Hi Jun,
Sorry for the delayed reply.
I agree that the easiest thing will be to add an additional field in the
Session class and we should be OK.
But having a KafkaPrincipal and java Principal with in the same class looks
little weird.
So we can do this and slowly deprecate the usage of KafkaPrincipal in
public api's.
We add new apis and make changes to the existing apis as follows :
- Changes to Session class :
@Deprecated
case class Session(principal: KafkaPrincipal, clientAddress: InetAddress) {
val sanitizedUser = QuotaId.sanitize(principal.getName)
}
*@Deprecated ...... (NEW)*
*case class Session(principal: KafkaPrincipal, clientAddress: InetAddress,
channelPrincipal: Java.security.Principal) { val sanitizedUser =
QuotaId.sanitize(principal.getName)}*
*(NEW)*
*case class Session(principal: Java.security.Principal, clientAddress:
InetAddress) { val sanitizedUser = QuotaId.sanitize(principal.getName)}*
- Changes to Authorizer Interface :
@Deprecated
def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]]
*(NEW)*
*def getAcls(principal: Java.security.Principal): Map[Resource, Set[Acl]]*
- Changes to Acl class :
@Deprecated
case class Acl(principal: KafkaPrincipal, permissionType: PermissionType,
host: String, operation: Operation)
*(NEW)*
*case class Acl(principal: Java.security.Principal, permissionType:
PermissionType, host: String, operation: Operation) *
The one in Bold are the new api's. We will remove them eventually, probably
in next major release.
We don't want to get rid of KafkaPrincipal class and it will be used in the
same way as it does right now for out of box authorizer and commandline
tool. We would only be removing its direct usage from public apis.
Doing the above deprecation will help us to support other implementation of
Java.security.Principal as well which seems necessary especially since
Kafka provides pluggable Authorizer and PrincipalBuilder.
Let me know your thoughts on this.
Thanks,
Mayuresh
On Tue, Feb 28, 2017 at 2:33 PM, Mayuresh Gharat <gharatmayures...@gmail.com
> wrote:
> Hi Jun,
>
> Sure.
> I had an offline discussion with Joel on how we can deprecate the
> KafkaPrincipal from Session and Authorizer.
> I will update the KIP to see if we can address all the concerns here. If
> not we can keep the KafkaPrincipal.
>
> Thanks,
>
> Mayuresh
>
> On Tue, Feb 28, 2017 at 1:53 PM, Jun Rao <j...@confluent.io> wrote:
>
>> Hi, Joel,
>>
>> Good point on the getAcls() method. KafkaPrincipal is also tied to ACL,
>> which is used in pretty much every method in Authorizer. Now, I am not
>> sure
>> if it's easy to deprecate KafkaPrincipal.
>>
>> Hi, Mayuresh,
>>
>> Given the above, it seems that the easiest thing is to add a new Principal
>> field in Session. We want to make it clear that it's ignored in the
>> default
>> implementation, but a customizer authorizer could take advantage of that.
>>
>> Thanks,
>>
>> Jun
>>
>> On Tue, Feb 28, 2017 at 10:52 AM, Joel Koshy <jjkosh...@gmail.com> wrote:
>>
>> > If we deprecate KafkaPrincipal, then the Authorizer interface will also
>> > need to change - i.e., deprecate the getAcls(KafkaPrincipal) method.
>> >
>> > On Tue, Feb 28, 2017 at 10:11 AM, Mayuresh Gharat <
>> > gharatmayures...@gmail.com> wrote:
>> >
>> > > Hi Jun/Ismael,
>> > >
>> > > Thanks for the comments.
>> > >
>> > > I agree.
>> > > What I was thinking was, we get the KIP passed now and wait till major
>> > > kafka version release. We can then make this change, but for now we
>> can
>> > > wait. Does that work?
>> > >
>> > > If there are concerns, we can make the addition of extra field of type
>> > > Principal to Session and then deprecate the KafkaPrincipal later.
>> > >
>> > > I am fine either ways. What do you think?
>> > >
>> > > Thanks,
>> > >
>> > > Mayuresh
>> > >
>> > > On Tue, Feb 28, 2017 at 9:53 AM, Jun Rao <j...@confluent.io> wrote:
>> > >
>> > > > Hi, Ismael,
>> > > >
>> > > > Good point on compatibility.
