Re: [VOTE] KIP-11- Authorization design for kafka security

Mon, 27 Apr 2015 09:19:19 -0700 

Hi Sun, thanks for the comments, my answers are below:

* I think the wiki already describes the precedence order as Deny taking
precedence over allow when conflicting acls are found
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+In
terface#KIP-11-AuthorizationInterface-PermissionType
* In the first version that I am currently writing there is no group
support. Even when we add it I don’t see the need to add a precedence for
evaluation. it does not matter which principal matches as long as we have
a match. 
* Acl storage is indexed by resource right now because that is the primary
lookup id for all authorize operations. Given acls are cached I don’t see
the need to optimized the storage layer any further for lookup.
* The reason why we have acl with multi everything is to reduce redundancy
in acl storage. I am not sure how will we be able to reduce redundancy if
we divide it by using one principal,one host, one operation.

Thanks
Parth

On 4/26/15, 8:06 PM, "Sun, Dapeng" <dapeng....@intel.com> wrote:

>Hi Parth
>
>The design looks good, a few minor comments below. Since I just started
>looking into the discussion and many previous discussions I may missed,
>I'm sorry if these comments had be discussed.
>
>1. About SimpleAclAuthorizer (SimpleAuthorizer):
>a. As my understanding, I think there should only one type
>privilege(allow/deny) of a topic on a principle, or we make it deny >
>allow.
>For example, acl_1 " host1 -> group1-> user1 -> read->allow" and acl_2 "
>host1-> group1 -> user1 ->read->deny", if the two acls are for a same
>topic, it may be hard to understand, do you think it's necessary to add
>some details about this to wiki.
>b. And when we do authorize a user on a topic, we may should check user's
>user level acl first, then check user's group level acl, finally we check
>the host level and default level acl. do you think it's necessary we add
>some contents like these to wiki.
>For example, "host1 -> group1-> user1"  >  "host1 -> group1"  >  "host1"
>
>2.About SimpleAclAuthorizer (Acl Json will be stored in zookeeper)
>a. It may be better to make acl json stored hierarchily. It may be easy
>to search and do authorize. For example, when we authorize a user, we
>only need user related acls.
>b. I found one acl may contains multi-principles, multi-operations and
>multi-hosts, I'm strongly agreed with we provide api like these, but the
>acls stored in zookeeper or memory we may better to separate to
>one-principle, one-operation and one host. So we could make sure there
>are not many acls with same meaning and make acl management easily.
>
>
>Regards
>Dapeng
>
>-----Original Message-----
>From: Jun Rao [mailto:j...@confluent.io]
>Sent: Monday, April 27, 2015 5:02 AM
>To: dev@kafka.apache.org
>Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
>
>A few more minor comments.
>
>100. To make it clear, perhaps we should rename the resource "group" to
>consumer-group. We can probably make the same change in CLI as well so
>that it's not confused with user group.
>
>101. Currently, create is only at the cluster level. Should it also be at
>topic level? For example, perhaps it's useful to allow only user X to
>create topic X.
>
>Thanks,
>
>Jun
>
>
>On Sun, Apr 26, 2015 at 12:36 AM, Gwen Shapira <gshap...@cloudera.com>
>wrote:
>
>> Thanks for clarifying, Parth. I think you are taking the right
>> approach here.
>>
>> On Fri, Apr 24, 2015 at 11:46 AM, Parth Brahmbhatt
>> <pbrahmbh...@hortonworks.com> wrote:
>> > Sorry Gwen, completely misunderstood the question :-).
>> >
>> > * Does everyone have the privilege to create a new Group and use it
>> > to consume from Topics he's already privileged on?
>> >         Yes in current proposal. I did not see an API to create
>> > group
>> but if you
>> > have a READ permission on a TOPIC and WRITE permission on that Group
>> > you are free to join and consume.
>> >
>> >
>> > * Will the CLI tool be used to manage group membership too?
>> >         Yes and I think that means I need to add ―group. Updating
>> > the
>> KIP. Thanks
>> > for pointing this out.
>> >
>> > * Groups are kind of ephemeral, right? If all consumers in the group
>> > disconnect the group is gone, AFAIK. Do we preserve the ACLs? Or do
>> > we treat the new group as completely new resource? Can we create
>> > ACLs before the group exists, in anticipation of it getting created?
>> >         I have considered any auto delete and auto create as out of
>> scope for the
>> > first release. So Right now I was going with preserving the acls. Do
>> > you see any issues with this? Auto deleting would mean authorizer
>> > will now have to get into implementation details of kafka which I
>> > was trying to avoid.
>> >
>> > Thanks
>> > Parth
>> >
>> > On 4/24/15, 11:33 AM, "Gwen Shapira" <gshap...@cloudera.com> wrote:
>> >
>> >>We are not talking about same Groups :)
>> >>
>> >>I meant, Groups of consumers (which KIP-11 lists as a separate
>> >>resource in the Privilege table)
>> >>
>> >>On Fri, Apr 24, 2015 at 11:31 AM, Parth Brahmbhatt
>> >><pbrahmbh...@hortonworks.com> wrote:
>> >>> I see Groups as something we can add incrementally in the current
>> model.
>> >>> The acls take principalType: name so groups can be represented as
>> group:
>> >>> groupName. We are not managing group memberships anywhere in kafka
>> >>> and
>> I
>> >>> don’t see the need to do so.
>> >>>
>> >>> So for a topic1 using the CLI an admin can add an acl to grant
>> >>> access
>> to
>> >>> group:kafka-test-users.
>> >>>
>> >>> The authorizer implementation can have a plugin to map
>> >>>authenticated user  to groups ( This is how hadoop and storm
>> >>>works). The plugin could be  mapping user to linux/ldap/active
>> >>>directory groups but that is again upto  the implementation.
>> >>>
>> >>> What we are offering is an interface that is extensible so these
>> >>>features  can be added incrementally. I can add support for this in
>> >>>the first  release but don’t necessarily see why this would be
>> >>>absolute necessity.
