[ 
https://issues.apache.org/jira/browse/KAFKA-4454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15724000#comment-15724000
 ] 

Jun Rao commented on KAFKA-4454:
--------------------------------

[~mgharat], I understand the problem that you described. However, I am not sure 
about the approach that you took. 

The reason that KafkaPrincipal only has a simple string name is that it makes 
defining ACL rules through the default AclCommand easy. If you include 
channelPrincipal in KafkaPrincipal, ideally you want to include 
channelPrincipal when doing equality test between two KafkaPrincipals (It's 
kind of hacky to only do equality test on 2 of the 3 fields). This means that 
AclCommand needs to specify channelPrincipal as well and I am not sure how to 
do that.

It seems that LinkedIn uses a customized authorization module for both defining 
and verifying ACL rules (instead of the default AclCommand and 
SimpleAclAuthorizer) and wants more context for the customized authorization to 
use. Perhaps, we could extend the Session object with channelPrincipal instead. 
It would be good to think through if there is any other extension that we may 
want too. In any case, since this affects the user facing authorization module, 
perhaps we should do a KIP so that more people are aware of the changes.

> Authorizer should also include the Principal generated by the 
> PrincipalBuilder.
> -------------------------------------------------------------------------------
>
>                 Key: KAFKA-4454
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4454
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.0.1
>            Reporter: Mayuresh Gharat
>            Assignee: Mayuresh Gharat
>             Fix For: 0.10.2.0
>
>
> Currently Kafka allows users to plug in a custom PrincipalBuilder and a custom 
> Authorizer.
> The Authorizer.authorize() object takes in a Session object that wraps 
> KafkaPrincipal and InetAddress.
> The KafkaPrincipal currently has a PrincipalType and Principal name, which is 
> the name of Principal generated by the PrincipalBuilder. 
> This Principal, generated by the plugged-in PrincipalBuilder might have other 
> fields that might be required by the plugged-in Authorizer but currently we 
> lose this information since we only extract the name of Principal while 
> creating KafkaPrincipal in SocketServer.  
> It would be great if KafkaPrincipal has an additional field 
> "channelPrincipal" which is used to store the Principal generated by the 
> plugged in PrincipalBuilder.
> The plugged-in Authorizer can then use this "channelPrincipal" to do 
> authorization.
>  
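The design point under discussion (a richer Principal built on the channel is reduced to a type:name KafkaPrincipal before it reaches the Authorizer, and the comment's alternative of carrying it on the Session instead) can be seen in a small self-contained sketch. This is an added example, not Kafka's code: `KafkaPrincipal`, `Session` and `Authorizer` below are simplified stand-ins for the real classes, and `GroupAwarePrincipal`, `GroupAuthorizer` and the group names are hypothetical. Only `java.security.Principal` and `InetAddress` are real JDK types.

```java
import java.net.InetAddress;
import java.security.Principal;
import java.util.Objects;
import java.util.Set;

// Stand-in types modelling the issue and the comment's proposal (not Kafka's own classes).
public class ChannelPrincipalExample {

    /** Hypothetical Principal a custom PrincipalBuilder could derive from the channel (e.g. cert groups). */
    static final class GroupAwarePrincipal implements Principal {
        private final String name;
        private final Set<String> groups;
        GroupAwarePrincipal(String name, Set<String> groups) { this.name = name; this.groups = groups; }
        @Override public String getName() { return name; }
        Set<String> groups() { return groups; }
    }

    /** Stand-in for KafkaPrincipal: type and name only, which is what AclCommand can express ("User:alice"). */
    static final class KafkaPrincipal {
        final String principalType;
        final String name;
        KafkaPrincipal(String principalType, String name) { this.principalType = principalType; this.name = name; }
        // Equality covers every field, so ACL matching and this object agree on what "the same principal" means.
        @Override public boolean equals(Object o) {
            if (!(o instanceof KafkaPrincipal)) return false;
            KafkaPrincipal other = (KafkaPrincipal) o;
            return principalType.equals(other.principalType) && name.equals(other.name);
        }
        @Override public int hashCode() { return Objects.hash(principalType, name); }
        @Override public String toString() { return principalType + ":" + name; }
    }

    /** Stand-in for Session, extended with channelPrincipal as the comment suggests (null = today's behaviour). */
    static final class Session {
        final KafkaPrincipal principal;
        final InetAddress clientAddress;
        final Principal channelPrincipal;
        Session(KafkaPrincipal principal, InetAddress clientAddress, Principal channelPrincipal) {
            this.principal = principal; this.clientAddress = clientAddress; this.channelPrincipal = channelPrincipal;
        }
    }

    interface Authorizer { boolean authorize(Session session, String operation, String resource); }

    /** What the SocketServer path described in the issue effectively does: keep only the name. */
    static KafkaPrincipal toKafkaPrincipal(Principal built) { return new KafkaPrincipal("User", built.getName()); }

    /** Hypothetical custom Authorizer that needs the richer principal; denies when that context is absent. */
    static final class GroupAuthorizer implements Authorizer {
        private final String requiredGroup;
        GroupAuthorizer(String requiredGroup) { this.requiredGroup = requiredGroup; }
        @Override public boolean authorize(Session session, String operation, String resource) {
            if (session.channelPrincipal instanceof GroupAwarePrincipal) {
                return ((GroupAwarePrincipal) session.channelPrincipal).groups().contains(requiredGroup);
            }
            return false; // no channel context: fail closed rather than guess
        }
    }

    public static void main(String[] args) {
        Principal built = new GroupAwarePrincipal("alice", Set.of("kafka-admins")); // constructed sample
        KafkaPrincipal kp = toKafkaPrincipal(built);
        InetAddress addr = InetAddress.getLoopbackAddress();

        Session today = new Session(kp, addr, null);       // group membership is lost here
        Session proposed = new Session(kp, addr, built);   // KafkaPrincipal unchanged, context carried alongside

        Authorizer authorizer = new GroupAuthorizer("kafka-admins");
        System.out.println("ACL principal: " + kp);
        System.out.println("authorize without channelPrincipal: " + authorizer.authorize(today, "Write", "Topic:orders"));
        System.out.println("authorize with channelPrincipal:    " + authorizer.authorize(proposed, "Write", "Topic:orders"));
        System.out.println("same ACL principal: " + kp.equals(new KafkaPrincipal("User", "alice")));
    }
}
```

Keeping the extra context on the Session rather than inside KafkaPrincipal is what lets `equals` stay over all of KafkaPrincipal's fields: an ACL rule written as `User:alice` still matches exactly one principal, while a custom authorizer that wants more than the name reads it from the Session.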



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