>> > > >
>> > > > Hi, Mayuresh,
>> > > >
>> > > > Given that, it seems that it's better to just add the raw principal
>> as
>> > a
>> > > > new field in Session for now and deprecate the KafkaPrincipal field
>> in
>> > > the
>> > > > future if needed?
>> > > >
>> > > > Thanks,
>> > > >
>> > > > Jun
>> > > >
>> > > > On Mon, Feb 27, 2017 at 5:05 PM, Ismael Juma <ism...@juma.me.uk>
>> > wrote:
>> > > >
>> > > > > Breaking clients without a deprecation period is something we
>> only do
>> > > as
>> > > > a
>> > > > > last resort. Is there strong justification for doing it here?
>> > > > >
>> > > > > Ismael
>> > > > >
>> > > > > On Mon, Feb 27, 2017 at 11:28 PM, Mayuresh Gharat <
>> > > > > gharatmayures...@gmail.com> wrote:
>> > > > >
>> > > > > > Hi Ismael,
>> > > > > >
>> > > > > > Yeah. I agree that it might break the clients if the user is
>> using
>> > > the
>> > > > > > kafkaPrincipal directly. But since KafkaPrincipal is also a Java
>> > > > > Principal
>> > > > > > and I think, it would be a right thing to do replace the
>> > > kafkaPrincipal
>> > > > > > with Java Principal at this stage than later.
>> > > > > >
>> > > > > > We can mention in the KIP, that it would break the clients that
>> are
>> > > > using
>> > > > > > the KafkaPrincipal directly and they will have to use the
>> > > PrincipalType
>> > > > > > directly, if they are using it as its only one value and use the
>> > name
>> > > > > from
>> > > > > > the Principal directly or create a KafkaPrincipal from Java
>> > Principal
>> > > > as
>> > > > > we
>> > > > > > are doing in SimpleAclAuthorizer with this KIP.
>> > > > > >
>> > > > > > Thanks,
>> > > > > >
>> > > > > > Mayuresh
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > On Mon, Feb 27, 2017 at 10:56 AM, Ismael Juma <
>> ism...@juma.me.uk>
>> > > > wrote:
>> > > > > >
>> > > > > > > Hi Mayuresh,
>> > > > > > >
>> > > > > > > Sorry for the delay. The updated KIP states that there is no
>> > > > > > compatibility
>> > > > > > > impact, but that doesn't seem right. The fact that we changed
>> the
>> > > > type
>> > > > > of
>> > > > > > > Session.principal to `Principal` means that any code that
>> expects
>> > > it
>> > > > to
>> > > > > > be
>> > > > > > > `KafkaPrincipal` will break. Either because of declared types
>> > > > (likely)
>> > > > > or
>> > > > > > > if it accesses `getPrincipalType` (unlikely since the value is
>> > > always
>> > > > > the
>> > > > > > > same). It's a bit annoying, but we should add a new field to
>> > > > `Session`
>> > > > > > with
>> > > > > > > the original principal. We can potentially deprecate the
>> existing
>> > > > one,
>> > > > > if
>> > > > > > > we're sure we don't need it (or we can leave it for now).
>> > > > > > >
>> > > > > > > Ismael
>> > > > > > >
>> > > > > > > On Mon, Feb 27, 2017 at 6:40 PM, Mayuresh Gharat <
>> > > > > > > gharatmayures...@gmail.com
>> > > > > > > > wrote:
>> > > > > > >
>> > > > > > > > Hi Ismael, Joel, Becket
>> > > > > > > >
>> > > > > > > > Would you mind taking a look at this. We require 2 more
>> binding
>> > > > votes
>> > > > > > for
>> > > > > > > > the KIP to pass.
>> > > > > > > >
>> > > > > > > > Thanks,
>> > > > > > > >
>> > > > > > > > Mayuresh
>> > > > > > > >
>> > > > > > > > On Thu, Feb 23, 2017 at 10:57 AM, Dong Lin <
>> > lindon...@gmail.com>
>> > > > > > wrote:
>> > > > > > > >
>> > > > > > > > > +1 (non-binding)
>> > > > > > > > >
>> > > > > > > > > On Wed, Feb 22, 2017 at 10:52 PM, Manikumar <
>> > > > > > manikumar.re...@gmail.com
>> > > > > > > >
>> > > > > > > > > wrote:
>> > > > > > > > >
>> > > > > > > > > > +1 (non-binding)
>> > > > > > > > > >
>> > > > > > > > > > On Thu, Feb 23, 2017 at 3:27 AM, Mayuresh Gharat <
>> > > > > > > > > > gharatmayures...@gmail.com
>> > > > > > > > > > > wrote:
>> > > > > > > > > >
>> > > > > > > > > > > Hi Jun,
>> > > > > > > > > > >
>> > > > > > > > > > > Thanks a lot for the comments and reviews.