>> >>>
>> >>> Thanks
>> >>> Parth
>> >>>
>> >>> On 4/24/15, 11:00 AM, "Gwen Shapira" <gshap...@cloudera.com> wrote:
>> >>>
>> >>>>Thanks.
>> >>>>
>> >>>>One more thing I'm missing in the KIP is details on the Group
>> >>>>resource (I think we discussed this and it was just not fully
>>updated):
>> >>>>
>> >>>>* Does everyone have the privilege to create a new Group and use
>> >>>>it to consume from Topics he's already privileged on?
>> >>>>* Will the CLI tool be used to manage group membership too?
>> >>>>* Groups are kind of ephemeral, right? If all consumers in the
>> >>>>group disconnect the group is gone, AFAIK. Do we preserve the
>> >>>>ACLs? Or do we treat the new group as completely new resource? Can
>> >>>>we create ACLs before the group exists, in anticipation of it
>>getting created?
>> >>>>
>> >>>>Its all small details, but it will be difficult to implement
>> >>>>KIP-11 without knowing the answers :)
>> >>>>
>> >>>>Gwen
>> >>>>
>> >>>>
>> >>>>On Fri, Apr 24, 2015 at 9:58 AM, Parth Brahmbhatt
>> >>>><pbrahmbh...@hortonworks.com> wrote:
>> >>>>> You are right, moved it to the default implementation section.
>> >>>>>
>> >>>>> Thanks
>> >>>>> Parth
>> >>>>>
>> >>>>> On 4/24/15, 9:52 AM, "Gwen Shapira" <gshap...@cloudera.com> wrote:
>> >>>>>
>> >>>>>>Sample ACL JSON and Zookeeper is in public API, but I thought it
>> >>>>>>is part of DefaultAuthorizer (Since Sentry and Argus won't be
>> >>>>>>using Zookeeper).
>> >>>>>>Am I wrong? Or is it the KIP?
>> >>>>>>
>> >>>>>>On Fri, Apr 24, 2015 at 9:49 AM, Parth Brahmbhatt
>> >>>>>><pbrahmbh...@hortonworks.com> wrote:
>> >>>>>>> Thanks for clarifying Gwen, KIP updated.
>> >>>>>>>
>> >>>>>>> I tried to make the distinction by creating a section for all
>> public
>> >>>>>>>APIs
>> >>>>>>>
>> >>>>>>>
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizat
>> >>>>>>>io
>> >>>>>>>n+
>> >>>>>>>In
>> >>>>>>> 
>> >>>>>>>terface#KIP-11-AuthorizationInterface-PublicInterfacesandclasse
>> >>>>>>>s
>> >>>>>>>
>> >>>>>>> Let me know if you think there is a better way to reflect this.
>> >>>>>>>
>> >>>>>>> Thanks
>> >>>>>>> Parth
>> >>>>>>>
>> >>>>>>> On 4/24/15, 9:37 AM, "Gwen Shapira" <gshap...@cloudera.com>
>>wrote:
>> >>>>>>>
>> >>>>>>>>+1 (non-binding)
>> >>>>>>>>
>> >>>>>>>>Two nitpicks for the wiki:
>> >>>>>>>>* Heartbeat is probably a READ and not CLUSTER operation. I'm
>> pretty
>> >>>>>>>>sure new consumers need it to be part of a consumer group.
>> >>>>>>>>* Can you clearly separate which parts are the API (common to
>> >>>>>>>>every
>> >>>>>>>>Authorizer) and which parts are DefaultAuthorizer
>>implementation?
>> It
>> >>>>>>>>will make reviews and Authorizer implementations a bit easier
>> >>>>>>>>to know exactly which is which.
>> >>>>>>>>
>> >>>>>>>>Gwen
>> >>>>>>>>
>> >>>>>>>>On Fri, Apr 24, 2015 at 9:28 AM, Parth Brahmbhatt
>> >>>>>>>><pbrahmbh...@hortonworks.com> wrote:
>> >>>>>>>>> Hi,
>> >>>>>>>>>
>> >>>>>>>>> I would like to open KIP-11 for voting.
>> >>>>>>>>>
>> >>>>>>>>> Thanks
>> >>>>>>>>> Parth
>> >>>>>>>>>
>> >>>>>>>>> On 4/22/15, 1:56 PM, "Parth Brahmbhatt"
>> >>>>>>>>><pbrahmbh...@hortonworks.com>
>> >>>>>>>>> wrote:
>> >>>>>>>>>
>> >>>>>>>>>>Hi Jeff,
>> >>>>>>>>>>
>> >>>>>>>>>>Thanks a lot for the review. I think you have a valid point
>> >>>>>>>>>>about acls being duplicated and the simplest solution would
>> >>>>>>>>>>be to modify
>> acls
>> >>>>>>>>>>class
>> >>>>>>>>>>so they hold a set of principals instead of single
>> >>>>>>>>>>principal. i.e
>> >>>>>>>>>>
>> >>>>>>>>>><user_a,user_b> has <READ,WRITE,DESCRIBE> Permissions on
>> >>>>>>>>>><Topic1> from <Host1, Host2, Host3>.
>> >>>>>>>>>>
>> >>>>>>>>>>I think the evaluation order only matters for the
>> >>>>>>>>>>permissionType which is Deny acls should be evaluated before
>> >>>>>>>>>>allow acls. To give you an example suppose we have following
>> >>>>>>>>>>acls
>> >>>>>>>>>>
>> >>>>>>>>>>acl1 -> user1 is allowed to READ from all hosts.
>> >>>>>>>>>>acl2 -> host1 is allowed to READ regardless of who is the
>>user.
>> >>>>>>>>>>acl3 -> host2 is allowed to READ regardless of who is the
>>user.
>> >>>>>>>>>>
>> >>>>>>>>>>acl4 -> user1 is denied to READ from host1.
>> >>>>>>>>>>
>> >>>>>>>>>>As stated in the KIP we first evaluate DENY so if user1
>> >>>>>>>>>>tries to access from host1 he will be denied(acl4), even
>> >>>>>>>>>>though both user1 and
>> >>>>>>>>>>host1
>> >>>>>>>>>>has
>> >>>>>>>>>>acl’s for allow with wildcards (acl1, acl2).
