Hi Jun/Ismael, Thanks for the comments.
I agree. What I was thinking was, we get the KIP passed now and wait till major kafka version release. We can then make this change, but for now we can wait. Does that work? If there are concerns, we can make the addition of extra field of type Principal to Session and then deprecate the KafkaPrincipal later. I am fine either ways. What do you think? Thanks, Mayuresh On Tue, Feb 28, 2017 at 9:53 AM, Jun Rao <j...@confluent.io> wrote: > Hi, Ismael, > > Good point on compatibility. > > Hi, Mayuresh, > > Given that, it seems that it's better to just add the raw principal as a > new field in Session for now and deprecate the KafkaPrincipal field in the > future if needed? > > Thanks, > > Jun > > On Mon, Feb 27, 2017 at 5:05 PM, Ismael Juma <ism...@juma.me.uk> wrote: > > > Breaking clients without a deprecation period is something we only do as > a > > last resort. Is there strong justification for doing it here? > > > > Ismael > > > > On Mon, Feb 27, 2017 at 11:28 PM, Mayuresh Gharat < > > gharatmayures...@gmail.com> wrote: > > > > > Hi Ismael, > > > > > > Yeah. I agree that it might break the clients if the user is using the > > > kafkaPrincipal directly. But since KafkaPrincipal is also a Java > > Principal > > > and I think, it would be a right thing to do replace the kafkaPrincipal > > > with Java Principal at this stage than later. > > > > > > We can mention in the KIP, that it would break the clients that are > using > > > the KafkaPrincipal directly and they will have to use the PrincipalType > > > directly, if they are using it as its only one value and use the name > > from > > > the Principal directly or create a KafkaPrincipal from Java Principal > as > > we > > > are doing in SimpleAclAuthorizer with this KIP. > > > > > > Thanks, > > > > > > Mayuresh > > > > > > > > > > > > On Mon, Feb 27, 2017 at 10:56 AM, Ismael Juma <ism...@juma.me.uk> > wrote: > > > > > > > Hi Mayuresh, > > > > > > > > Sorry for the delay. The updated KIP states that there is no > > > compatibility > > > > impact, but that doesn't seem right. The fact that we changed the > type > > of > > > > Session.principal to `Principal` means that any code that expects it > to > > > be > > > > `KafkaPrincipal` will break. Either because of declared types > (likely) > > or > > > > if it accesses `getPrincipalType` (unlikely since the value is always > > the > > > > same). It's a bit annoying, but we should add a new field to > `Session` > > > with > > > > the original principal. We can potentially deprecate the existing > one, > > if > > > > we're sure we don't need it (or we can leave it for now). > > > > > > > > Ismael > > > > > > > > On Mon, Feb 27, 2017 at 6:40 PM, Mayuresh Gharat < > > > > gharatmayures...@gmail.com > > > > > wrote: > > > > > > > > > Hi Ismael, Joel, Becket > > > > > > > > > > Would you mind taking a look at this. We require 2 more binding > votes > > > for > > > > > the KIP to pass. > > > > > > > > > > Thanks, > > > > > > > > > > Mayuresh > > > > > > > > > > On Thu, Feb 23, 2017 at 10:57 AM, Dong Lin <lindon...@gmail.com> > > > wrote: > > > > > > > > > > > +1 (non-binding) > > > > > > > > > > > > On Wed, Feb 22, 2017 at 10:52 PM, Manikumar < > > > manikumar.re...@gmail.com > > > > > > > > > > > wrote: > > > > > > > > > > > > > +1 (non-binding) > > > > > > > > > > > > > > On Thu, Feb 23, 2017 at 3:27 AM, Mayuresh Gharat < > > > > > > > gharatmayures...@gmail.com > > > > > > > > wrote: > > > > > > > > > > > > > > > Hi Jun, > > > > > > > > > > > > > > > > Thanks a lot for the comments and reviews. > > > > > > > > I agree we should log the username. > > > > > > > > What I meant by creating KafkaPrincipal was, after this KIP > we > > > > would > > > > > > not > > > > > > > be > > > > > > > > required to create KafkaPrincipal and if we want to maintain > > the > > > > old > > > > > > > > logging, we will have to create it as we do today. > > > > > > > > I will take care that we specify the Principal name in the > log. > > > > > > > > > > > > > > > > Thanks again for all the reviews. > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > > > > > On Wed, Feb 22, 2017 at 1:45 PM, Jun Rao <j...@confluent.io> > > > wrote: > > > > > > > > > > > > > > > > > Hi, Mayuresh, > > > > > > > > > > > > > > > > > > For logging the user name, we could do either way. We just > > need > > > > to > > > > > > make > > > > > > > > > sure the expected user name is logged. Also, currently, we > > are > > > > > > already > > > > > > > > > creating a KafkaPrincipal on every request. +1 on the > latest > > > KIP. > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > Jun > > > > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Feb 21, 2017 at 8:05 PM, Mayuresh Gharat < > > > > > > > > > gharatmayures...@gmail.com > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > Hi Jun, > > > > > > > > > > > > > > > > > > > > Thanks for the comments. > > > > > > > > > > > > > > > > > > > > I will mention in the KIP : how this change doesn't > affect > > > the > > > > > > > default > > > > > > > > > > authorizer implementation. > > > > > > > > > > > > > > > > > > > > Regarding, Currently, we log the principal name in the > > > request > > > > > log > > > > > > in > > > > > > > > > > RequestChannel, which has the format of "principalType + > > > > > SEPARATOR > > > > > > + > > > > > > > > > > name;". > > > > > > > > > > It would be good if we can keep the same convention after > > > this > > > > > KIP. > > > > > > > One > > > > > > > > > way > > > > > > > > > > to do that is to convert java.security.Principal to > > > > > KafkaPrincipal > > > > > > > for > > > > > > > > > > logging the requests. > > > > > > > > > > --- > This would mean we have to create a new > > KafkaPrincipal > > > on > > > > > > each > > > > > > > > > > request. Would it be OK to just specify the name of the > > > > > principal. > > > > > > > > > > Is there any major reason, we don't want to change the > > > logging > > > > > > > format? > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Mon, Feb 20, 2017 at 10:18 PM, Jun Rao < > > j...@confluent.io> > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > Hi, Mayuresh, > > > > > > > > > > > > > > > > > > > > > > Thanks for the updated KIP. A couple of more comments. > > > > > > > > > > > > > > > > > > > > > > 1. Do we convert java.security.Principal to > > KafkaPrincipal > > > > for > > > > > > > > > > > authorization check in SimpleAclAuthorizer? If so, it > > would > > > > be > > > > > > > useful > > > > > > > > > to > > > > > > > > > > > mention that in the wiki so that people can understand > > how > > > > this > > > > > > > > change > > > > > > > > > > > doesn't affect the default authorizer implementation. > > > > > > > > > > > > > > > > > > > > > > 2. Currently, we log the principal name in the request > > log > > > in > > > > > > > > > > > RequestChannel, which has the format of "principalType > + > > > > > > SEPARATOR > > > > > > > + > > > > > > > > > > > name;". > > > > > > > > > > > It would be good if we can keep the same convention > after > > > > this > > > > > > KIP. > > > > > > > > One > > > > > > > > > > way > > > > > > > > > > > to do that is to convert java.security.Principal to > > > > > > KafkaPrincipal > > > > > > > > for > > > > > > > > > > > logging the requests. > > > > > > > > > > > > > > > > > > > > > > Jun > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 5:35 PM, Mayuresh Gharat < > > > > > > > > > > > gharatmayures...@gmail.com > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > Hi Jun, > > > > > > > > > > > > > > > > > > > > > > > > I have updated the KIP. Would you mind taking another > > > look? > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 4:42 PM, Mayuresh Gharat < > > > > > > > > > > > > gharatmayures...@gmail.com > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > Hi Jun, > > > > > > > > > > > > > > > > > > > > > > > > > > Sure sounds good to me. > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 1:54 PM, Jun Rao < > > > > j...@confluent.io > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > >> Hi, Mani, > > > > > > > > > > > > >> > > > > > > > > > > > > >> Good point on using PrincipalBuilder for SASL. It > > > seems > > > > > that > > > > > > > > > > > > >> PrincipalBuilder already has access to > > Authenticator. > > > > So, > > > > > we > > > > > > > > could > > > > > > > > > > > just > > > > > > > > > > > > >> enable that in SaslChannelBuilder. We probably > could > > > do > > > > > that > > > > > > > in > > > > > > > > a > > > > > > > > > > > > separate > > > > > > > > > > > > >> KIP? > > > > > > > > > > > > >> > > > > > > > > > > > > >> Hi, Mayuresh, > > > > > > > > > > > > >> > > > > > > > > > > > > >> If you don't think there is a concrete use case > for > > > > using > > > > > > > > > > > > >> PrincipalBuilder in > > > > > > > > > > > > >> kafka-acls.sh, perhaps we could do the simpler > > > approach > > > > > for > > > > > > > now? > > > > > > > > > > > > >> > > > > > > > > > > > > >> Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > >> Jun > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > >> On Fri, Feb 17, 2017 at 12:23 PM, Mayuresh Gharat > < > > > > > > > > > > > > >> gharatmayures...