>> > > > > > > > > > > I agree we should log the username.
>> > > > > > > > > > > What I meant by creating KafkaPrincipal was, after
>> this
>> > KIP
>> > > > we
>> > > > > > > would
>> > > > > > > > > not
>> > > > > > > > > > be
>> > > > > > > > > > > required to create KafkaPrincipal and if we want to
>> > > maintain
>> > > > > the
>> > > > > > > old
>> > > > > > > > > > > logging, we will have to create it as we do today.
>> > > > > > > > > > > I will take care that we specify the Principal name in
>> > the
>> > > > log.
>> > > > > > > > > > >
>> > > > > > > > > > > Thanks again for all the reviews.
>> > > > > > > > > > >
>> > > > > > > > > > > Thanks,
>> > > > > > > > > > >
>> > > > > > > > > > > Mayuresh
>> > > > > > > > > > >
>> > > > > > > > > > > On Wed, Feb 22, 2017 at 1:45 PM, Jun Rao <
>> > j...@confluent.io
>> > > >
>> > > > > > wrote:
>> > > > > > > > > > >
>> > > > > > > > > > > > Hi, Mayuresh,
>> > > > > > > > > > > >
>> > > > > > > > > > > > For logging the user name, we could do either way.
>> We
>> > > just
>> > > > > need
>> > > > > > > to
>> > > > > > > > > make
>> > > > > > > > > > > > sure the expected user name is logged. Also,
>> currently,
>> > > we
>> > > > > are
>> > > > > > > > > already
>> > > > > > > > > > > > creating a KafkaPrincipal on every request. +1 on
>> the
>> > > > latest
>> > > > > > KIP.
>> > > > > > > > > > > >
>> > > > > > > > > > > > Thanks,
>> > > > > > > > > > > >
>> > > > > > > > > > > > Jun
>> > > > > > > > > > > >
>> > > > > > > > > > > >
>> > > > > > > > > > > > On Tue, Feb 21, 2017 at 8:05 PM, Mayuresh Gharat <
>> > > > > > > > > > > > gharatmayures...@gmail.com
>> > > > > > > > > > > > > wrote:
>> > > > > > > > > > > >
>> > > > > > > > > > > > > Hi Jun,
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > Thanks for the comments.
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > I will mention in the KIP : how this change
>> doesn't
>> > > > affect
>> > > > > > the
>> > > > > > > > > > default
>> > > > > > > > > > > > > authorizer implementation.
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > Regarding, Currently, we log the principal name in
>> > the
>> > > > > > request
>> > > > > > > > log
>> > > > > > > > > in
>> > > > > > > > > > > > > RequestChannel, which has the format of
>> > "principalType
>> > > +
>> > > > > > > > SEPARATOR
>> > > > > > > > > +
>> > > > > > > > > > > > > name;".
>> > > > > > > > > > > > > It would be good if we can keep the same
>> convention
>> > > after
>> > > > > > this
>> > > > > > > > KIP.
>> > > > > > > > > > One
>> > > > > > > > > > > > way
>> > > > > > > > > > > > > to do that is to convert java.security.Principal
>> to
>> > > > > > > > KafkaPrincipal
>> > > > > > > > > > for
>> > > > > > > > > > > > > logging the requests.
>> > > > > > > > > > > > > --- > This would mean we have to create a new
>> > > > > KafkaPrincipal
>> > > > > > on
>> > > > > > > > > each
>> > > > > > > > > > > > > request. Would it be OK to just specify the name
>> of
>> > the
>> > > > > > > > principal.
>> > > > > > > > > > > > > Is there any major reason, we don't want to change
>> > the
>> > > > > > logging
>> > > > > > > > > > format?
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > >
>> > > > > > > > > > > > >
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > On Mon, Feb 20, 2017 at 10:18 PM, Jun Rao <
>> > > > > j...@confluent.io>
>> > > > > > > > > wrote:
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > > Hi, Mayuresh,
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > Thanks for the updated KIP. A couple of more
>> > > comments.