>> >>>>>>>>>>If user1 tried to READ from host2 , the action will be
>> >>>>>>>>>>allowed
>> and
>> >>>>>>>>>>it
>> >>>>>>>>>>does
>> >>>>>>>>>>not matter if we match acl3 or acl1 so I don’t think the
>> >>>>>>>>>>evaluation order matters here.
>> >>>>>>>>>>
>> >>>>>>>>>>“Will people actually use hosts with users?” I really don’t
>> >>>>>>>>>>know but given ACl’s are part of our Public APIs I thought
>> >>>>>>>>>>it is better to try and cover more use cases. If others
>> >>>>>>>>>>think this extra complexity is not
>> worth
>> >>>>>>>>>>the
>> >>>>>>>>>>value its adding please raise your concerns so we can
>> >>>>>>>>>>discuss if it should be removed from the acl structure. Note
>> >>>>>>>>>>that even in absence of hosts from ACL users will still be
>> >>>>>>>>>>able to whitelist/blacklist host as long as we start
>> >>>>>>>>>>supporting principalType = “host”, easy to add and can be
>> an
>> >>>>>>>>>>incremental improvement. They will however loose the ability
>> >>>>>>>>>>to restrict access to users just from a set of hosts.
>> >>>>>>>>>>
>> >>>>>>>>>>We agreed to offer a CLI to overcome the JSON acl config
>> >>>>>>>>>>
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authori
>> >>>>>>>>>>za
>> >>>>>>>>>>ti
>> >>>>>>>>>>on
>> >>>>>>>>>>+I
>> >>>>>>>>>>n
>> >>>>>>>>>>terface#KIP-11-AuthorizationInterface-AclManagement(CLI). I
>> >>>>>>>>>>still like Jsons but that probably has something to do with
>> >>>>>>>>>>me being a developer :-).
>> >>>>>>>>>>
>> >>>>>>>>>>Thanks
>> >>>>>>>>>>Parth
>> >>>>>>>>>>
>> >>>>>>>>>>On 4/22/15, 11:38 AM, "Jeff Holoman" <jholo...@cloudera.com>
>> >>>>>>>>>>wrote:
>> >>>>>>>>>>
>> >>>>>>>>>>>Parth,
>> >>>>>>>>>>>
>> >>>>>>>>>>>This is a long thread, so trying to keep up here, sorry if
>> >>>>>>>>>>>this has been covered before. First, great job on the KIP
>> >>>>>>>>>>>proposal and work so far.
>> >>>>>>>>>>>
>> >>>>>>>>>>>Are we sure that we want to tie host level access to a
>> >>>>>>>>>>>given user?
>> >>>>>>>>>>>My
>> >>>>>>>>>>>understanding is that the ACL will be (omitting some
>> >>>>>>>>>>>fields)
>> >>>>>>>>>>>
>> >>>>>>>>>>>user_a, host1, host2, host3 user_b, host1, host2, host3
>> >>>>>>>>>>>
>> >>>>>>>>>>>So there would potentially be a lot of redundancy in the
>> configs.
>> >>>>>>>>>>>Does
>> >>>>>>>>>>>it
>> >>>>>>>>>>>make sense to have hosts be at the same level as principal
>> >>>>>>>>>>>in
>> the
>> >>>>>>>>>>>hierarchy? This way you could just blanket the allowed /
>> >>>>>>>>>>>denied hosts and only have to worry about the users. So if
>> >>>>>>>>>>>you follow this, then
>> >>>>>>>>>>>
>> >>>>>>>>>>>we can wildcard the user so we can have a separate list of
>> >>>>>>>>>>>just host-based access. What's the order that the perms
>> >>>>>>>>>>>would be evaluated if a there was more than one match on a
>> >>>>>>>>>>>principal ?
>> >>>>>>>>>>>
>> >>>>>>>>>>>Is the thought that there wouldn't usually be much overlap
>> >>>>>>>>>>>on hosts?
>> >>>>>>>>>>>I
>> >>>>>>>>>>>guess I can imagine a scenario where I want to
>> >>>>>>>>>>>offline/online access to a particular hosts or set of hosts
>> >>>>>>>>>>>and if there was overlap, I'm doing a bunch of alter
>> >>>>>>>>>>>commands for just a single host. Maybe this is
>> too
>> >>>>>>>>>>>contrived
>> >>>>>>>>>>>an example?
>> >>>>>>>>>>>
>> >>>>>>>>>>>I agree that having this level of granularity gives
>> >>>>>>>>>>>flexibility but I wonder if people will actually use it and
>> >>>>>>>>>>>not just * the hosts for a given user and create separate
>> >>>>>>>>>>>"global" list as i mentioned above?
>> >>>>>>>>>>>
>> >>>>>>>>>>>The only other system I know of that ties users with hosts
>> >>>>>>>>>>>for access is MySql and I don't love that model. Companies
>> >>>>>>>>>>>usually standardize on group authorization anyway, are we
>> >>>>>>>>>>>complicating that issue with the inclusion of hosts
>> >>>>>>>>>>>attached to users? Additionally I worry about the debt of
>> >>>>>>>>>>>big JSON configs in the first place, most non-developers
>> >>>>>>>>>>>find them non-intuitive already, so anything to ease this I
>> >>>>>>>>>>>think would be beneficial.
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>Thanks
>> >>>>>>>>>>>
>> >>>>>>>>>>>Jeff
>> >>>>>>>>>>>
>> >>>>>>>>>>>On Wed, Apr 22, 2015 at 2:22 PM, Parth Brahmbhatt <
>> >>>>>>>>>>>pbrahmbh...@hortonworks.com> wrote:
>> >>>>>>>>>>>
>> >>>>>>>>>>>> Sorry I missed your last questions. I am +0 on adding
>> >>>>>>>>>>>>―host option for  ―list, we could add it for symmetry.
