This feature request would introduce the possibility of gradual rollout of OPA in an enterprise environment which has multiple independent teams using one central production Kafka cluster.
As an example, in our organization, we use ACLs for topic access. What would be great for us so that the move from topic ACLs to using OPA policy does not mean moving hundreds and hundreds of topics en masse to OPA, which would be next to impossible, is that OPA consults the ACL authorizer kafka.security.authorizer.AclAuthorizer and if no ACL exists, it then forwards the request to OPA for authorization.
That would allow us to remove ACLs from a small group of topics and add them to OPA in little chunks, on a team by team, and code base by code base fashion.
Some background is available in this slack thread: https://openpolicyagent.slack.com/archives/CBR63TK2A/p1664790781658039
This feature request would introduce the possibility of gradual rollout of OPA in an enterprise environment which has multiple independent teams using one central production Kafka cluster.
As an example, in our organization, we use ACLs for topic access. What would be great for us so that the move from topic ACLs to using OPA policy does not mean moving hundreds and hundreds of topics en masse to OPA, which would be next to impossible, is that OPA consults the ACL authorizer
kafka.security.authorizer.AclAuthorizerand if no ACL exists, it then forwards the request to OPA for authorization.That would allow us to remove ACLs from a small group of topics and add them to OPA in little chunks, on a team by team, and code base by code base fashion.
Some background is available in this slack thread: https://openpolicyagent.slack.com/archives/CBR63TK2A/p1664790781658039