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > 1. Do we convert java.security.Principal to
>> > > > > KafkaPrincipal
>> > > > > > > for
>> > > > > > > > > > > > > > authorization check in SimpleAclAuthorizer? If
>> so,
>> > it
>> > > > > would
>> > > > > > > be
>> > > > > > > > > > useful
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > > mention that in the wiki so that people can
>> > > understand
>> > > > > how
>> > > > > > > this
>> > > > > > > > > > > change
>> > > > > > > > > > > > > > doesn't affect the default authorizer
>> > implementation.
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > 2. Currently, we log the principal name in the
>> > > request
>> > > > > log
>> > > > > > in
>> > > > > > > > > > > > > > RequestChannel, which has the format of
>> > > "principalType
>> > > > +
>> > > > > > > > > SEPARATOR
>> > > > > > > > > > +
>> > > > > > > > > > > > > > name;".
>> > > > > > > > > > > > > > It would be good if we can keep the same
>> convention
>> > > > after
>> > > > > > > this
>> > > > > > > > > KIP.
>> > > > > > > > > > > One
>> > > > > > > > > > > > > way
>> > > > > > > > > > > > > > to do that is to convert
>> java.security.Principal to
>> > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > for
>> > > > > > > > > > > > > > logging the requests.
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > Jun
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 5:35 PM, Mayuresh
>> Gharat <
>> > > > > > > > > > > > > > gharatmayures...@gmail.com
>> > > > > > > > > > > > > > > wrote:
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > Hi Jun,
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > I have updated the KIP. Would you mind taking
>> > > another
>> > > > > > look?
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 4:42 PM, Mayuresh
>> Gharat
>> > <
>> > > > > > > > > > > > > > > gharatmayures...@gmail.com
>> > > > > > > > > > > > > > > > wrote:
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > Hi Jun,
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > Sure sounds good to me.
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 1:54 PM, Jun Rao <
>> > > > > > > j...@confluent.io
>> > > > > > > > >
>> > > > > > > > > > > wrote:
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> Hi, Mani,
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> Good point on using PrincipalBuilder for
>> SASL.
>> > > It
>> > > > > > seems
>> > > > > > > > that
>> > > > > > > > > > > > > > > >> PrincipalBuilder already has access to
>> > > > > Authenticator.
>> > > > > > > So,
>> > > > > > > > we
>> > > > > > > > > > > could
>> > > > > > > > > > > > > > just
>> > > > > > > > > > > > > > > >> enable that in SaslChannelBuilder. We
>> probably
>> > > > could
>> > > > > > do
>> > > > > > > > that
>> > > > > > > > > > in
>> > > > > > > > > > > a
>> > > > > > > > > > > > > > > separate
>> > > > > > > > > > > > > > > >> KIP?
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> Hi, Mayuresh,
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> If you don't think there is a concrete use
>> > case
>> > > > for
>> > > > > > > using
>> > > > > > > > > > > > > > > >> PrincipalBuilder in
>> > > > > > > > > > > > > > > >> kafka-acls.sh, perhaps we could do the
>> simpler
>> > > > > > approach
>> > > > > > > > for
>> > > > > > > > > > now?
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> Thanks,
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> Jun
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> On Fri, Feb 17, 2017 at 12:23 PM, Mayuresh
>> > > Gharat
>> > > > <
>> > > > > > > > > > > > > > > >> gharatmayures...@gmail.com> wrote:
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >> > @Manikumar,
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > Can you give an example how you are
>> planning
>> > > to
>> > > > > use
>> > > > > > > > > > > > > > PrincipalBuilder?
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > @Jun
>> > > > > > > > > > > > > > > >> > Yes, that is right. To give a brief
>> > overview,
>> > > we
>> > > > > > just
>> > > > > > > > > > extract
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > cert
>> > > > > > > > > > > > > > > >> and
>> > > > > > > > > > > > > > > >> > hand it over to a third party library for
>> > > > > creating a
>> > > > > > > > > > > Principal.
>> > > > > > > > > > > > So
>> > > > > > > > > > > > > > we
>> > > > > > > > > > > > > > > >> > cannot create a Principal from just a
>> > string.
>> > > > > > > > > > > > > > > >> > The main motive behind adding the
>> > > > PrincipalBuilder
>> > > > > > for
>> > > > > > > > > > > > > kafk-acls.sh
>> > > > > > > > > > > > > > > was
>> > > > > > > > > > > > > > > >> > that someone else (who can generate a
>> > > Principal
>> > > > > from
>> > > > > > > map
>> > > > > > > > > of
>> > > > > > > > > > > > > > propertie,
>> > > > > > > > > > > > > > > >> > <String, String> for example) can use it.
