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() called from handleHeartbeat() NB added dev mailing list back into CC as it seems to have been lost along the way. Cheers, Michał On 12/06/17 18:47, Vahid S Hashemian wrote: Hi Colin, Thanks for the feedback. To be honest, I'm not sure either why Read was selected instead of Write for mutating APIs in the initial design (I asked Ewen on the corresponding JIRA and he seemed unsure too). Perhaps someone who was involved in the design can clarify. Thanks. --Vahid From: Colin McCabe To: users@kafka.apache.org Date: 06/12/2017 10:11 AM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi Vahid, I think you make a valid point that the ACLs controlling group operations are not very intuitive. This is probably a dumb question, but why are we using Read for mutating APIs? Shouldn't that be Write? The distinction between Describe and Read makes a lot of sense for Topics. A group isn't really something that you "read" from in the same way as a topic, so it always felt kind of weird there. best, Colin On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: Hi all, I'm resending my earlier note hoping it would spark some conversation this time around :) Thanks. --Vahid From: "Vahid S Hashemian" To: dev , "Kafka User" Date: 05/30/2017 08:33 AM Subject:KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi, I started a new KIP to improve the minimum required ACL permissions of some of the APIs: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch The KIP is to address KAFKA-4585. Feedback and suggestions are welcome! Thanks. --Vahid -- Michal Borowiecki Senior Software Engineer L4 T: +44 208 742 1600 +44 203 249 8448 E: michal.borowie...@openbet.com W: www.openbet.com OpenBet Ltd Chiswick Park Building 9 566 Chiswick High Rd London W4 5XT UK This message is confidential and intended only for the addressee. If you have received this message in error, please immediately notify the postmas...@openbet.com and delete it from your system as well as any copies. The content of e-mails as well as traffic data may be monitored by OpenBet for employment and security purposes. To protect the environment please do not print this e-mail unless necessary. OpenBet Ltd. Registered Office: Chiswick Park Building 9, 566 Chiswick High Road, London, W4 5XT, United Kingdom. A company registered in England and Wales. Registered no. 3134634. VAT no. GB927523612
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Vahid, +1 wrt OffsetFetch. The "Additional Food for Thought" mentions Heartbeat as a non-mutating action. I don't think that's true as the GroupCoordinator updates the latestHeartbeat field for the member and adds a new object to the heartbeatPurgatory, see completeAndScheduleNextHeartbeatExpiration() called from handleHeartbeat() NB added dev mailing list back into CC as it seems to have been lost along the way. Cheers, Michał On 12/06/17 18:47, Vahid S Hashemian wrote: Hi Colin, Thanks for the feedback. To be honest, I'm not sure either why Read was selected instead of Write for mutating APIs in the initial design (I asked Ewen on the corresponding JIRA and he seemed unsure too). Perhaps someone who was involved in the design can clarify. Thanks. --Vahid From: Colin McCabe To: users@kafka.apache.org Date: 06/12/2017 10:11 AM Subject: Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi Vahid, I think you make a valid point that the ACLs controlling group operations are not very intuitive. This is probably a dumb question, but why are we using Read for mutating APIs? Shouldn't that be Write? The distinction between Describe and Read makes a lot of sense for Topics. A group isn't really something that you "read" from in the same way as a topic, so it always felt kind of weird there. best, Colin On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: Hi all, I'm resending my earlier note hoping it would spark some conversation this time around :) Thanks. --Vahid From: "Vahid S Hashemian" To: dev , "Kafka User" Date: 05/30/2017 08:33 AM Subject:KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi, I started a new KIP to improve the minimum required ACL permissions of some of the APIs: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch The KIP is to address KAFKA-4585. Feedback and suggestions are welcome! Thanks. --Vahid -- Signature <http://www.openbet.com/> Michal Borowiecki Senior Software Engineer L4 T: +44 208 742 1600 +44 203 249 8448 E: michal.borowie...@openbet.com W: www.openbet.com <http://www.openbet.com/> OpenBet Ltd Chiswick Park Building 9 566 Chiswick High Rd London W4 5XT UK <https://www.openbet.com/email_promo> This message is confidential and intended only for the addressee. If you have received this message in error, please immediately notify the postmas...@openbet.com <mailto:postmas...@openbet.com> and delete it from your system as well as any copies. The content of e-mails as well as traffic data may be monitored by OpenBet for employment and security purposes. To protect the environment please do not print this e-mail unless necessary. OpenBet Ltd. Registered Office: Chiswick Park Building 9, 566 Chiswick High Road, London, W4 5XT, United Kingdom. A company registered in England and Wales. Registered no. 3134634. VAT no. GB927523612
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Colin, Thanks for the feedback. To be honest, I'm not sure either why Read was selected instead of Write for mutating APIs in the initial design (I asked Ewen on the corresponding JIRA and he seemed unsure too). Perhaps someone who was involved in the design can clarify. Thanks. --Vahid From: Colin McCabe To: users@kafka.apache.org Date: 06/12/2017 10:11 AM Subject:Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi Vahid, I think you make a valid point that the ACLs controlling group operations are not very intuitive. This is probably a dumb question, but why are we using Read for mutating APIs? Shouldn't that be Write? The distinction between Describe and Read makes a lot of sense for Topics. A group isn't really something that you "read" from in the same way as a topic, so it always felt kind of weird there. best, Colin On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: > Hi all, > > I'm resending my earlier note hoping it would spark some conversation > this > time around :) > > Thanks. > --Vahid > > > > > From: "Vahid S Hashemian" > To: dev , "Kafka User" > Date: 05/30/2017 08:33 AM > Subject:KIP-163: Lower the Minimum Required ACL Permission of > OffsetFetch > > > > Hi, > > I started a new KIP to improve the minimum required ACL permissions of > some of the APIs: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch > > The KIP is to address KAFKA-4585. > > Feedback and suggestions are welcome! > > Thanks. > --Vahid > > > > >
Re: [DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi Vahid, I think you make a valid point that the ACLs controlling group operations are not very intuitive. This is probably a dumb question, but why are we using Read for mutating APIs? Shouldn't that be Write? The distinction between Describe and Read makes a lot of sense for Topics. A group isn't really something that you "read" from in the same way as a topic, so it always felt kind of weird there. best, Colin On Thu, Jun 8, 2017, at 11:29, Vahid S Hashemian wrote: > Hi all, > > I'm resending my earlier note hoping it would spark some conversation > this > time around :) > > Thanks. > --Vahid > > > > > From: "Vahid S Hashemian" > To: dev , "Kafka User" > Date: 05/30/2017 08:33 AM > Subject:KIP-163: Lower the Minimum Required ACL Permission of > OffsetFetch > > > > Hi, > > I started a new KIP to improve the minimum required ACL permissions of > some of the APIs: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch > > The KIP is to address KAFKA-4585. > > Feedback and suggestions are welcome! > > Thanks. > --Vahid > > > > >
[DISCUSS] KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch
Hi all, I'm resending my earlier note hoping it would spark some conversation this time around :) Thanks. --Vahid From: "Vahid S Hashemian" To: dev , "Kafka User" Date: 05/30/2017 08:33 AM Subject:KIP-163: Lower the Minimum Required ACL Permission of OffsetFetch Hi, I started a new KIP to improve the minimum required ACL permissions of some of the APIs: https://cwiki.apache.org/confluence/display/KAFKA/KIP-163%3A+Lower+the+Minimum+Required+ACL+Permission+of+OffsetFetch The KIP is to address KAFKA-4585. Feedback and suggestions are welcome! Thanks. --Vahid