kafka-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Colin McCabe" <cmcc...@apache.org>
Subject Re: [VOTE] KIP-430 - Return Authorized Operations in Describe Responses
Date Sat, 23 Feb 2019 01:02:55 GMT
Hi Rajini,

Thanks for the explanations.

On Fri, Feb 22, 2019, at 11:59, Rajini Sivaram wrote:
> Hi Colin,
> 
> Thanks for the review. Sorry I meant that an array of INT8's, each of which
> is an AclOperation code will be returned. I have clarified that in the KIP.

Do you think it's worth considering a bitfield here still?  An array will take up at least
4 bytes for the length, plus whatever length the elements are.  A 32-bit bitfield would pretty
much always take up less space.  And we can have a new version of the RPC with 64 bits or
whatever if we outgrow 32 operations.  MetadataResponse for a big cluster could contain quite
a lot of topics, tens or hundreds of thousands.  So the space savings could be considerable.

> 
> All permitted operations will be returned from the set of supported
> operations on each resource. This is regardless of whether the access was
> implicitly or explicitly granted. Have clarified that in the KIP.

Thanks.

> 
> Since the values returned are INT8 codes, clients can simply ignore any
> they don't recognize. Java clients convert these into AclOperation.UNKNOWN.
> That way we don't need to update Metadata/describe request versions when
> new operations are added to a resource. This is consistent with
> DescribeAcls behaviour. Have added this to the compatibility section of the
> KIP.

Displaying "unknown" for new AclOperations made sense for DescribeAcls, since the ACL is explicitly
referencing the new AclOperation.   For example, if you upgrade your Kafka cluster to a new
version that supports DESCRIBE_CONFIGS, your old ACLs still don't reference DESCRIBE_CONFIGS.

In contrast, in the case here, existing topics (or other resources) might pick up the new
ACLOperation just by upgrading Kafka.  For example, if you had ALL permission on a topic and
you upgrade to a new version with DESCRIBE_CONFIGS, you now have DESCRIBE_CONFIGS permission
on that topic.  This would result in a lot of "unknowns" being displayed here, which might
not be ideal.

Also, there is an argument from intent-- the intention here is to let you know what you can
do with a resource that already exists.  Knowing that you can do an unknown thing isn't very
useful.  In contrast, for DescribeAcls, knowing that an ACL references an operation your software
is too old to understand is useful (you may choose not to modify that ACL, since you don't
know what it does, for example.)  What do you think?

cheers,
Colin


> 
> Thank you,
> 
> Rajini
> 
> 
> 
> On Fri, Feb 22, 2019 at 6:46 PM Colin McCabe <cmccabe@apache.org> wrote:
> 
> > Hi Rajini,
> >
> > Thanks for the KIP!
> >
> > The KIP specifies that "Authorized operations will be returned as [an]
> > INT8 consistent with [the] AclOperation used in ACL requests and
> > responses."  But there may be more than one AclOperation that is applied to
> > a given resource.  For example, a principal may have both READ and WRITE
> > permission on a topic.
> >
> > One option for representing this would be a bitfield.  A 32-bit bitfield
> > could have the appropriate bits set.  For example, if READ and WRITE
> > operations were permitted, bits 3 and 4 could be set.
> >
> > Another thing to think about here is that certain AclOperations imply
> > certain others.  For example, having WRITE on a topic gives you DESCRIBE on
> > that topic as well automatically.  Does that mean that a topic with WRITE
> > on it should automatically get DESCRIBE set in the bitfield?  I would argue
> > that the answer is yes, for consistency's sake.
> >
> > We will inevitably add new AclOperations over time, and we have to think
> > about how to do this in a compatible way.  The simplest approach would be
> > to just leave out the new AclOperations when a describe request comes in
> > from an older version client.  This should be spelled out in the
> > compatibility section.
> >
> > best,
> > Colin
> >
> >
> > On Thu, Feb 21, 2019, at 02:28, Rajini Sivaram wrote:
> > > I would like to start vote on KIP-430 to optionally obtain authorized
> > > operations when describing resources:
> > >
> > >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-430+-+Return+Authorized+Operations+in+Describe+Responses
> > >
> > > Thank you,
> > >
> > > Rajini
> > >
> >
>

Mime
View raw message