ACLs on public topics should be literal - edgecase #56
Assignees
Labels
enhancement
New feature or request
Comments
bluemonk3y
changed the title
|
my only concern with this idea is the cost of ACLs on broker performance. Once the topic growth has reached a certain point, then its difficult to change back to the current approach (i.e. remove granular ACLs and back to PREFIX only mode) - without operational overheads. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently ACLs on public topics are prefixed on resource
domainId + "._public". This isn't ideal, as it grants others access to topics that may not be in the spec.E.g. given the spec contains topic
<domain.id>._public.somethingand the cluster already contains, or someone adds later, topic<domain.id>._public.different, then anyone will be able to read that topic, even though its not managed by SpecMesh.This is kind of an edge case, but we have all the data to be able to create exact
literalACLs, so I think we should.Kind of related to #58. Maybe doing #58 is sufficient?
The text was updated successfully, but these errors were encountered: