...
Status
Current state: "Under Discussion"
...
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Currently, kafka-acls.sh adds ACL rules whose --allow-host field accepts only a single IP or *. If a user wants to grant access to a batch of IPs, one ACL rule per IP has to be added, even though these IPs are usually in the same network segment. This KIP proposes allowing a network segment to be set in the host field of an ACL, so that any IP within that segment is allowed or denied access to the topic by a single rule.
Public Interfaces
The public interface changes fall into two parts: the command-line tool and the server-side interface. The interface change in this KIP is mainly on the command line, in bin/kafka-acls.sh:
...
| Option | Description (old) | Description (new) |
|---|---|---|
| --allow-host <String: allow-host> | Host from which principals listed in --allow-principal will have access. If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts. | Host from which principals listed in --allow-principal will have access. Host supports both IP and network segment formats, e.g. 192.0.0.1 or 192.0.0.1/20. If you have specified --allow-principal then the default for this option will be set to * which allows access from all hosts. |
Proposed Changes
Command line code changes
None
Server code changes
In the matchingAclExists method of AclAuthorizer, the host comparison is modified to support network segments.
Code Block

```scala
private def matchingAclExists(operation: AclOperation, resource: ResourcePattern, principal: KafkaPrincipal, host: String, permissionType: AclPermissionType, acls: AclSeqs): Boolean = {
  ......
  // host check to be extended so that acl.host may also be a network segment
  (acl.host == host || acl.host == AclEntry.WildcardHost)
  ......
}
```
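As an added example (not Kafka's code and not part of this KIP), a standalone Java helper showing how the host check above could be extended from an exact-string/wildcard comparison to a network-segment comparison. The class AclHostMatcher and the methods hostMatches and samePrefix are hypothetical names; the wildcard constant mirrors AclEntry.WildcardHost.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;

// Hypothetical helper, not Kafka's own code: the host check from
// AclAuthorizer.matchingAclExists extended to accept a network segment.
public final class AclHostMatcher {
    private static final String WILDCARD_HOST = "*"; // same meaning as AclEntry.WildcardHost

    /** True if the client address (an IP literal, as Kafka takes it from the session) is covered by the ACL host entry. */
    public static boolean hostMatches(String aclHost, String clientHost) {
        if (WILDCARD_HOST.equals(aclHost) || aclHost.equals(clientHost)) {
            return true; // existing behaviour: wildcard or exact match
        }
        int slash = aclHost.indexOf('/');
        if (slash < 0) {
            return false; // plain host entry that did not match exactly
        }
        try {
            byte[] network = InetAddress.getByName(aclHost.substring(0, slash)).getAddress();
            byte[] client = InetAddress.getByName(clientHost).getAddress();
            int prefix = Integer.parseInt(aclHost.substring(slash + 1));
            // An IPv4 entry never matches an IPv6 client (or vice versa); reject bad prefix lengths.
            if (network.length != client.length || prefix < 0 || prefix > network.length * 8) {
                return false;
            }
            // Only the first `prefix` bits are compared, so 192.0.0.1/20 (host bits set)
            // still means the segment 192.0.0.0 - 192.0.15.255.
            return samePrefix(network, client, prefix);
        } catch (UnknownHostException | NumberFormatException e) {
            return false; // malformed entry or address: no match rather than an exception
        }
    }

    static boolean samePrefix(byte[] a, byte[] b, int prefix) {
        int fullBytes = prefix / 8;
        if (!Arrays.equals(Arrays.copyOf(a, fullBytes), Arrays.copyOf(b, fullBytes))) return false;
        int remainingBits = prefix % 8;
        if (remainingBits == 0) return true;
        int mask = (0xFF << (8 - remainingBits)) & 0xFF;
        return (a[fullBytes] & mask) == (b[fullBytes] & mask);
    }

    public static void main(String[] args) {
        // Constructed sample checks against the KIP's example entry 192.0.0.1/20.
        System.out.println(hostMatches("192.0.0.1/20", "192.0.15.7"));
        System.out.println(hostMatches("192.0.0.1/20", "192.0.16.1"));
    }
}
```

Note that InetAddress.getByName would perform a DNS lookup if given a hostname rather than an IP literal, so an ACL host entry should be validated as an IP or IP/prefix at rule creation time.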
Compatibility, Deprecation, and Migration Plan
None
Rejected Alternatives
...