Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The API could be changed such that CreateTopicPolicy (and also AlterConfigPolicy) could have the principal passed as part of the validation request. This could possibly work but is much more limited and I think using the built in ACL mechanism that already exists seems like a better solution as this is really a permission issue that is trying to be solved. While passing the principal to the policy could be used instead it is not great as gives the policy the ability to know who is making the request, only the ACL authorizer has all the information loaded to make permissions decisions and that still wouldn't be available to the create topic policy. Without the ACL authorizer the best you could do would be just check if a super user which is better but still doesn't solve the whole problem if you want to grant non super users the ability to create topics explicitly for certain topic prefixes.