ACL definition for decentralised topic management

[michael-sw-id]

In our decentralised set up we want to have:

• topics defined in owning service repo
• consumers and producers for a topic defined in owning service repo.
• topics created as part of owning service deployment
• ACLs created together with the topic

Unfortunately sine Strimzi couples ACLs with KafkaUser, this is not possible

With the kafka admin client ACLs are independent from the user (in fact user is just a string)

The motivation for using strimzi is the support our decentralised deployment set up.. but seems to be missing a fairly key capability

[scholzj]

I personally think that coupling the ACLs with the KafkaUser was a mistake and I would do it differently today. But to be clear, not everyone agrees with that. In any case, today, both the Topic and User Operators watch a single namespace - typically the same. So not sure this is a major issue as things are usually colocated.

I'm not sure what is service repo in your case. Whether it is some GitHub repo with GitOps setup or something else. Users often simply manage all users and topics in a single repo and use PRs to control and validate the ACL rights, in which case, these things do not matter that much.

In any case, I think you have a valid view (even if there might be other valid views as well 😉). But I'm afraid this will not change anytime soon.

[michael-sw-id]

yep, by service repo I mean github repo for the service that owns the topic.

The idea is that topics needed by a service are deployed together with corresponding service build in each environment. (as opposed to having central repo creating topics independently)

[michael-sw-id]

would KafkaUser with no ACLs defined, overwrite ACLs created by Admin Client?

[scholzj]

No. No ACLs would mean that there should not be any ACLs. I think you would need to disable the User Operator completely.