>> >>>>>>>>>>>>Again if this is only a CLI change it  can be added later
>> >>>>>>>>>>>>if you mean adding this in authorizer interface then we
>> >>>>>>>>>>>>should make a decision now.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Given a choice I would like to actually keep only one
>> >>>>>>>>>>>>option which is  resource based get (remove even the get
>> >>>>>>>>>>>>based on principal). I see those  (getAcl for principal or
>> >>>>>>>>>>>>host) as special filtering case which can easily  be
>> >>>>>>>>>>>>achieved by a third party tool by doing "list all topics"
>> >>>>>>>>>>>>and
>> >>>>>>>>>>>>calling
>> >>>>>>>>>>>> getAcls for each topic and applying filtering logic on
>>that.
>> I
>> >>>>>>>>>>>>really
>> >>>>>>>>>>>> don’t see the need to make those first class citizens of
>> >>>>>>>>>>>>the authorizer  interface given these kind of queries will
>> >>>>>>>>>>>>be issued outside
>> of
>> >>>>>>>>>>>>broker
>> >>>>>>>>>>>>JVM
>> >>>>>>>>>>>> so they will not benefit from the caching and because the
>> >>>>>>>>>>>>storage will be  indexed on resource both these options
>> >>>>>>>>>>>>even as a first class API will just  scan all topic acls
>> >>>>>>>>>>>>and apply filtering logic.
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> Thanks
>> >>>>>>>>>>>> Parth
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> On 4/22/15, 11:08 AM, "Parth Brahmbhatt"
>> >>>>>>>>>>>><pbrahmbh...@hortonworks.com>
>> >>>>>>>>>>>> wrote:
>> >>>>>>>>>>>>
>> >>>>>>>>>>>> >Please see all the available options here
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Autho
>> >>>>>>>>>>>>ri
>> >>>>>>>>>>>>za
>> >>>>>>>>>>>>ti
>> >>>>>>>>>>>>on
>> >>>>>>>>>>>>+
>> >>>>>>>>>>>>I
>> >>>>>>>>>>>> >nterface#KIP-11-AuthorizationInterface-AclManagement(CLI
>> >>>>>>>>>>>> >) . I
>> >>>>>>>>>>>>think
>> >>>>>>>>>>>>it
>> >>>>>>>>>>>> >covers both hosts and operations and allows to specify a
>> >>>>>>>>>>>> >list
>> >>>>>>>>>>>>for
>> >>>>>>>>>>>>both.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >Thanks
>> >>>>>>>>>>>> >Parth
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >From: Tom Graves
>> >>>>>>>>>>>><tgraves...@yahoo.com<mailto:tgraves...@yahoo.com>>
>> >>>>>>>>>>>> >Reply-To: Tom Graves
>> >>>>>>>>>>>><tgraves...@yahoo.com<mailto:tgraves...@yahoo.com>>
>> >>>>>>>>>>>> >Date: Wednesday, April 22, 2015 at 11:02 AM
>> >>>>>>>>>>>> >To: Parth Brahmbhatt
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
>> pbrahmbh...@hortonworks.com
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>>,
>> >>>>>>>>>>>> >"dev@kafka.apache.org<mailto:dev@kafka.apache.org>"
>> >>>>>>>>>>>> ><dev@kafka.apache.org<mailto:dev@kafka.apache.org>>
>> >>>>>>>>>>>> >Subject: Re: [DISCUSS] KIP-11- Authorization design for
>> >>>>>>>>>>>> >kafka
>> >>>>>>>>>>>>security
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >Thanks for the explanations Parth.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >On the configs questions, the way I see it is its more
>> >>>>>>>>>>>> >likely
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >accidentally give everyone access, especially since you
>> >>>>>>>>>>>> >have
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>>run
>> >>>>>>>>>>>>a
>> >>>>>>>>>>>> >separate command to change the acls. If there was some
>> >>>>>>>>>>>> >config
>> >>>>>>>>>>>>for
>> >>>>>>>>>>>> >defaults, a cluster admin could change that to be nobody
>> >>>>>>>>>>>> >or
>> >>>>>>>>>>>>certain
>> >>>>>>>>>>>>set
>> >>>>>>>>>>>> >of users, then grant others permissions.  This would
>> >>>>>>>>>>>> >also
>> >>>>>>>>>>>>remove
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>>race
>> >>>>>>>>>>>> >between commands.  This is something you can always add
>> >>>>>>>>>>>> >later
>> >>>>>>>>>>>>though
>> >>>>>>>>>>>>if
>> >>>>>>>>>>>> >people request it.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >So in kafka-acl.sh how do I actually tell it what the
>> >>>>>>>>>>>>operation
>> >>>>>>>>>>>>is?
>> >>>>>>>>>>>> >kafka-acl.sh --topic testtopic --add --grandprincipal
>> >>>>>>>>>>>>user:joe,user:kate
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >where does READ, WRITE, etc go?  Can specify as a list
>> >>>>>>>>>>>> >so I
>> >>>>>>>>>>>>don't
>> >>>>>>>>>>>>have
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >run this a bunch of times for each.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >Do you want to have a --host option for --list so that
>> >>>>>>>>>>>> >admins
>> >>>>>>>>>>>>could
>> >>>>>>>>>>>>see
>> >>>>>>>>>>>> >what acls apply to specific host(s)?
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >Tom
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >On Wednesday, April 22, 2015 11:38 AM, Parth Brahmbhatt
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
>> pbrahmbh...@hortonworks.com
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>wrote:
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >FYI, I have modified the KIP to include group as
>> >>>>>>>>>>>> >resource. In
>> >>>>>>>>>>>>order
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >access “joinGroup” and “commitOFfset” APIs the user will
>> >>>>>>>>>>>> >need
>> >>>>>>>>>>>>a
>> >>>>>>>>>>>>read
>> >>>>>>>>>>>> >permission on topic and WRITE permission on group.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >I plan to open a VOTE thread by noon if there are no
>> >>>>>>>>>>>> >more
>> >>>>>>>>>>>>concerns.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >Thanks
>> >>>>>>>>>>>> >Parth
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >On 4/22/15, 9:03 AM, "Tom Graves"
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>><tgraves...@yahoo.com.INVALID<mailto:
>> tgraves...@yahoo.com.INVAL
>> >>>>>>>>>>>>>ID
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>> wrote:
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>Hey everyone,
>> >>>>>>>>>>>> >>Sorry to jump in on the conversation so late. I'm new
>> >>>>>>>>>>>> >>to
>> >>>>>>>>>>>>Kafka.