@gmail.com> wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > >> > @Manikumar, > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > Can you give an example how you are planning to > > use > > > > > > > > > > > PrincipalBuilder? > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > @Jun > > > > > > > > > > > > >> > Yes, that is right. To give a brief overview, we > > > just > > > > > > > extract > > > > > > > > > the > > > > > > > > > > > cert > > > > > > > > > > > > >> and > > > > > > > > > > > > >> > hand it over to a third party library for > > creating a > > > > > > > > Principal. > > > > > > > > > So > > > > > > > > > > > we > > > > > > > > > > > > >> > cannot create a Principal from just a string. > > > > > > > > > > > > >> > The main motive behind adding the > PrincipalBuilder > > > for > > > > > > > > > > kafk-acls.sh > > > > > > > > > > > > was > > > > > > > > > > > > >> > that someone else (who can generate a Principal > > from > > > > map > > > > > > of > > > > > > > > > > > propertie, > > > > > > > > > > > > >> > <String, String> for example) can use it. > > > > > > > > > > > > >> > As I said, Linkedin is fine with not making any > > > > changes > > > > > to > > > > > > > > > > > > Kafka-acls.sh > > > > > > > > > > > > >> > for now. But we thought that it would be a good > > > > > > improvement > > > > > > > to > > > > > > > > > the > > > > > > > > > > > > tool > > > > > > > > > > > > >> and > > > > > > > > > > > > >> > it makes it more flexible and usable. > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > Let us know your thoughts, if you would like us > to > > > > make > > > > > > > > > > > kafka-acls.sh > > > > > > > > > > > > >> more > > > > > > > > > > > > >> > flexible and usable and not limited to > Authorizer > > > > coming > > > > > > out > > > > > > > > of > > > > > > > > > > the > > > > > > > > > > > > box. > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > Mayuresh > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > On Thu, Feb 16, 2017 at 10:18 PM, Manikumar < > > > > > > > > > > > > manikumar.re...@gmail.com> > > > > > > > > > > > > >> > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > Hi Jun, > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > yes, we can just customize rules to send full > > > > > principal > > > > > > > > > name. I > > > > > > > > > > > was > > > > > > > > > > > > >> > > just thinking to > > > > > > > > > > > > >> > > use PrinciplaBuilder interface for > implementing > > > SASL > > > > > > rules > > > > > > > > > also. > > > > > > > > > > > So > > > > > > > > > > > > >> that > > > > > > > > > > > > >> > > the interface > > > > > > > > > > > > >> > > will be consistent across protocols. > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > Thanks > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > On Fri, Feb 17, 2017 at 1:07 AM, Jun Rao < > > > > > > > j...@confluent.io> > > > > > > > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > Hi, Radai, Mayuresh, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > Thanks for the explanation. Good point on a > > > > > pluggable > > > > > > > > > > authorizer > > > > > > > > > > > > can > > > > > > > > > > > > >> > > > customize how acls are added. However, > > earlier, > > > > > > Mayuresh > > > > > > > > was > > > > > > > > > > > > saying > > > > > > > > > > > > >> > that > > > > > > > > > > > > >> > > in > > > > > > > > > > > > >> > > > LinkedIn's customized authorizer, it's not > > > > possible > > > > > to > > > > > > > > > create > > > > > > > > > > a > > > > > > > > > > > > >> > principal > > > > > > > > > > > > >> > > > from string. If that's the case, will adding > > the > > > > > > > principal > > > > > > > > > > > builder > > > > > > > > > > > > >> in > > > > > > > > > > > > >> > > > kafka-acl.sh help? If the principal can be > > > > > constructed > > > > > > > > from > > > > > > > > > a > > > > > > > > > > > > >> string, > > > > > > > > > > > > >> > > > wouldn't it be simpler to just let > > kafka-acl.sh > > > do > > > > > > > > > > authorization > > > > > > > > > > > > >> based > > > > > > > > > > > > >> > on > > > > > > > > > > > > >> > > > that string name and not be aware of the > > > principal > > > > > > > > builder? > > > > > > > > > If > > > > > > > > > > > you > > > > > > > > > > > > >> > still > > > > > > > > > > > > >> > > > think there is a need, perhaps you can add a > > > more > > > > > > > concrete > > > > > > > > > use > > > > > > > > > > > > case > > > > > > > > > > > > >> > that > > > > > > > > > > > > >> > > > can't be done otherwise? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > Hi, Mani, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > For SASL, if the authorizer needs the full > > > > kerberos > > > > > > > > > principal > > > > > > > > > > > > name, > > > > > > > > > > > > >> > > > currently, the user can just customize " > > > > > > > > > > > > sasl.kerberos.principal.to. > > > > > > > > > > > > >> > > > local.rules" > > > > > > > > > > > > >> > > > to return the full principal name as the > name > > > for > > > > > > > > > > authorization, > > > > > > > > > > > > >> right? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > Jun > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > On Wed, Feb 15, 2017 at 10:25 AM, Mayuresh > > > Gharat > > > > < > > > > > > > > > > > > >> > > > gharatmayures...@gmail.com> wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > @Jun thanks for the comments.Please see > the > > > > > replies > > > > > > > > > inline. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Currently kafka-acl.sh just creates an ACL > > > path > > > > in > > > > > > ZK > > > > > > > > with > > > > > > > > > > the > > > > > > > > > > > > >> > > principal > > > > > > > > > > > > >> > > > > name string. > > > > > > > > > > > > >> > > > > ----> Yes, the kafka-acl.sh calls the > > addAcl() > > > > on > > > > > > the > > > > > > > > > > inbuilt > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer which in turn creates > an > > > ACL > > > > > in > > > > > > ZK > > > > > > > > > with > > > > > > > > > > > the > > > > > > > > > > > > >> > > Principal > > > > > > > > > > > > >> > > > > name string. This is because we supply the > > > > > > > > > > SimpleAclAuthorizer > > > > > > > > > > > > as > > > > > > > > > > > > >> a > > > > > > > > > > > > >> > > > > commandline argument in the Kafka-acls.sh > > > > command. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > The authorizer module in the broker reads > > the > > > > > > > principal > > > > > > > > > name > > > > > > > > > > > > >> > > > > string from the acl path in ZK and creates > > the > > > > > > > expected > > > > > > > > > > > > >> > KafkaPrincipal > > > > > > > > > > > > >> > > > for > > > > > > > > > > > > >> > > > > matching. As you can see, the expected > > > principal > > > > > is > > > > > > > > > created > > > > > > > > > > on > > > > > > > > > > > > the > > > > > > > > > > > > >> > > broker > > > > > > > > > > > > >> > > > > side, not by the kafka-acl.sh tool. > > > > > > > > > > > > >> > > > > ----> This is considering the fact that > the > > > user > > > > > is > > > > > > > > using > > > > > > > > > > the > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer on the broker side and > > not > > > > his > > > > > > own > > > > > > > > > > custom > > > > > > > > > > > > >> > > Authorizer. > > > > > > > > > > > > >> > > > > The SimpleAclAuthorizer will take the > > > Principal > > > > it > > > > > > > gets > > > > > > > > > from > > > > > > > > > > > the > > > > > > > > > > > > >> > > Session > > > > > > > > > > > > >> > > > > class . Currently the Principal is > > > > KafkaPrincipal. > > > > > > > This > > > > > > > > > > > > >> > KafkaPrincipal > > > > > > > > > > > > >> > > is > > > > > > > > > > > > >> > > > > generated from the name of the actual > > channel > > > > > > > Principal, > > > > > > > > > in > > > > > > > > > > > > >> > > SocketServer > > > > > > > > > > > > >> > > > > class when processing completed receives. > > > > > > > > > > > > >> > > > > With this KIP, this will no longer be the > > case > > > > as > > > > > > the > > > > > > > > > > Session > > > > > > > > > > > > >> class > > > > > > > > > > > > >> > > will > > > > > > > > > > > > >> > > > > store a java.security.Principal instead of > > > > > specific > > > > > > > > > > > > >> KafkaPrincipal. > > > > > > > > > > > > >> > So > > > > > > > > > > > > >> > > > the > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer will construct the > > > > > > KafkaPrincipal > > > > > > > > from > > > > > > > > > > the > > > > > > > > > > > > >> > channel > > > > > > > > > > > > >> > > > > Principal it gets from the Session class. > > > > > > > > > > > > >> > > > > User might not want to use the > > > > SimpleAclAuthorizer > > > > > > but > > > > > > > > use > > > > > > > > > > > > his/her > > > > > > > > > > > > >> > own > > > > > > > > > > > > >> > > > > custom Authorizer. