-
Enhancement
-
Resolution: Done
-
Critical
-
None
WHAT
Authorizer improvements described in the Epic.
HOW
Change the authorizer validations imposed by createAcls in the following way:
- Users with access to manage ACLs should not be restricted from creating ACLs with themselves as the named principal
- Improve the error message returned by the authorizer when owners attempt to create ACLs for themselves
In addition make change the #acls and #deleteAcl method so they are aware of the owner rules. This is done to give the user a complete pictures of the ACLs applied to their instance.
- Change #acls so that it additionally to the rules from Kafka's database, the list includes 'synthesized' AclBinding objects representing the owner rules from the static configuration..
- Make a complimentary change to #deleteAcl so that attempts to the AclBinding objects belonging to owners are prevented with a clear error message that conveys the special nature of owner rules.
- A new configuration item will be require so that plugin knows which principals are owners.
ACLs rules for system principals such as the canary should remain hidden.
There are no Sub-Tasks for this issue.