>> >>>>>>>>>>>>I'll
>> >>>>>>>>>>>> >>apologize in advance if you have already covered some
>> >>>>>>>>>>>> >>of my
>> >>>>>>>>>>>>questions.  I
>> >>>>>>>>>>>> >>read through the wiki and had some comments and
>>questions.
>> >>>>>>>>>>>> >>1) public enum Operation needs EDIT changed to ALTER
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>    Done.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>2) Does the Authorizer class need a setAcls?  Rather
>> >>>>>>>>>>>> >>then
>> >>>>>>>>>>>>just
>> >>>>>>>>>>>>add
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>>be
>> >>>>>>>>>>>> >>able to set to explicit list and overwrite what was
>>there?
>> I
>> >>>>>>>>>>>>see
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>> >>kafka-acl.sh lists a removeall so I guess you could do
>> >>>>>>>>>>>>removeall
>> >>>>>>>>>>>>and
>> >>>>>>>>>>>>then
>> >>>>>>>>>>>> >>add.  I also don't see a removeall in the Authorizer
>> >>>>>>>>>>>> >>class,
>> >>>>>>>>>>>>is
>> >>>>>>>>>>>>it
>> >>>>>>>>>>>>going
>> >>>>>>>>>>>> >>to loop through them all to remove each one?
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    There is an overloaded version of removeAcls in the
>> >>>>>>>>>>>>interface
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>> >takes
>> >>>>>>>>>>>> >in resource as the only input and as described in the
>> >>>>>>>>>>>> >javadoc
>> >>>>>>>>>>>>all
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>>acls
>> >>>>>>>>>>>> >attached to that resource will be deleted. To cover the
>> setAcl
>> >>>>>>>>>>>>use
>> >>>>>>>>>>>>case
>> >>>>>>>>>>>> >the caller can first call remove and then add.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>3) Can someone tell me what the use case to do acls
>> >>>>>>>>>>>> >>based on
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>>hosts?
>> >>>>>>>>>>>> >>I can see some possibilities just wondering if we can
>> >>>>>>>>>>>>concrete
>> >>>>>>>>>>>>ones
>> >>>>>>>>>>>>where
>> >>>>>>>>>>>> >>one user is allowed from one host but not another.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    I am not sure if I understand the question given the
>> >>>>>>>>>>>> > use
>> >>>>>>>>>>>>case
>> >>>>>>>>>>>>you
>> >>>>>>>>>>>> >described in your question is what we are trying to
>> >>>>>>>>>>>> >cover
>> with
>> >>>>>>>>>>>>use
>> >>>>>>>>>>>>of
>> >>>>>>>>>>>> >hosts in Acl. There are some additional use cases like
>> >>>>>>>>>>>> >“allow
>> >>>>>>>>>>>>access
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >any user from host1,host2” but I think primarily it
>> >>>>>>>>>>>> >gives the
>> >>>>>>>>>>>>admins
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>> >ability to define acls at a more granular level.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>4) I'm a bit unclear how the "resource" works in the
>> >>>>>>>>>>>>Authorizer
>> >>>>>>>>>>>>class.
>> >>>>>>>>>>>> >>From what I see we have 2 resources - topics and cluster.
>> >>>>>>>>>>>>If I
>> >>>>>>>>>>>>want
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >>add an acl to allow "joe" to CREATE for the cluster
>> >>>>>>>>>>>> >>then I
>> >>>>>>>>>>>>call
>> >>>>>>>>>>>>addAcls
>> >>>>>>>>>>>> >>with  Acl("user: joe", ALLOW, Set(*), Set(CREATE)) and
>> >>>>>>>>>>>>"cluster"?
>> >>>>>>>>>>>>What
>> >>>>>>>>>>>> >>if I want to call addAcls for DESCRIBE on a topic?  Is
>> >>>>>>>>>>>> >>the
>> >>>>>>>>>>>>resource
>> >>>>>>>>>>>>then
>> >>>>>>>>>>>> >>"topic" or is it the topic name?
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    We now have 3 resources(added group), please see the
>> >>>>>>>>>>>>updated
>> >>>>>>>>>>>>doc.
>> >>>>>>>>>>>>The
>> >>>>>>>>>>>> >CREATE acl that you described is correct. For any topic
>> >>>>>>>>>>>>operation
>> >>>>>>>>>>>>you
>> >>>>>>>>>>>> >should use topic name as the resource name and for group
>> >>>>>>>>>>>> >the
>> >>>>>>>>>>>>user
>> >>>>>>>>>>>>will
>> >>>>>>>>>>>> >provide groupId as resource name.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>5) reassigning partitions is a CLUSTER_ACTION or
>>superuser?
>> >>>>>>>>>>>>Its
>> >>>>>>>>>>>>not
>> >>>>>>>>>>>> >>totally clear to me the differences between these.
>> >>>>>>>>>>>> >>what
>> >>>>>>>>>>>>about
>> >>>>>>>>>>>>increasing
>> >>>>>>>>>>>> >># of partitions?
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    I see this as an alter topic operation so it is at
>> >>>>>>>>>>>> > topic
>> >>>>>>>>>>>>level
>> >>>>>>>>>>>>and
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>> >user must have alter permissions on topic.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>6) groups are mentioned, are we supporting right away
>> >>>>>>>>>>>> >>or is
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>>a
>> >>>>>>>>>>>>follow
>> >>>>>>>>>>>> >>on item? (is there going to be a kafka.supergroups)
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    I think it can be a separate jira just for braking
>> >>>>>>>>>>>> > down
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>>code
>> >>>>>>>>>>>> >review
>> >>>>>>>>>>>> >in smaller chunk. We will support it in first version
>> >>>>>>>>>>>> >but I
>> >>>>>>>>>>>>think
>> >>>>>>>>>>>>if
>> >>>>>>>>>>>>we
>> >>>>>>>>>>>> >can not do it for any reason that should not block a
>> >>>>>>>>>>>> >release
>> >>>>>>>>>>>>with
>> >>>>>>>>>>>>all
>> >>>>>>>>>>>>the
>> >>>>>>>>>>>> >other authZ work. We made deliberate design choices
>> >>>>>>>>>>>> >(like
>> >>>>>>>>>>>>introducing
>> >>>>>>>>>>>>a
>> >>>>>>>>>>>> >principalType in KafkaPrinciapl) to allow supporting
>> >>>>>>>>>>>> >groups
>> as
>> >>>>>>>>>>>>an
>> >>>>>>>>>>>> >incremental change.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>7) Are there config options for setting acls when I
>> >>>>>>>>>>>> >>create
>> my
>> >>>>>>>>>>>>topic?