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > The broker already has the ability to > > > > > > > > > > > > >> > > > > configure PrincipalBuilder. That's why I > am > > > not > > > > > sure > > > > > > > if > > > > > > > > > > there > > > > > > > > > > > > is a > > > > > > > > > > > > >> > need > > > > > > > > > > > > >> > > > for > > > > > > > > > > > > >> > > > > kafka-acl.sh to customize > PrincipalBuilder. > > > > > > > > > > > > >> > > > > ----> This is exactly the reason why we > want > > > to > > > > > > > propose > > > > > > > > a > > > > > > > > > > > > >> > > > PrincipalBuilder > > > > > > > > > > > > >> > > > > in kafka-acls.sh so that the Principal > > > generated > > > > > by > > > > > > > the > > > > > > > > > > > > >> > > PrincipalBuilder > > > > > > > > > > > > >> > > > on > > > > > > > > > > > > >> > > > > broker is consistent with that generated > > while > > > > > > > creating > > > > > > > > > ACLs > > > > > > > > > > > > using > > > > > > > > > > > > >> > the > > > > > > > > > > > > >> > > > > kafka-acls.sh command line tool. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > *To summarize the above discussions :* > > > > > > > > > > > > >> > > > > What if we only make the following > changes: > > > pass > > > > > the > > > > > > > > java > > > > > > > > > > > > >> principal > > > > > > > > > > > > >> > in > > > > > > > > > > > > >> > > > > session and in > > > > > > > > > > > > >> > > > > SimpleAuthorizer, construct KafkaPrincipal > > > from > > > > > java > > > > > > > > > > principal > > > > > > > > > > > > >> name. > > > > > > > > > > > > >> > > Will > > > > > > > > > > > > >> > > > > that work for LinkedIn? > > > > > > > > > > > > >> > > > > ------> Yes, this works for Linkedin as we > > are > > > > not > > > > > > > using > > > > > > > > > the > > > > > > > > > > > > >> > > > kafka-acls.sh > > > > > > > > > > > > >> > > > > tool to create/update/add ACLs, for now. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Do you think there is a use case for a > > > > customized > > > > > > > > > authorizer > > > > > > > > > > > and > > > > > > > > > > > > >> > > > kafka-acl > > > > > > > > > > > > >> > > > > at the > > > > > > > > > > > > >> > > > > same time? If not, it's better not to > > > complicate > > > > > the > > > > > > > > > > kafka-acl > > > > > > > > > > > > >> api. > > > > > > > > > > > > >> > > > > -----> At Linkedin, we don't use this tool > > for > > > > > now. > > > > > > So > > > > > > > > we > > > > > > > > > > are > > > > > > > > > > > > fine > > > > > > > > > > > > >> > with > > > > > > > > > > > > >> > > > the > > > > > > > > > > > > >> > > > > minimal change for now. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Initially, our change was minimal, just > > > getting > > > > > the > > > > > > > > Kafka > > > > > > > > > to > > > > > > > > > > > > >> preserve > > > > > > > > > > > > >> > > the > > > > > > > > > > > > >> > > > > channel principal. Since there was a > > > discussion > > > > > how > > > > > > > > > > > > kafka-acls.sh > > > > > > > > > > > > >> > would > > > > > > > > > > > > >> > > > > work with this change, on the ticket, we > > > > designed > > > > > a > > > > > > > > > detailed > > > > > > > > > > > > >> solution > > > > > > > > > > > > >> > > to > > > > > > > > > > > > >> > > > > make this tool generally usable with all > > sorts > > > > of > > > > > > > > > > combinations > > > > > > > > > > > > of > > > > > > > > > > > > >> > > > > Authorizers and PrincipalBuilders and give > > > more > > > > > > > > > flexibility > > > > > > > > > > to > > > > > > > > > > > > the > > > > > > > > > > > > >> > end > > > > > > > > > > > > >> > > > > users. > > > > > > > > > > > > >> > > > > Without the changes proposed for > > kafka-acls.sh > > > > in > > > > > > this > > > > > > > > > KIP, > > > > > > > > > > it > > > > > > > > > > > > >> cannot > > > > > > > > > > > > >> > > be > > > > > > > > > > > > >> > > > > used with a custom > > Authorizer/PrinipalBuilder > > > > but > > > > > > will > > > > > > > > > only > > > > > > > > > > > work > > > > > > > > > > > > >> with > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Although, I would actually like it to work > > for > > > > > > general > > > > > > > > > > > scenario, > > > > > > > > > > > > >> I am > > > > > > > > > > > > >> > > > fine > > > > > > > > > > > > >> > > > > with separating it under a separate KIP > and > > > > limit > > > > > > the > > > > > > > > > scope > > > > > > > > > > of > > > > > > > > > > > > >> this > > > > > > > > > > > > >> > > KIP. > > > > > > > > > > > > >> > > > > I will update the KIP accordingly and put > > this > > > > > under > > > > > > > > > > rejected > > > > > > > > > > > > >> > > > alternatives > > > > > > > > > > > > >> > > > > and create a new KIP for the Kafka-acls.sh > > > > > changes. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > @Manikumar > > > > > > > > > > > > >> > > > > Since we are limiting the scope of this > KIP > > by > > > > not > > > > > > > > making > > > > > > > > > > any > > > > > > > > > > > > >> changes > > > > > > > > > > > > >> > > to > > > > > > > > > > > > >> > > > > kafka-acls.sh, I will cover your concern > in > > a > > > > > > separate > > > > > > > > KIP > > > > > > > > > > > that > > > > > > > > > > > > I > > > > > > > > > > > > >> > will > > > > > > > > > > > > >> > > > put > > > > > > > > > > > > >> > > > > up for kafka-acls.sh. Does that work? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > Mayuresh > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > On Wed, Feb 15, 2017 at 9:18 AM, radai < > > > > > > > > > > > > >> radai.rosenbl...@gmail.com> > > > > > > > > > > > > >> > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > @jun: > > > > > > > > > > > > >> > > > > > "Currently kafka-acl.sh just creates an > > ACL > > > > path > > > > > > in > > > > > > > ZK > > > > > > > > > > with > > > > > > > > > > > > the > > > > > > > > > > > > >> > > > principal > > > > > > > > > > > > >> > > > > > name string" - yes, but not directly. > all > > it > > > > > > > actually > > > > > > > > > does > > > > > > > > > > > it > > > > > > > > > > > > >> > spin-up > > > > > > > > > > > > >> > > > the > > > > > > > > > > > > >> > > > > > Authorizer and call Authorizer.addAcl() > on > > > it. > > > > > > > > > > > > >> > > > > > the vanilla Authorizer goes to ZK. > > > > > > > > > > > > >> > > > > > but generally speaking, users can plug > in > > > > their > > > > > > own > > > > > > > > > > > > Authorizers > > > > > > > > > > > > >> > (that > > > > > > > > > > > > >> > > > can > > > > > > > > > > > > >> > > > > > store/load ACLs to/from wherever). > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > it would be nice if users who customize > > > > > > Authorizers > > > > > > > > (and > > > > > > > > > > > > >> > > > > PrincipalBuilders) > > > > > > > > > > > > >> > > > > > did not immediately lose the ability to > > use > > > > > > > > kafka-acl.sh > > > > > > > > > > > with > > > > > > > > > > > > >> their > > > > > > > > > > > > >> > > new > > > > > > > > > > > > >> > > > > > Authorizers. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > On Wed, Feb 15, 2017 at 5:50 AM, > > Manikumar < > > > > > > > > > > > > >> > > manikumar.re...@gmail.com> > > > > > > > > > > > > >> > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > Sorry, I am late to this discussion. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder is only used for SSL > > > > > Protocol. > > > > > > > > > > > > >> > > > > > > For SASL, we use " > > > > sasl.kerberos.principal.to. > > > > > > > > > > local.rules" > > > > > > > > > > > > >> config > > > > > > > > > > > > >> > > to > > > > > > > > > > > > >> > > > > map > > > > > > > > > > > > >> > > > > > > SASL principal names to short names. > To > > > make > > > > > it > > > > > > > > > > > consistent, > > > > > > > > > > > > >> > > > > > > Do we also need to pass the SASL full > > > > > principal > > > > > > > name > > > > > > > > > to > > > > > > > > > > > > >> > authorizer > > > > > > > > > > > > >> > > ? > > > > > > > > > > > > >> > > > > > > We may need to use PrincipalBuilder > for > > > > > mapping > > > > > > > SASL > > > > > > > > > > > names. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > Related JIRA is here: > > > > > > > > > > > > >> > > > > > > https://issues.apache.org/ > > > > > > jira/browse/KAFKA-2854 > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > On Wed, Feb 15, 2017 at 7:47 AM, Jun > > Rao < > > > > > > > > > > > j...@confluent.io> > > > > > > > > > > > > >> > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > Hi, Radai, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > Currently kafka-acl.sh just creates > an > > > ACL > > > > > > path > > > > > > > in > > > > > > > > > ZK > > > > > > > > > > > with > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > > > > principal > > > > > > > > > > > > >> > > > > > > > name string. The authorizer module > in > > > the > > > > > > broker > > > > > > > > > reads > > > > > > > > > > > the > > > > > > > > > > > > >> > > > principal > > > > > > > > > > > > >> > > > > > name > > > > > > > > > > > > >> > > > > > > > string from the acl path in ZK and > > > creates > > > > > the > > > > > > > > > > expected > > > > > > > > > > > > >> > > > > KafkaPrincipal > > > > > > > > > > > > >> > > > > > > for > > > > > > > > > > > > >> > > > > > > > matching. As you can see, the > expected > > > > > > principal > > > > > > > > is > > > > > > > > > > > > created > > > > > > > > > > > > >> on > > > > > > > > > > > > >> > > the > > > > > > > > > > > > >> > > > > > broker > > > > > > > > > > > > >> > > > > > > > side, not by the kafka-acl.sh tool. > > The > > > > > broker > > > > > > > > > already > > > > > > > > > > > has > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > > > ability > > > > > > > > > > > > >> > > > > > to > > > > > > > > > > > > >> > > > > > > > configure PrincipalBuilder. That's > > why I > > > > am > > > > > > not > > > > > > > > sure > > > > > > > > > > if > > > > > > > > > > > > >> there > > > > > > > > > > > > >> > is > > > > > > > > > > > > >> > > a > > > > > > > > > > > > >> > > > > need > > > > > > > > > > > > >> > > > > > > for > > > > > > > > > > > > >> > > > > > > > kafka-acl.sh to customize > > > > PrincipalBuilder. