jihoonson commented on pull request #10535:
URL: https://github.com/apache/druid/pull/10535#issuecomment-773690442


Hi @nishantmonu51, I have been thinking about whether this PR should be a
part of the 0.21.0 release. My major concern is that the new security config
only works for the HTTP inputSource, which means users can still use the HTTP
firehose to bypass the security config. This can give system administrators
the wrong impression that they can secure their Druid cluster with the new
config, which is not true.

To avoid this problem, I think we have two options: either making both the
HTTP inputSource and firehose support the security config in the 0.21.0
release, or not including them at all in the release. I would say the first
option does not seem eligible, as it requires adding a new feature after code
freeze, which can potentially delay the release. So, I'd like to suggest
reverting this PR. Since the problem described above will be fixed in
https://github.com/apache/druid/pull/10677, we won't even have to deprecate the
configs added in this PR if we go down this way. What do you think?