>> >>>>>>>>>>>>Or
>> >>>>>>>>>>>> >>do I have to create my topic and then run the
>> >>>>>>>>>>>> >>kafka-acl.sh
>> >>>>>>>>>>>>script
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>>set
>> >>>>>>>>>>>> >>them?  Although its very small, there would be possible
>> >>>>>>>>>>>> >>race
>> >>>>>>>>>>>>there
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>> >>someone could start producing to topic before acls are
>>set.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    We discussed this yesterday and we agreed to go with
>> >>>>>>>>>>>>kafka-acl.sh.
>> >>>>>>>>>>>>Yes
>> >>>>>>>>>>>> >there is a very very small window of vulnerability but I
>> think
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>>really
>> >>>>>>>>>>>> >does not warrant to change the decision in this case.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>8) are there configs for cluster level acl defaults?
>> >>>>>>>>>>>> >>Or
>> does
>> >>>>>>>>>>>>it
>> >>>>>>>>>>>>default
>> >>>>>>>>>>>> >>to superusers on bringing up new cluster and you have
>> >>>>>>>>>>>> >>to
>> >>>>>>>>>>>>modify
>> >>>>>>>>>>>>with
>> >>>>>>>>>>>>cli.
>> >>>>>>>>>>>> >>thanks,Tom
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >    No defaults, the default is superusers will have
>> >>>>>>>>>>>> > full
>> >>>>>>>>>>>>access.
>> >>>>>>>>>>>>I
>> >>>>>>>>>>>>don’t
>> >>>>>>>>>>>> >think making assumptions about ones security requirement
>> >>>>>>>>>>>>should
>> >>>>>>>>>>>>be
>> >>>>>>>>>>>>our
>> >>>>>>>>>>>> >burden.
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>    On Tuesday, April 21, 2015 7:10 PM, Parth
>> >>>>>>>>>>>> >> Brahmbhatt
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>>><pbrahmbh...@hortonworks.com<mailto:
>> pbrahmbh...@hortonworks.co
>> >>>>>>>>>>>>>>m>
>> >>>>>>>>>>>>>>>
>> >>>>>>>>>>>>wrote:
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >> I have added the notes to KIP-11 Open question sections.
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>Thanks
>> >>>>>>>>>>>> >>Parth
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>On 4/21/15, 4:49 PM, "Gwen Shapira"
>> >>>>>>>>>>>> >><gshap...@cloudera.com<mailto:gshap...@cloudera.com>>
>> wrote:
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>>Adding my notes from today's call to the thread:
>> >>>>>>>>>>>> >>>
>> >>>>>>>>>>>> >>>** Deny or Allow all by default? We will add a
>> configuration
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>> >>>control this. The configuration will default to
>> >>>>>>>>>>>> >>>“allow” for
>> >>>>>>>>>>>>backward
>> >>>>>>>>>>>> >>>compatibility. Security admins can set it to "deny"
>> >>>>>>>>>>>> >>>
>> >>>>>>>>>>>> >>>** Storing ACLs for default authorizers: We'll store
>> >>>>>>>>>>>> >>>them
>> in
>> >>>>>>>>>>>>ZK.
>> >>>>>>>>>>>>We'll
>> >>>>>>>>>>>> >>>support pointing the authorizer to any ZK.
>> >>>>>>>>>>>> >>>The use of ZK will be internal to the default
>>authorizer.
>> >>>>>>>>>>>>Authorizer
>> >>>>>>>>>>>> >>>reads ACLs from cache every hour. We proposed having
>> >>>>>>>>>>>>mechanism
>> >>>>>>>>>>>> >>>(possibly via new ZK node) to tell broker to refresh
>> >>>>>>>>>>>> >>>the
>> >>>>>>>>>>>>cache
>> >>>>>>>>>>>> >>>immediately.
>> >>>>>>>>>>>> >>>
>> >>>>>>>>>>>> >>>** Support deny as permission type - we agreed to keep
>> this.
>> >>>>>>>>>>>> >>>
>> >>>>>>>>>>>> >>>** Mapping operations to API: We may need to add Group
>> >>>>>>>>>>>> >>>as a
>> >>>>>>>>>>>>resource,
>> >>>>>>>>>>>> >>>with JoinGroup and OffsetCommit require privilege on
>> >>>>>>>>>>>> >>>the
>> >>>>>>>>>>>>consumer
>> >>>>>>>>>>>> >>>group.
>> >>>>>>>>>>>> >>>This can be something we pass now and authorizers can
>> >>>>>>>>>>>>support
>> >>>>>>>>>>>>in
>> >>>>>>>>>>>> >>>future. - Jay will write specifics to the mailing list
>> >>>>>>>>>>>>discussion.