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > Jun > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > On Mon, Feb 13, 2017 at 7:01 PM, > > radai < > > > > > > > > > > > > >> > > radai.rosenbl...@gmail.com > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > > if i understand correctly, > > > kafka-acls.sh > > > > > > spins > > > > > > > > up > > > > > > > > > an > > > > > > > > > > > > >> instance > > > > > > > > > > > > >> > > of > > > > > > > > > > > > >> > > > > (the > > > > > > > > > > > > >> > > > > > > > > custom, in our case) Authorizer, > and > > > > calls > > > > > > > > things > > > > > > > > > > like > > > > > > > > > > > > >> > > > > addAcls(acls: > > > > > > > > > > > > >> > > > > > > > > Set[Acl], resource: Resource) on > it, > > > > which > > > > > > are > > > > > > > > > > defined > > > > > > > > > > > > in > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > > > > > interface, > > > > > > > > > > > > >> > > > > > > > > hence expected to be "extensible". > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > (side note: if Authorizer and > > > > > > PrincipalBuilder > > > > > > > > are > > > > > > > > > > > > >> defined as > > > > > > > > > > > > >> > > > > > > extensible > > > > > > > > > > > > >> > > > > > > > > interfaces, why doesnt class Acl, > > > which > > > > is > > > > > > in > > > > > > > > the > > > > > > > > > > > > >> signature > > > > > > > > > > > > >> > for > > > > > > > > > > > > >> > > > > > > > Authorizer > > > > > > > > > > > > >> > > > > > > > > calls, use > java.security.Principal?) > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > we would like to be able to use > the > > > > > standard > > > > > > > > > > kafka-acl > > > > > > > > > > > > >> > command > > > > > > > > > > > > >> > > > line > > > > > > > > > > > > >> > > > > > for > > > > > > > > > > > > >> > > > > > > > > defining ACLs even when replacing > > the > > > > > > vanilla > > > > > > > > > > > Authorizer > > > > > > > > > > > > >> and > > > > > > > > > > > > >> > > > > > > > > PrincipalBuilder (even though we > > have > > > a > > > > > > > > management > > > > > > > > > > UI > > > > > > > > > > > > for > > > > > > > > > > > > >> > these > > > > > > > > > > > > >> > > > > > > > operations > > > > > > > > > > > > >> > > > > > > > > within linkedin) - simply because > > > thats > > > > > the > > > > > > > > > correct > > > > > > > > > > > > thing > > > > > > > > > > > > >> to > > > > > > > > > > > > >> > do > > > > > > > > > > > > >> > > > > from > > > > > > > > > > > > >> > > > > > an > > > > > > > > > > > > >> > > > > > > > > extensibility point of view. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > On Mon, Feb 13, 2017 at 1:39 PM, > Jun > > > > Rao < > > > > > > > > > > > > >> j...@confluent.io> > > > > > > > > > > > > >> > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > Hi, Mayuresh, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > I seems to me that there are two > > > > common > > > > > > use > > > > > > > > > cases > > > > > > > > > > of > > > > > > > > > > > > >> > > > authorizer. > > > > > > > > > > > > >> > > > > > (1) > > > > > > > > > > > > >> > > > > > > > Use > > > > > > > > > > > > >> > > > > > > > > > the default SimpleAuthorizer and > > the > > > > > > > kafka-acl > > > > > > > > > to > > > > > > > > > > do > > > > > > > > > > > > >> > > > > authorization. > > > > > > > > > > > > >> > > > > > > (2) > > > > > > > > > > > > >> > > > > > > > > Use > > > > > > > > > > > > >> > > > > > > > > > a customized authorizer and an > > > > external > > > > > > tool > > > > > > > > for > > > > > > > > > > > > >> > > authorization. > > > > > > > > > > > > >> > > > > Do > > > > > > > > > > > > >> > > > > > > you > > > > > > > > > > > > >> > > > > > > > > > think there is a use case for a > > > > > customized > > > > > > > > > > > authorizer > > > > > > > > > > > > >> and > > > > > > > > > > > > >> > > > > kafka-acl > > > > > > > > > > > > >> > > > > > > at > > > > > > > > > > > > >> > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > same time? If not, it's better > not > > > to > > > > > > > > complicate > > > > > > > > > > the > > > > > > > > > > > > >> > > kafka-acl > > > > > > > > > > > > >> > > > > api. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > Jun > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > On Mon, Feb 13, 2017 at 10:35 > AM, > > > > > Mayuresh > > > > > > > > > Gharat > > > > > > > > > > < > > > > > > > > > > > > >> > > > > > > > > > gharatmayures...@gmail.com> > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > Hi Jun, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks for the review and > > > comments. > > > > > > Please > > > > > > > > > find > > > > > > > > > > > the > > > > > > > > > > > > >> > replies > > > > > > > > > > > > >> > > > > > inline > > > > > > > > > > > > >> > > > > > > : > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > This is so that in the future, > > we > > > > can > > > > > > > extend > > > > > > > > > to > > > > > > > > > > > > types > > > > > > > > > > > > >> > like > > > > > > > > > > > > >> > > > > group. > > > > > > > > > > > > >> > > > > > > > > > > ---> Yep, I did think the > same. > > > But > > > > > > since > > > > > > > > the > > > > > > > > > > > > >> > SocketServer > > > > > > > > > > > > >> > > > was > > > > > > > > > > > > >> > > > > > > always > > > > > > > > > > > > >> > > > > > > > > > > creating User type, it wasn't > > > > actually > > > > > > > used. > > > > > > > > > If > > > > > > > > > > we > > > > > > > > > > > > go > > > > > > > > > > > > >> > ahead > > > > > > > > > > > > >> > > > > with > > > > > > > > > > > > >> > > > > > > > > changes > > > > > > > > > > > > >> > > > > > > > > > in > > > > > > > > > > > > >> > > > > > > > > > > this KIP, we will give this > > power > > > of > > > > > > > > creating > > > > > > > > > > > > >> different > > > > > > > > > > > > >> > > > > Principal > > > > > > > > > > > > >> > > > > > > > types > > > > > > > > > > > > >> > > > > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > > the PrincipalBuilder (which > > users > > > > can > > > > > > > define > > > > > > > > > > there > > > > > > > > > > > > >> own). > > > > > > > > > > > > >> > In > > > > > > > > > > > > >> > > > > that > > > > > > > > > > > > >> > > > > > > way > > > > > > > > > > > > >> > > > > > > > > > Kafka > > > > > > > > > > > > >> > > > > > > > > > > will not have to deal with > > > handling > > > > > > this. > > > > > > > So > > > > > > > > > the > > > > > > > > > > > > >> > Principal > > > > > > > > > > > > >> > > > > > building > > > > > > > > > > > > >> > > > > > > > and > > > > > > > > > > > > >> > > > > > > > > > > Authorization will be opaque > to > > > > Kafka > > > > > > > which > > > > > > > > > > seems > > > > > > > > > > > > >> like an > > > > > > > > > > > > >> > > > > > expected > > > > > > > > > > > > >> > > > > > > > > > > behavior. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > Hmm, normally, the > > configurations > > > > you > > > > > > > > specify > > > > > > > > > > for > > > > > > > > > > > > >> > plug-ins > > > > > > > > > > > > >> > > > > refer > > > > > > > > > > > > >> > > > > > to > > > > > > > > > > > > >> > > > > > > > > those > > > > > > > > > > > > >> > > > > > > > > > > needed to construct the > plug-in > > > > > object. > > > > > > > So, > > > > > > > > > it's > > > > > > > > > > > > kind > > > > > > > > > > > > >> of > > > > > > > > > > > > >> > > > weird > > > > > > > > > > > > >> > > > > to > > > > > > > > > > > > >> > > > > > > use > > > > > > > > > > > > >> > > > > > > > > > that > > > > > > > > > > > > >> > > > > > > > > > > to call a method. For example, > > why > > > > > can't > > > > > > > > > > > > >> > > > > > > > principalBuilderService.rest. > > > > > > > > > > > > >> > > > > > > > > > url > > > > > > > > > > > > >> > > > > > > > > > > be passed in through the > > > configure() > > > > > > > method > > > > > > > > > and > > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > implementation > > > > > > > > > > > > >> > > > > > > > can > > > > > > > > > > > > >> > > > > > > > > > use > > > > > > > > > > > > >> > > > > > > > > > > that to build principal. This > > way, > > > > > there > > > > > > > is > > > > > > > > > > only a > > > > > > > > > > > > >> single > > > > > > > > > > > > >> > > > > method > > > > > > > > > > > > >> > > > > > to > > > > > > > > > > > > >> > > > > > > > > > compute > > > > > > > > > > > > >> > > > > > > > > > > the principal in a consistent > > way > > > in > > > > > the > > > > > > > > > broker > > > > > > > > > > > and > > > > > > > > > > > > in > > > > > > > > > > > > >> > the > > > > > > > > > > > > >> > > > > > > kafka-acl > > > > > > > > > > > > >> > > > > > > > > > tool. > > > > > > > > > > > > >> > > > > > > > > > > ----> We can do that as well. > > But > > > > > since > > > > > > > the > > > > > > > > > rest > > > > > > > > > > > url > > > > > > > > > > > > >> is > > > > > > > > > > > > >> > not > > > > > > > > > > > > >> > > > > > related > > > > > > > > > > > > >> > > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > Principal, it seems out of > place > > > to > > > > me > > > > > > to > > > > > > > > pass > > > > > > > > > > it > > > > > > > > > > > > >> every > > > > > > > > > > > > >> > > time > > > > > > > > > > > > >> > > > we > > > > > > > > > > > > >> > > > > > > have > > > > > > > > > > > > >> > > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > > create a Principal. I should > > > replace > > > > > > > > > > > > >> "principalConfigs" > > > > > > > > > > > > >> > > with > > > > > > > > > > > > >> > > > > > > > > > > "principalProperties". > > > > > > > > > > > > >> > > > > > > > > > > I was trying to differentiate > > the > > > > > > > > > > > configs/properties > > > > > > > > > > > > >> that > > > > > > > > > > > > >> > > are > > > > > > > > > > > > >> > > > > > used > > > > > > > > > > > > >> > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > > create the PrincipalBuilder > > class > > > > and > > > > > > the > > > > > > > > > > > > >> > > > Principal/Principals > > > > > > > > > > > > >> > > > > > > > itself. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > For LinkedIn's use case, do > you > > > > > actually > > > > > > > use > > > > > > > > > the > > > > > > > > > > > > >> > kafka-acl > > > > > > > > > > > > >> > > > > tool? > > > > > > > > > > > > >> > > > > > My > > > > > > > > > > > > >> > > > > > > > > > > understanding is that LinkedIn > > > does > > > > > > > > > > authorization > > > > > > > > > > > > >> through > > > > > > > > > > > > >> > > an > > > > > > > > > > > > >> > > > > > > external > > > > > > > > > > > > >> > > > > > > > > > tool. > > > > > > > > > > > > >> > > > > > > > > > > ----> For Linkedin's use case > we > > > > don't > > > > > > > > > actually > > > > > > > > > > > use > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > > > kafka-acl > > > > > > > > > > > > >> > > > > > > > tool > > > > > > > > > > > > >> > > > > > > > > > > right now. As per the > discussion > > > > that > > > > > we > > > > > > > had > > > > > > > > > on > > > > > > > > > > > > >> > > > > > > > > > > https://issues.apache.org/ > > > > > > > > > > jira/browse/KAFKA-4454, > > > > > > > > > > > > we > > > > > > > > > > > > >> > > thought > > > > > > > > > > > > >> > > > > > that > > > > > > > > > > > > >> > > > > > > it > > > > > > > > > > > > >> > > > > > > > > > would > > > > > > > > > > > > >> > > > > > > > > > > be good to make kafka-acl tool > > > > > changes, > > > > > > to > > > > > > > > > make > > > > > > > > > > it > > > > > > > > > > > > >> > flexible > > > > > > > > > > > > >> > > > and > > > > > > > > > > > > >> > > > > > we > > > > > > > > > > > > >> > > > > > > > > might > > > > > > > > > > > > >> > > > > > > > > > be > > > > > > > > > > > > >> > > > > > > > > > > even able to use it in future. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > It seems it's simpler if > > kafka-acl > > > > > > doesn't > > > > > > > > to > > > > > > > > > > need > > > > > > > > > > > > to > > > > > > > > > > > > >> > > > > understand > > > > > > > > > > > > >> > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > principal builder. The tool > does > > > > > > > > authorization > > > > > > > > > > > based > > > > > > > > > > > > >> on a > > > > > > > > > > > > >> > > > > string > > > > > > > > > > > > >> > > > > > > > name, > > > > > > > > > > > > >> > > > > > > > > > > which is expected to match the > > > > > principal > > > > > > > > name. > > > > > > > > > > > So, I > > > > > > > > > > > > >> am > > > > > > > > > > > > >> > > > > wondering > > > > > > > > > > > > >> > > > > > > why > > > > > > > > > > > > >> > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > tool needs to know the > principal > > > > > > builder. > > > > > > > > > > > > >> > > > > > > > > > > ----> If we don't make this > > > change, > > > > I > > > > > am > > > > > > > not > > > > > > > > > > sure > > > > > > > > > > > > how > > > > > > > > > > > > >> > > > > clients/end > > > > > > > > > > > > >> > > > > > > > users > > > > > > > > > > > > >> > > > > > > > > > > will be able to use this tool > if > > > > they > > > > > > have > > > > > > > > > there > > > > > > > > > > > own > > > > > > > > > > > > >> > > > Authorizer > > > > > > > > > > > > >> > > > > > > that > > > > > > > > > > > > >> > > > > > > > > does > > > > > > > > > > > > >> > > > > > > > > > > Authorization based on > > Principal, > > > > that > > > > > > has > > > > > > > > > more > > > > > > > > > > > > >> > information > > > > > > > > > > > > >> > > > > apart > > > > > > > > > > > > >> > > > > > > > from > > > > > > > > > > > > >> > > > > > > > > > name > > > > > > > > > > > > >> > > > > > > > > > > and type. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > What if we only make the > > following > > > > > > > changes: > > > > > > > > > pass > > > > > > > > > > > the > > > > > > > > > > > > >> java > > > > > > > > > > > > >> > > > > > principal > > > > > > > > > > > > >> > > > > > > > in > > > > > > > > > > > > >> > > > > > > > > > > session and in > > > > > > > > > > > > >> > > > > > > > > > > SimpleAuthorizer, construct > > > > > > KafkaPrincipal > > > > > > > > > from > > > > > > > > > > > java > > > > > > > > > > > > >> > > > principal > > > > > > > > > > > > >> > > > > > > name. > > > > > > > > > > > > >> > > > > > > > > Will > > > > > > > > > > > > >> > > > > > > > > > > that work for LinkedIn? > > > > > > > > > > > > >> > > > > > > > > > > ----> This can work for > Linkedin > > > but > > > > > as > > > > > > > > > > explained > > > > > > > > > > > > >> above, > > > > > > > > > > > > >> > it > > > > > > > > > > > > >> > > > > does > > > > > > > > > > > > >> > > > > > > not > > > > > > > > > > > > >> > > > > > > > > seem > > > > > > > > > > > > >> > > > > > > > > > > like a complete design from > open > > > > > source > > > > > > > > point > > > > > > > > > of > > > > > > > > > > > > view. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > On Thu, Feb 9, 2017 at 11:29 > AM, > > > Jun > > > > > > Rao < > > > > > > > > > > > > >> > j...@confluent.io > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > Hi, Mayuresh, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks for the reply. A few > > more > > > > > > > comments > > > > > > > > > > below. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > On Wed, Feb 8, 2017 at 9:14 > > PM, > > > > > > Mayuresh > > > > > > > > > > Gharat > > > > > > > > > > > < > > > > > > > > > > > > >> > > > > > > > > > > > gharatmayures...@gmail.com> > > > > > > > > > > > > >> > > > > > > > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Hi Jun, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks for the review. > > Please > > > > find > > > > > > the > > > > > > > > > > > responses > > > > > > > > > > > > >> > > inline. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1. It seems the problem > that > > > you > > > > > are > > > > > > > > > trying > > > > > > > > > > to > > > > > > > > > > > > >> > address > > > > > > > > > > > > >> > > is > > > > > > > > > > > > >> > > > > > that > > > > > > > > > > > > >> > > > > > > > java > > > > > > > > > > > > >> > > > > > > > > > > > > principal returned from > > > > > KafkaChannel > > > > > > > may > > > > > > > > > > have > > > > > > > > > > > > >> > > additional > > > > > > > > > > > > >> > > > > > fields > > > > > > > > > > > > >> > > > > > > > > than > > > > > > > > > > > > >> > > > > > > > > > > name > > > > > > > > > > > > >> > > > > > > > > > > > > that are needed during > > > > > > authorization. > > > > > > > > Have > > > > > > > > > > you > > > > > > > > > > > > >> > > > considered a > > > > > > > > > > > > >> > > > > > > > > > customized > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipleBuilder that > > extracts > > > > all > > > > > > > > needed > > > > > > > > > > > fields > > > > > > > > > > > > >> from > > > > > > > > > > > > >> > > > java > > > > > > > > > > > > >> > > > > > > > > principal > > > > > > > > > > > > >> > > > > > > > > > > and > > > > > > > > > > > > >> > > > > > > > > > > > > squeezes them as a json in > > the > > > > > name > > > > > > of > > > > > > > > the > > > > > > > > > > > > >> returned > > > > > > > > > > > > >> > > > > > principal? > > > > > > > > > > > > >> > > > > > > > > Then, > > > > > > > > > > > > >> > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > > authorizer can just parse > > the > > > > json > > > > > > and > > > > > > > > > > extract > > > > > > > > > > > > >> needed > > > > > > > > > > > > >> > > > > fields. > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes we had thought > > about > > > > > this. > > > > > > We > > > > > > > > > use a > > > > > > > > > > > > third > > > > > > > > > > > > >> > > party > > > > > > > > > > > > >> > > > > > > library > > > > > > > > > > > > >> > > > > > > > > that > > > > > > > > > > > > >> > > > > > > > > > > > takes > > > > > > > > > > > > >> > > > > > > > > > > > > in the passed in cert and > > > > creates > > > > > > the > > > > > > > > > > > Principal. > > > > > > > > > > > > >> This > > > > > > > > > > > > >> > > > > > Principal > > > > > > > > > > > > >> > > > > > > > is > > > > > > > > > > > > >> > > > > > > > > > then > > > > > > > > > > > > >> > > > > > > > > > > > > used by the library to > make > > > the > > > > > > > decision > > > > > > > > > > > > >> (ALLOW/DENY) > > > > > > > > > > > > >> > > > when > > > > > > > > > > > > >> > > > > we > > > > > > > > > > > > >> > > > > > > > call > > > > > > > > > > > > >> > > > > > > > > it > > > > > > > > > > > > >> > > > > > > > > > > in > > > > > > > > > > > > >> > > > > > > > > > > > > the Authorizer. It does > not > > > have > > > > > an > > > > > > > API > > > > > > > > to > > > > > > > > > > > > create > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > > > > Principal > > > > > > > > > > > > >> > > > > > > > > from > > > > > > > > > > > > >> > > > > > > > > > a > > > > > > > > > > > > >> > > > > > > > > > > > > String. If it did support, > > > still > > > > > we > > > > > > > > would > > > > > > > > > > have > > > > > > > > > > > > to > > > > > > > > > > > > >> be > > > > > > > > > > > > >> > > > aware > > > > > > > > > > > > >> > > > > of > > > > > > > > > > > > >> > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > internal > > > > > > > > > > > > >> > > > > > > > > > > > > details of the library, > like > > > the > > > > > > field > > > > > > > > > > values > > > > > > > > > > > it > > > > > > > > > > > > >> > > creates > > > > > > > > > > > > >> > > > > from > > > > > > > > > > > > >> > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > certs, > > > > > > > > > > > > >> > > > > > > > > > > > > defaults and so on. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2. Could you explain how > the > > > > > default > > > > > > > > > > > authorizer > > > > > > > > > > > > >> works > > > > > > > > > > > > >> > > > now? > > > > > > > > > > > > >> > > > > > > > > Currently, > > > > > > > > > > > > >> > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > > code just compares the two > > > > > principal > > > > > > > > > > objects. > > > > > > > > > > > > Are > > > > > > > > > > > > >> we > > > > > > > > > > > > >> > > > > > converting > > > > > > > > > > > > >> > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > java > > > > > > > > > > > > >> > > > > > > > > > > > > principal to a > > KafkaPrincipal > > > > > there? > > > > > > > > > > > > >> > > > > > > > > > > > > ---> The > SimpleAclAuthorizer > > > > > > currently > > > > > > > > > > expects > > > > > > > > > > > > >> that, > > > > > > > > > > > > >> > > the > > > > > > > > > > > > >> > > > > > > > Principal > > > > > > > > > > > > >> > > > > > > > > it > > > > > > > > > > > > >> > > > > > > > > > > > > fetches from the Session > > > object > > > > is > > > > > > an > > > > > > > > > > instance > > > > > > > > > > > > of > > > > > > > > > > > > >> > > > > > > KafkaPrincipal. > > > > > > > > > > > > >> > > > > > > > > It > > > > > > > > > > > > >> > > > > > > > > > > then > > > > > > > > > > > > >> > > > > > > > > > > > > uses it compare with the > > > > > > > KafkaPrincipal > > > > > > > > > > > > extracted > > > > > > > > > > > > >> > from > > > > > > > > > > > > >> > > > the > > > > > > > > > > > > >> > > > > > > stored > > > > > > > > > > > > >> > > > > > > > > > ACLs. > > > > > > > > > > > > >> > > > > > > > > > > > In > > > > > > > > > > > > >> > > > > > > > > > > > > this case, we can > construct > > > the > > > > > > > > > > KafkaPrincipal > > > > > > > > > > > > >> object > > > > > > > > > > > > >> > > on > > > > > > > > > > > > >> > > > > the > > > > > > > > > > > > >> > > > > > > fly > > > > > > > > > > > > >> > > > > > > > by > > > > > > > > > > > > >> > > > > > > > > > > using > > > > > > > > > > > > >> > > > > > > > > > > > > the name of the Principal > as > > > > > > follows : > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val principal = > > > > > session.principal* > > > > > > > > > > > > >> > > > > > > > > > > > > *val kafkaPrincipal = new > > > > > > > > > > > > >> > > KafkaPrincipal(KafkaPrincipal. > > > > > > > > > > > > >> > > > > > > > USER_TYPE, > > > > > > > > > > > > >> > > > > > > > > > > > > principal.getName)* > > > > > > > > > > > > >> > > > > > > > > > > > > I was also planning to get > > rid > > > > of > > > > > > the > > > > > > > > > > > > >> principalType > > > > > > > > > > > > >> > > field > > > > > > > > > > > > >> > > > > in > > > > > > > > > > > > >> > > > > > > > > > > > > KafkaPrincipal as > > > > > > > > > > > > >> > > > > > > > > > > > > it is always set to > > *"*User*"* > > > > in > > > > > > the > > > > > > > > > > > > SocketServer > > > > > > > > > > > > >> > > > > currently. > > > > > > > > > > > > >> > > > > > > > After > > > > > > > > > > > > >> > > > > > > > > > > this > > > > > > > > > > > > >> > > > > > > > > > > > > KIP, it will no longer be > > used > > > > in > > > > > > > > > > > SocketServer. > > > > > > > > > > > > >> But > > > > > > > > > > > > >> > to > > > > > > > > > > > > >> > > > > > maintain > > > > > > > > > > > > >> > > > > > > > > > > backwards > > > > > > > > > > > > >> > > > > > > > > > > > > compatibility of > > > kafka-acls.sh, > > > > I > > > > > > > > > preserved > > > > > > > > > > > it. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > This is so that in the > future, > > > we > > > > > can > > > > > > > > extend > > > > > > > > > > to > > > > > > > > > > > > >> types > > > > > > > > > > > > >> > > like > > > > > > > > > > > > >> > > > > > group. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. Do we need to add the > > > > following > > > > > > > > method > > > > > > > > > in > > > > > > > > > > > > >> > > > > > PrincipalBuilder? > > > > > > > > > > > > >> > > > > > > > The > > > > > > > > > > > > >> > > > > > > > > > > > configs > > > > > > > > > > > > >> > > > > > > > > > > > > are already passed in > > through > > > > > > > > configure() > > > > > > > > > > and > > > > > > > > > > > an > > > > > > > > > > > > >> > > > > > implementation > > > > > > > > > > > > >> > > > > > > > can > > > > > > > > > > > > >> > > > > > > > > > > cache > > > > > > > > > > > > >> > > > > > > > > > > > > it and use it in > > > > buildPrincipal(). > > > > > > > It's > > > > > > > > > also > > > > > > > > > > > not > > > > > > > > > > > > >> > clear > > > > > > > > > > > > >> > > to > > > > > > > > > > > > >> > > > > me > > > > > > > > > > > > >> > > > > > > > where > > > > > > > > > > > > >> > > > > > > > > we > > > > > > > > > > > > >> > > > > > > > > > > > call > > > > > > > > > > > > >> > > > > > > > > > > > > the new and the old > method, > > > and > > > > > > > whether > > > > > > > > > both > > > > > > > > > > > > will > > > > > > > > > > > > >> be > > > > > > > > > > > > >> > > > called > > > > > > > > > > > > >> > > > > > or > > > > > > > > > > > > >> > > > > > > > one > > > > > > > > > > > > >> > > > > > > > > of > > > > > > > > > > > > >> > > > > > > > > > > > them > > > > > > > > > > > > >> > > > > > > > > > > > > will be called. > > > > > > > > > > > > >> > > > > > > > > > > > > Principal > > > > > buildPrincipal(Map<String, > > > > > > > ?> > > > > > > > > > > > > >> > > > principalConfigs); > > > > > > > > > > > > >> > > > > > > > > > > > > ---> My thought was that > the > > > > > > > configure() > > > > > > > > > > > method > > > > > > > > > > > > >> will > > > > > > > > > > > > >> > be > > > > > > > > > > > > >> > > > > used > > > > > > > > > > > > >> > > > > > to > > > > > > > > > > > > >> > > > > > > > > build > > > > > > > > > > > > >> > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipalBuilder class > > object > > > > > > itself. > > > > > > > It > > > > > > > > > > > follows > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > same > > > > > > > > > > > > >> > > > > way > > > > > > > > > > > > >> > > > > > > as > > > > > > > > > > > > >> > > > > > > > > > > > Authorizer > > > > > > > > > > > > >> > > > > > > > > > > > > gets configured. The > > > > > > > > > > > buildPrincipal(Map<String, > > > > > > > > > > > > ?