DUE TO SPAM, SIGN-UP IS DISABLED. Goto Selfserve wiki signup and request an account.
Status
Current state: Accepted
Discussion thread: skipped – [VOTE]
JIRA: KAFKA-19803 - Getting issue details... STATUS
Released: 4.2.0
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Kafka Streams tries to protect data written into the local state directory, by setting write permission only for the user/owner of the application (cf KAFKA-10705 - Getting issue details... STATUS ). However, Unix/Linux operation systems also support user-groups, and for some setups, it would be beneficial to allow write access to a group. To stay as restrictive as possible in general, relaxing the state directory restrictions should be opt-in, and thus we propose to add a config allowing users to relax the permission, but stay permissive by default.
Public Interfaces
We propose to add a new config, allow.os.group.write.access with a default value of "false". A corresponding entry will be added to StreamsConfig.java:
public class StreamsConfig {
// newly added
public static final String ALLOW_OS_GROUP_WRITE_ACCESS_CONFIG = "allow.os.group.write.access";
}
The config priority of the new config will be LOW .
Proposed Changes
On startup, when Kafka Streams verifies the permission for the state directory, it will revoke group write access by default, but if allow.os.group.write.access is set to "true", it will grant group write access.
Compatibility, Deprecation, and Migration Plan
We are adding a new config, and do not change the default behavior, so there is no backward compatibility concerns. Of course, if user enable this new feature and downgrade to an older version of Kafka Streams, the granted write access would get revoked again.
Test Plan
Unit testing should be sufficient.
Documentation Plan
The new config will be added to the docs.
Rejected Alternatives
n/a