>> >>>>>>>>>>>> >>>
>> >>>>>>>>>>>> >>>On Tue, Apr 21, 2015 at 4:32 PM, Jay Kreps
>> >>>>>>>>>>>> >>><jay.kr...@gmail.com<mailto:jay.kr...@gmail.com>> wrote:
>> >>>>>>>>>>>> >>>> Following up on the KIP discussion. Two options for
>> >>>>>>>>>>>>authorizing
>> >>>>>>>>>>>> >>>>consumers
>> >>>>>>>>>>>> >>>> to read topic "t" as part of group "g":
>> >>>>>>>>>>>> >>>> 1. READ permission on resource /topic/t  2. READ
>> >>>>>>>>>>>> >>>>permission on resource /topic/t AND WRITE
>> >>>>>>>>>>>>permission
>> >>>>>>>>>>>>on
>> >>>>>>>>>>>> >>>>/group/g
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>> >>>> The advantage of (1) is that it is simpler. The
>> >>>>>>>>>>>>disadvantage
>> >>>>>>>>>>>>is
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>> >>>>any
>> >>>>>>>>>>>> >>>> member of any group that reads from t can commit
>> >>>>>>>>>>>> >>>>offsets
>> >>>>>>>>>>>>as
>> >>>>>>>>>>>>any
>> >>>>>>>>>>>>other
>> >>>>>>>>>>>> >>>> member of a different group. This doesn't effect
>> >>>>>>>>>>>> >>>> data
>> >>>>>>>>>>>>security
>> >>>>>>>>>>>>(who
>> >>>>>>>>>>>> >>>>can
>> >>>>>>>>>>>> >>>> access what) but it is a bit of a management
>> >>>>>>>>>>>> >>>>issue--a
>> >>>>>>>>>>>>malicious
>> >>>>>>>>>>>>person
>> >>>>>>>>>>>> >>>>can
>> >>>>>>>>>>>> >>>> cause data loss or duplicates for another consumer
>> >>>>>>>>>>>> >>>>by
>> >>>>>>>>>>>>committing
>> >>>>>>>>>>>> >>>>offset.
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>> >>>> I think I favor (2) but it's worth it to think it
>> through.
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>> >>>> -Jay
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>> >>>> On Tue, Apr 21, 2015 at 2:43 PM, Parth Brahmbhatt <
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>>pbrahmbh...@hortonworks.com<mailto:pbrahmbhatt@hortonworks
>> >>>>>>>>>>>>.com
>> >>
>> >>>>>>>>>>>> >>>>wrote:
>> >>>>>>>>>>>> >>>>
>> >>>>>>>>>>>> >>>>> Hey Jun,
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>>>> Yes and we support wild cards for all acl entities
>> >>>>>>>>>>>>principal,
>> >>>>>>>>>>>>hosts
>> >>>>>>>>>>>> >>>>>and
>> >>>>>>>>>>>> >>>>> operation.
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>>>> Thanks
>> >>>>>>>>>>>> >>>>> Parth
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>>>> On 4/21/15, 9:06 AM, "Jun Rao"
>> >>>>>>>>>>>> >>>>><j...@confluent.io<mailto:j...@confluent.io>> wrote:
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>>>> >Harsha, Parth,
>> >>>>>>>>>>>> >>>>> >
>> >>>>>>>>>>>> >>>>> >Thanks for the clarification. This makes sense.
>> >>>>>>>>>>>> >>>>> >Perhaps
>> >>>>>>>>>>>>we
>> >>>>>>>>>>>>can
>> >>>>>>>>>>>> >>>>>clarify the
>> >>>>>>>>>>>> >>>>> >meaning of those rules in the wiki.
>> >>>>>>>>>>>> >>>>> >
>> >>>>>>>>>>>> >>>>> >Related to this, it seems that we need to support
>> >>>>>>>>>>>>wildcard
>> >>>>>>>>>>>>in
>> >>>>>>>>>>>> >>>>>cli/request
>> >>>>>>>>>>>> >>>>> >protocol for topics?
>> >>>>>>>>>>>> >>>>> >
>> >>>>>>>>>>>> >>>>> >Jun
>> >>>>>>>>>>>> >>>>> >
>> >>>>>>>>>>>> >>>>> >On Mon, Apr 20, 2015 at 9:07 PM, Parth Brahmbhatt
>> >>>>>>>>>>>> >>>>> ><
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>>>pbrahmbh...@hortonworks.com<mailto:
>> pbrahmbh...@hortonworks.com>
>> >>>>>>>>>>>>>>
>> >>>>>>>>>>>> >>>>>wrote:
>> >>>>>>>>>>>> >>>>> >
>> >>>>>>>>>>>> >>>>> >> The iptables on unix supports the DENY operator, 
>> >>>>>>>>>>>> >>>>> >> not
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>>it
>> >>>>>>>>>>>> >>>>>should
>> >>>>>>>>>>>> >>>>> >> matter. The deny operator can also be used to 
>> >>>>>>>>>>>> >>>>> >> specify
>> >>>>>>>>>>>>³allow
>> >>>>>>>>>>>>user1
>> >>>>>>>>>>>> >>>>>to
>> >>>>>>>>>>>> >>>>> >>READ
>> >>>>>>>>>>>> >>>>> >> from topic1 from all hosts but host1,host2². 
>> >>>>>>>>>>>> >>>>> >>Again we
>> >>>>>>>>>>>>could
>> >>>>>>>>>>>>add a
>> >>>>>>>>>>>> >>>>>host
>> >>>>>>>>>>>> >>>>> >> group semantic and extra complexity around that, 
>> >>>>>>>>>>>> >>>>> >> not
>> >>>>>>>>>>>>sure
>> >>>>>>>>>>>>if
>> >>>>>>>>>>>>its
>> >>>>>>>>>>>> >>>>>worth
>> >>>>>>>>>>>> >>>>> >>it.
>> >>>>>>>>>>>> >>>>> >> In addition with DENY operator you are now not 
>> >>>>>>>>>>>> >>>>> >>forced
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>>create a
>> >>>>>>>>>>>> >>>>> >>special
>> >>>>>>>>>>>> >>>>> >> group just to support the authorization use 
>> >>>>>>>>>>>> >>>>> >>case. I
>> am
>> >>>>>>>>>>>>not
>> >>>>>>>>>>>> >>>>>convinced
>> >>>>>>>>>>>> >>>>> >>that
>> >>>>>>>>>>>> >>>>> >> the operator it self is really all that confusing.