> > > > > > > > > > > > > >> > > > > > > > > principalConfigs) > > > > > > > > > > > > >> > > > > > > > > > > will > > > > > > > > > > > > >> > > > > > > > > > > > > be used to build > individual > > > > > > > principals. > > > > > > > > > > > > >> > > > > > > > > > > > > Let me give an example, > with > > > the > > > > > > > > > > > kafka-acls.sh : > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > - bin/kafka-acls.sh > > > > > > > > --principalBuilder > > > > > > > > > > > > >> > > > > > > > > > > > > > userDefinedPackage.kafka. > > > > > > > > > > > > >> > security.PrincipalBuilder > > > > > > > > > > > > >> > > > > > > > > > > > > > > --principalBuilder-properties > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > principalBuilderService.rest.u > > > > > > > rl=URL > > > > > > > > > > > > >> > --authorizer > > > > > > > > > > > > >> > > > > > > > > > > > > kafka.security.auth. > > > > > > > > > SimpleAclAuthorizer > > > > > > > > > > > > >> > > > > > > > --authorizer-properties > > > > > > > > > > > > >> > > > > > > > > > > > > > > > zookeeper.connect=localhost: > > > > > 2181 > > > > > > > > --add > > > > > > > > > > > > >> > > > > --allow-principal > > > > > > > > > > > > >> > > > > > > > > name=bob > > > > > > > > > > > > >> > > > > > > > > > > > > type=USER_PRINCIPAL > > > > > > > --allow-principal > > > > > > > > > > > > >> > > > > > > name=ALPHA-GAMMA-SERVICE > > > > > > > > > > > > >> > > > > > > > > > > > > type=SERVICE_PRINCIPAL > > > > > > > --allow-hosts > > > > > > > > > > > > >> Host1,Host2 > > > > > > > > > > > > >> > > > > > > --operations > > > > > > > > > > > > >> > > > > > > > > > > > Read,Write > > > > > > > > > > > > >> > > > > > > > > > > > > --topic Test-topic > > > > > > > > > > > > >> > > > > > > > > > > > > 1. > > > > > *userDefinedPackage.kafka. > > > > > > > > > > > > >> > > > > > security.PrincipalBuilder* > > > > > > > > > > > > >> > > > > > > is > > > > > > > > > > > > >> > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > user > > > > > > > > > > > > >> > > > > > > > > > > > > defined > > PrincipalBuilder > > > > > > class. > > > > > > > > > > > > >> > > > > > > > > > > > > 2. > > > > > > > *principalBuilderService.rest. > > > > > > > > > > > url=URL* > > > > > > > > > > > > >> can > > > > > > > > > > > > >> > > be a > > > > > > > > > > > > >> > > > > > > remote > > > > > > > > > > > > >> > > > > > > > > > > service > > > > > > > > > > > > >> > > > > > > > > > > > > that provides you an > > > HTTP > > > > > > > endpoint > > > > > > > > > > which > > > > > > > > > > > > >> takes > > > > > > > > > > > > >> > > in a > > > > > > > > > > > > >> > > > > set > > > > > > > > > > > > >> > > > > > > of > > > > > > > > > > > > >> > > > > > > > > > > > > parameters and > > > > > > > > > > > > >> > > > > > > > > > > > > provides you with > the > > > > > > Principal. > > > > > > > > > > > > >> > > > > > > > > > > > > 3. *name=bob > > > > > > > type=USER_PRINCIPAL* > > > > > > > > > can > > > > > > > > > > be > > > > > > > > > > > > >> used > > > > > > > > > > > > >> > by > > > > > > > > > > > > >> > > > > > > > > > PrincipalBuilder > > > > > > > > > > > > >> > > > > > > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > > > > create UserPrincipal > > > with > > > > > name > > > > > > > as > > > > > > > > > bob > > > > > > > > > > > > >> > > > > > > > > > > > > 4. > > > > *name=ALPHA-GAMMA-SERVICE > > > > > > > > > > > > >> > > type=SERVICE_PRINCIPAL > > > > > > > > > > > > >> > > > > > *can > > > > > > > > > > > > >> > > > > > > be > > > > > > > > > > > > >> > > > > > > > > > used > > > > > > > > > > > > >> > > > > > > > > > > by > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipalBuilder to > > > > create a > > > > > > > > > > > > >> ServicePrincipal > > > > > > > > > > > > >> > > with > > > > > > > > > > > > >> > > > > name > > > > > > > > > > > > >> > > > > > > as > > > > > > > > > > > > >> > > > > > > > > > > > > ALPHA-GAMMA-SERVICE. > > > > > > > > > > > > >> > > > > > > > > > > > > - This seems more > > flexible > > > > and > > > > > > > > > intuitive > > > > > > > > > > to > > > > > > > > > > > > me > > > > > > > > > > > > >> > from > > > > > > > > > > > > >> > > > end > > > > > > > > > > > > >> > > > > > > user's > > > > > > > > > > > > >> > > > > > > > > > > > > perspective. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > Hmm, normally, the > > > configurations > > > > > you > > > > > > > > > specify > > > > > > > > > > > for > > > > > > > > > > > > >> > > plug-ins > > > > > > > > > > > > >> > > > > > refer > > > > > > > > > > > > >> > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > those > > > > > > > > > > > > >> > > > > > > > > > > > needed to construct the > > plug-in > > > > > > object. > > > > > > > > So, > > > > > > > > > > it's > > > > > > > > > > > > >> kind > > > > > > > > > > > > >> > of > > > > > > > > > > > > >> > > > > weird > > > > > > > > > > > > >> > > > > > to > > > > > > > > > > > > >> > > > > > > > use > > > > > > > > > > > > >> > > > > > > > > > > that > > > > > > > > > > > > >> > > > > > > > > > > > to call a method. For > example, > > > why > > > > > > can't > > > > > > > > > > > > >> > > > > > > > > principalBuilderService.rest. > > > > > > > > > > > > >> > > > > > > > > > > url > > > > > > > > > > > > >> > > > > > > > > > > > be passed in through the > > > > configure() > > > > > > > > method > > > > > > > > > > and > > > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > implementation > > > > > > > > > > > > >> > > > > > > > > can > > > > > > > > > > > > >> > > > > > > > > > > use > > > > > > > > > > > > >> > > > > > > > > > > > that to build principal. > This > > > way, > > > > > > there > > > > > > > > is > > > > > > > > > > > only a > > > > > > > > > > > > >> > single > > > > > > > > > > > > >> > > > > > method > > > > > > > > > > > > >> > > > > > > to > > > > > > > > > > > > >> > > > > > > > > > > compute > > > > > > > > > > > > >> > > > > > > > > > > > the principal in a > consistent > > > way > > > > in > > > > > > the > > > > > > > > > > broker > > > > > > > > > > > > and > > > > > > > > > > > > >> in > > > > > > > > > > > > >> > > the > > > > > > > > > > > > >> > > > > > > > kafka-acl > > > > > > > > > > > > >> > > > > > > > > > > tool. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > For LinkedIn's use case, do > > you > > > > > > actually > > > > > > > > use > > > > > > > > > > the > > > > > > > > > > > > >> > > kafka-acl > > > > > > > > > > > > >> > > > > > tool? > > > > > > > > > > > > >> > > > > > > My > > > > > > > > > > > > >> > > > > > > > > > > > understanding is that > LinkedIn > > > > does > > > > > > > > > > > authorization > > > > > > > > > > > > >> > through > > > > > > > > > > > > >> > > > an > > > > > > > > > > > > >> > > > > > > > external > > > > > > > > > > > > >> > > > > > > > > > > tool. > > > > > > > > > > > > >> > > > > > > > > > > > It seems it's simpler if > > > kafka-acl > > > > > > > doesn't > > > > > > > > > to > > > > > > > > > > > need > > > > > > > > > > > > >> to > > > > > > > > > > > > >> > > > > > understand > > > > > > > > > > > > >> > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > principal builder. The tool > > does > > > > > > > > > authorization > > > > > > > > > > > > based > > > > > > > > > > > > >> > on a > > > > > > > > > > > > >> > > > > > string > > > > > > > > > > > > >> > > > > > > > > name, > > > > > > > > > > > > >> > > > > > > > > > > > which is expected to match > the > > > > > > principal > > > > > > > > > name. > > > > > > > > > > > So, > > > > > > > > > > > > >> I am > > > > > > > > > > > > >> > > > > > wondering > > > > > > > > > > > > >> > > > > > > > why > > > > > > > > > > > > >> > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > tool needs to know the > > principal > > > > > > > builder. > > > > > > > > > What > > > > > > > > > > > if > > > > > > > > > > > > we > > > > > > > > > > > > >> > only > > > > > > > > > > > > >> > > > > make > > > > > > > > > > > > >> > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > following changes: pass the > > java > > > > > > > principal > > > > > > > > > in > > > > > > > > > > > > >> session > > > > > > > > > > > > >> > and > > > > > > > > > > > > >> > > > in > > > > > > > > > > > > >> > > > > > > > > > > > SimpleAuthorizer, construct > > > > > > > KafkaPrincipal > > > > > > > > > > from > > > > > > > > > > > > java > > > > > > > > > > > > >> > > > > principal > > > > > > > > > > > > >> > > > > > > > name. > > > > > > > > > > > > >> > > > > > > > > > Will > > > > > > > > > > > > >> > > > > > > > > > > > that work for LinkedIn? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal > > > > > buildPrincipal(Map<String, > > > > > > > ?> > > > > > > > > > > > > >> > > principalConfigs) > > > > > > > > > > > > >> > > > > > will > > > > > > > > > > > > >> > > > > > > be > > > > > > > > > > > > >> > > > > > > > > > > called > > > > > > > > > > > > >> > > > > > > > > > > > > from the commandline > client > > > > > > > > kafka-acls.sh > > > > > > > > > > > while > > > > > > > > > > > > >> the > > > > > > > > > > > > >> > > other > > > > > > > > > > > > >> > > > > API > > > > > > > > > > > > >> > > > > > > can > > > > > > > > > > > > >> > > > > > > > > be > > > > > > > > > > > > >> > > > > > > > > > > > called > > > > > > > > > > > > >> > > > > > > > > > > > > at runtime when Kafka > > > receives a > > > > > > > client > > > > > > > > > > > request > > > > > > > > > > > > >> over > > > > > > > > > > > > >> > > > > request > > > > > > > > > > > > >> > > > > > > > > channel. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4. The KIP has "If users > use > > > > there > > > > > > > > custom > > > > > > > > > > > > >> > > > PrincipalBuilder, > > > > > > > > > > > > >> > > > > > > they > > > > > > > > > > > > >> > > > > > > > > will > > > > > > > > > > > > >> > > > > > > > > > > > have > > > > > > > > > > > > >> > > > > > > > > > > > > to implement there custom > > > > > Authorizer > > > > > > > as > > > > > > > > > the > > > > > > > > > > > out > > > > > > > > > > > > of > > > > > > > > > > > > >> > box > > > > > > > > > > > > >> > > > > > > Authorizer > > > > > > > > > > > > >> > > > > > > > > > that > > > > > > > > > > > > >> > > > > > > > > > > > > Kafka provides uses > > > > > KafkaPrincipal." > > > > > > > > This > > > > > > > > > is > > > > > > > > > > > not > > > > > > > > > > > > >> > ideal > > > > > > > > > > > > >> > > > for > > > > > > > > > > > > >> > > > > > > > existing > > > > > > > > > > > > >> > > > > > > > > > > > users. > > > > > > > > > > > > >> > > > > > > > > > > > > Could we avoid that? > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes, this is possible > > to > > > > > avoid > > > > > > if > > > > > > > > we > > > > > > > > > do > > > > > > > > > > > > >> point 2. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > On Wed, Feb 8, 2017 at > 3:31 > > > PM, > > > > > Jun > > > > > > > Rao > > > > > > > > < > > > > > > > > > > > > >> > > > j...@confluent.io> > > > > > > > > > > > > >> > > > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Hi, Mayuresh, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks for the KIP. A > few > > > > > comments > > > > > > > > > below. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 1. It seems the problem > > that > > > > you > > > > > > are > > > > > > > > > > trying > > > > > > > > > > > to > > > > > > > > > > > > >> > > address > > > > > > > > > > > > >> > > > is > > > > > > > > > > > > >> > > > > > > that > > > > > > > > > > > > >> > > > > > > > > java > > > > > > > > > > > > >> > > > > > > > > > > > > > principal returned from > > > > > > KafkaChannel > > > > > > > > may > > > > > > > > > > > have > > > > > > > > > > > > >> > > > additional > > > > > > > > > > > > >> > > > > > > fields > > > > > > > > > > > > >> > > > > > > > > > than > > > > > > > > > > > > >> > > > > > > > > > > > name > > > > > > > > > > > > >> > > > > > > > > > > > > > that are needed during > > > > > > > authorization. > > > > > > > > > Have > > > > > > > > > > > you > > > > > > > > > > > > >> > > > > considered a > > > > > > > > > > > > >> > > > > > > > > > > customized > > > > > > > > > > > > >> > > > > > > > > > > > > > PrincipleBuilder that > > > extracts > > > > > all > > > > > > > > > needed > > > > > > > > > > > > fields > > > > > > > > > > > > >> > from > > > > > > > > > > > > >> > > > > java > > > > > > > > > > > > >> > > > > > > > > > principal > > > > > > > > > > > > >> > > > > > > > > > > > and > > > > > > > > > > > > >> > > > > > > > > > > > > > squeezes them as a json > in > > > the > > > > > > name > > > > > > > of > > > > > > > > > the > > > > > > > > > > > > >> returned > > > > > > > > > > > > >> > > > > > > principal? > > > > > > > > > > > > >> > > > > > > > > > Then, > > > > > > > > > > > > >> > > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > > > authorizer can just > parse > > > the > > > > > json > > > > > > > and > > > > > > > > > > > extract > > > > > > > > > > > > >> > needed > > > > > > > > > > > > >> > > > > > fields. > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 2. Could you explain how > > the > > > > > > default > > > > > > > > > > > > authorizer > > > > > > > > > > > > >> > works > > > > > > > > > > > > >> > > > > now? > > > > > > > > > > > > >> > > > > > > > > > Currently, > > > > > > > > > > > > >> > > > > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > > > code just compares the > two > > > > > > principal > > > > > > > > > > > objects. > > > > > > > > > > > > >> Are > > > > > > > > > > > > >> > we > > > > > > > > > > > > >> > > > > > > converting > > > > > > > > > > > > >> > > > > > > > > the > > > > > > > > > > > > >> > > > > > > > > > > > java > > > > > > > > > > > > >> > > > > > > > > > > > > > principal to a > > > KafkaPrincipal > > > > > > there? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 3. Do we need to add the > > > > > following > > > > > > > > > method > > > > > > > > > > in > > > > > > > > > > > > >> > > > > > > PrincipalBuilder? > > > > > > > > > > > > >> > > > > > > > > The > > > > > > > > > > > > >> > > > > > > > > > > > > configs > > > > > > > > > > > > >> > > > > > > > > > > > > > are already passed in > > > through > > > > > > > > > configure() > > > > > > > > > > > and > > > > > > > > > > > > an > > > > > > > > > > > > >> > > > > > > implementation > > > > > > > > > > > > >> > > > > > > > > can > > > > > > > > > > > > >> > > > > > > > > > > > cache > > > > > > > > > > > > >> > > > > > > > > > > > > > it and use it in > > > > > buildPrincipal(). > > > > > > > > It's > > > > > > > > > > also > > > > > > > > > > > > not > > > > > > > > > > > > >> > > clear > > > > > > > > > > > > >> > > > to > > > > > > > > > > > > >> > > > > > me > > > > > > > > > > > > >> > > > > > > > > where > > > > > > > > > > > > >> > > > > > > > > > we > > > > > > > > > > > > >> > > > > > > > > > > > > call > > > > > > > > > > > > >> > > > > > > > > > > > > > the new and the old > > method, > > > > and > > > > > > > > whether > > > > > > > > > > both > > > > > > > > > > > > >> will > > > > > > > > > > > > >> > be > > > > > > > > > > > > >> > > > > called > > > > > > > > > > > > >> > > > > > > or > > > > > > > > > > > > >> > > > > > > > > one > > > > > > > > > > > > >> > > > > > > > > > of > > > > > > > > > > > > >> > > > > > > > > > > > > them > > > > > > > > > > > > >> > > > > > > > > > > > > > will be called. > > > > > > > > > > > > >> > > > > > > > > > > > > > Principal > > > > > > buildPrincipal(Map<String, > > > > > > > > ?> > > > > > > > > > > > > >> > > > > principalConfigs); > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 4. The KIP has "If users > > use > > > > > there > > > > > > > > > custom > > > > > > > > > > > > >> > > > > PrincipalBuilder, > > > > > > > > > > > > >> > > > > > > > they > > > > > > > > > > > > >> > > > > > > > > > will > > > > > > > > > > > > >> > > > > > > > > > > > > have > > > > > > > > > > > > >> > > > > > > > > > > > > > to implement there > custom > > > > > > Authorizer > > > > > > > > as > > > > > > > > > > the > > > > > > > > > > > > out > > > > > > > > > > > > >> of > > > > > > > > > > > > >> > > box > > > > > > > > > > > > >> > > > > > > > Authorizer > > > > > > > > > > > > >> > > > > > > > > > > that > > > > > > > > > > > > >> > > > > > > > > > > > > > Kafka provides uses > > > > > > KafkaPrincipal." > > > > > > > > > This > > > > > > > > > > is > > > > > > > > > > > > not > > > > > > > > > > > > >> > > ideal > > > > > > > > > > > > >> > > > > for > > > > > > > > > > > > >> > > > > > > > > existing > > > > > > > > > > > > >> > > > > > > > > > > > > users. > > > > > > > > > > > > >> > > > > > > > > > > > > > Could we avoid that? > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Jun > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > On Fri, Feb 3, 2017 at > > 11:25 > > > > AM, > > > > > > > > > Mayuresh > > > > > > > > > > > > >> Gharat < > > > > > > > > > > > > >> > > > > > > > > > > > > > > > gharatmayures...@gmail.com > > > > > > > > > > > > >> > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Hi All, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > It seems that there is > > no > > > > > > further > > > > > > > > > > concern > > > > > > > > > > > > with > > > > > > > > > > > > >> > the > > > > > > > > > > > > >> > > > > > KIP-111. > > > > > > > > > > > > >> > > > > > > > At > > > > > > > > > > > > >> > > > > > > > > > this > > > > > > > > > > > > >> > > > > > > > > > > > > point > > > > > > > > > > > > >> > > > > > > > > > > > > > > we would like to start > > the > > > > > > voting > > > > > > > > > > process. > > > > > > > > > > > > The > > > > > > > > > > > > >> > KIP > > > > > > > > > > > > >> > > > can > > > > > > > > > > > > >> > > > > be > > > > > > > > > > > > >> > > > > > > > found > > > > > > > > > > > > >> > > > > > > > > > at > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > https://cwiki.apache.org/ > > > > > > > > > > > > >> > confluence/pages/viewpage > > > > > > > > > > > > >> > > . > > > > > > > > > > > > >> > > > > > > > > > > > > > action?pageId=67638388 > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Mayuresh > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > -- > > > > > > > > > > > > >> > > > > > > > > > > > > -Regards, > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh R. Gharat > > > > > > > > > > > > >> > > > > > > > > > > > > (862) 250-7125 > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks, > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > Jun > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > -- > > > > > > > > > > > > >> > > > > > > > > > > -Regards, > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh R. Gharat > > > > > > > > > > > > >> > > > > > > > > > > (862) 250-7125 > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > -- > > > > > > > > > > > > >> > > > > -Regards, > > > > > > > > > > > > >> > > > > Mayuresh R. Gharat > > > > > > > > > > > > >> > > > > (862) 250-7125 > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > -- > > > > > > > > > > > > >> > -Regards, > > > > > > > > > > > > >> > Mayuresh R. Gharat > > > > > > > > > > > > >> > (862) 250-7125 > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > -Regards, > > > > > > > > > > > > > Mayuresh R. Gharat > > > > > > > > > > > > > (862) 250-7125 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > -Regards, > > > > > > > > > > > > Mayuresh R. Gharat > > > > > > > > > > > > (862) 250-7125 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > -Regards, > > > > > > > > > > Mayuresh R. Gharat > > > > > > > > > > (862) 250-7125 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > -Regards, > > > > > > > > Mayuresh R. Gharat > > > > > > > > (862) 250-7125 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > -Regards, > > > > > Mayuresh R. Gharat > > > > > (862) 250-7125 > > > > > > > > > > > > > > > > > > > > > -- > > > -Regards, > > > Mayuresh R. Gharat > > > (862) 250-7125 > > > > > > -- -Regards, Mayuresh R. Gharat (862) 250-7125