>> >>>>>>>>>>>>There
>> >>>>>>>>>>>>are 3
>> >>>>>>>>>>>> >>>>>practical
>> >>>>>>>>>>>> >>>>> >> use cases:
>> >>>>>>>>>>>> >>>>> >> - Resource with no acl what so ever -> allow 
>> >>>>>>>>>>>> >>>>> >> access
>> to
>> >>>>>>>>>>>>everyone (
>> >>>>>>>>>>>> >>>>>just
>> >>>>>>>>>>>> >>>>> >>for
>> >>>>>>>>>>>> >>>>> >> backward compatibility, I would much rather fail
>> close
>> >>>>>>>>>>>>and
>> >>>>>>>>>>>>force
>> >>>>>>>>>>>> >>>>>users
>> >>>>>>>>>>>> >>>>> >>to
>> >>>>>>>>>>>> >>>>> >> explicitly grant acls that allows access to all
>> >>>>>>>>>>>>users.)
>> >>>>>>>>>>>> >>>>> >> - Resource with some acl attached -> only users 
>> >>>>>>>>>>>> >>>>> >> that
>> >>>>>>>>>>>>have
>> >>>>>>>>>>>>a
>> >>>>>>>>>>>> >>>>>matching
>> >>>>>>>>>>>> >>>>> >>allow
>> >>>>>>>>>>>> >>>>> >> acl are allowed (i.e. ³allow READ access to 
>> >>>>>>>>>>>> >>>>> >>topic1 to
>> >>>>>>>>>>>>user1
>> >>>>>>>>>>>>from
>> >>>>>>>>>>>> >>>>>all
>> >>>>>>>>>>>> >>>>> >> hosts², only user1 has READ access and no other 
>> >>>>>>>>>>>> >>>>> >> user
>> >>>>>>>>>>>>has
>> >>>>>>>>>>>>access of
>> >>>>>>>>>>>> >>>>>any
>> >>>>>>>>>>>> >>>>> >> kind)
>> >>>>>>>>>>>> >>>>> >> - Resource with some allow and some deny acl 
>> >>>>>>>>>>>> >>>>> >> attached
>> >>>>>>>>>>>>->
>> >>>>>>>>>>>>users
>> >>>>>>>>>>>>are
>> >>>>>>>>>>>> >>>>> >>allowed
>> >>>>>>>>>>>> >>>>> >> to perform operation only when they satisfy 
>> >>>>>>>>>>>> >>>>> >>allow acl
>> >>>>>>>>>>>>and
>> >>>>>>>>>>>>do
>> >>>>>>>>>>>>not
>> >>>>>>>>>>>> >>>>>have
>> >>>>>>>>>>>> >>>>> >> conflicting deny acl. Users that have no 
>> >>>>>>>>>>>> >>>>> >> acl(allow or
>> >>>>>>>>>>>>deny)
>> >>>>>>>>>>>>will
>> >>>>>>>>>>>> >>>>>still
>> >>>>>>>>>>>> >>>>> >>not
>> >>>>>>>>>>>> >>>>> >> have any access. (i.e. ³allow READ access to 
>> >>>>>>>>>>>> >>>>> >>topic1
>> to
>> >>>>>>>>>>>>user1
>> >>>>>>>>>>>>from
>> >>>>>>>>>>>> >>>>>all
>> >>>>>>>>>>>> >>>>> >> hosts except host1 and host², only user1 has 
>> >>>>>>>>>>>> >>>>> >> access
>> >>>>>>>>>>>>but
>> >>>>>>>>>>>>not
>> >>>>>>>>>>>>from
>> >>>>>>>>>>>> >>>>>host1
>> >>>>>>>>>>>> >>>>> >>an
>> >>>>>>>>>>>> >>>>> >> host2)
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>> >> I think we need to make a decision on deny 
>> >>>>>>>>>>>> >>>>> >> primarily
>> >>>>>>>>>>>>because
>> >>>>>>>>>>>>with
>> >>>>>>>>>>>> >>>>> >> introduction of acl management API, Acl is now a
>> >>>>>>>>>>>>public
>> >>>>>>>>>>>>class
>> >>>>>>>>>>>>that
>> >>>>>>>>>>>> >>>>>will
>> >>>>>>>>>>>> >>>>> >>be
>> >>>>>>>>>>>> >>>>> >> used by Ranger/Santry and other authroization
>> >>>>>>>>>>>>providers.
>> >>>>>>>>>>>>In
>> >>>>>>>>>>>> >>>>>Current
>> >>>>>>>>>>>> >>>>> >>design
>> >>>>>>>>>>>> >>>>> >> the acl has a permissionType enum field with 
>> >>>>>>>>>>>> >>>>> >>possible
>> >>>>>>>>>>>>values
>> >>>>>>>>>>>>of
>> >>>>>>>>>>>> >>>>>Allow
>> >>>>>>>>>>>> >>>>> >>and
>> >>>>>>>>>>>> >>>>> >> Deny. If we chose to remove deny we can assume 
>> >>>>>>>>>>>> >>>>> >>all
>> >>>>>>>>>>>>acls
>> >>>>>>>>>>>>to
>> >>>>>>>>>>>>be
>> >>>>>>>>>>>>of
>> >>>>>>>>>>>> >>>>>allow
>> >>>>>>>>>>>> >>>>> >> type and remove the permissionType field 
>>completely.
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>> >> Thanks
>> >>>>>>>>>>>> >>>>> >> Parth
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>> >> On 4/20/15, 6:12 PM, "Gwen Shapira"
>> >>>>>>>>>>>> >>>>><gshap...@cloudera.com<mailto:gshap...@cloudera.com>
>> >>>>>>>>>>>> >>>>>>
>> >>>>>>>>>>>>wrote:
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>> >> >I think thats how its done in pretty much any 
>> >>>>>>>>>>>> >>>>> >> >system
>> >>>>>>>>>>>>I
>> >>>>>>>>>>>>can
>> >>>>>>>>>>>>think
>> >>>>>>>>>>>> >>>>>of.
>> >>>>>>>>>>>> >>>>> >> >
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>> >>
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>>>>
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >>
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>> >
>> >>>>>>>>>>>>
>> >>>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>
>> >>>>>>>>>>>--
>> >>>>>>>>>>>Jeff Holoman
>> >>>>>>>>>>>Systems Engineer
>> >>>>>>>>>>
>> >>>>>>>>>
>> >>>>>>>
>> >>>>>
>> >>>
>> >
>>

Reply via email to