>> > > > > > > > > > > > > > > >> > As I said, Linkedin is fine with not
>> making
>> > > any
>> > > > > > > changes
>> > > > > > > > to
>> > > > > > > > > > > > > > > Kafka-acls.sh
>> > > > > > > > > > > > > > > >> > for now. But we thought that it would be
>> a
>> > > good
>> > > > > > > > > improvement
>> > > > > > > > > > to
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > tool
>> > > > > > > > > > > > > > > >> and
>> > > > > > > > > > > > > > > >> > it makes it more flexible and usable.
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > Let us know your thoughts, if you would
>> like
>> > > us
>> > > > to
>> > > > > > > make
>> > > > > > > > > > > > > > kafka-acls.sh
>> > > > > > > > > > > > > > > >> more
>> > > > > > > > > > > > > > > >> > flexible and usable and not limited to
>> > > > Authorizer
>> > > > > > > coming
>> > > > > > > > > out
>> > > > > > > > > > > of
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > box.
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > Thanks,
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > Mayuresh
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > On Thu, Feb 16, 2017 at 10:18 PM,
>> Manikumar
>> > <
>> > > > > > > > > > > > > > > manikumar.re...@gmail.com>
>> > > > > > > > > > > > > > > >> > wrote:
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > > Hi Jun,
>> > > > > > > > > > > > > > > >> > >
>> > > > > > > > > > > > > > > >> > > yes, we can just customize rules to
>> send
>> > > full
>> > > > > > > > principal
>> > > > > > > > > > > > name. I
>> > > > > > > > > > > > > > was
>> > > > > > > > > > > > > > > >> > > just thinking to
>> > > > > > > > > > > > > > > >> > > use PrinciplaBuilder interface for
>> > > > implementing
>> > > > > > SASL
>> > > > > > > > > rules
>> > > > > > > > > > > > also.
>> > > > > > > > > > > > > > So
>> > > > > > > > > > > > > > > >> that
>> > > > > > > > > > > > > > > >> > > the interface
>> > > > > > > > > > > > > > > >> > > will be consistent across protocols.
>> > > > > > > > > > > > > > > >> > >
>> > > > > > > > > > > > > > > >> > > Thanks
>> > > > > > > > > > > > > > > >> > >
>> > > > > > > > > > > > > > > >> > > On Fri, Feb 17, 2017 at 1:07 AM, Jun
>> Rao <
>> > > > > > > > > > j...@confluent.io>
>> > > > > > > > > > > > > > wrote:
>> > > > > > > > > > > > > > > >> > >
>> > > > > > > > > > > > > > > >> > > > Hi, Radai, Mayuresh,
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > Thanks for the explanation. Good
>> point
>> > on
>> > > a
>> > > > > > > > pluggable
>> > > > > > > > > > > > > authorizer
>> > > > > > > > > > > > > > > can
>> > > > > > > > > > > > > > > >> > > > customize how acls are added.
>> However,
>> > > > > earlier,
>> > > > > > > > > Mayuresh
>> > > > > > > > > > > was
>> > > > > > > > > > > > > > > saying
>> > > > > > > > > > > > > > > >> > that
>> > > > > > > > > > > > > > > >> > > in
>> > > > > > > > > > > > > > > >> > > > LinkedIn's customized authorizer,
>> it's
>> > not
>> > > > > > > possible
>> > > > > > > > to
>> > > > > > > > > > > > create
>> > > > > > > > > > > > > a
>> > > > > > > > > > > > > > > >> > principal
>> > > > > > > > > > > > > > > >> > > > from string. If that's the case, will
>> > > adding
>> > > > > the
>> > > > > > > > > > principal
>> > > > > > > > > > > > > > builder
>> > > > > > > > > > > > > > > >> in
>> > > > > > > > > > > > > > > >> > > > kafka-acl.sh help? If the principal
>> can
>> > be
>> > > > > > > > constructed
>> > > > > > > > > > > from
>> > > > > > > > > > > > a
>> > > > > > > > > > > > > > > >> string,
>> > > > > > > > > > > > > > > >> > > > wouldn't it be simpler to just let
>> > > > > kafka-acl.sh
>> > > > > > do
>> > > > > > > > > > > > > authorization
>> > > > > > > > > > > > > > > >> based
>> > > > > > > > > > > > > > > >> > on
>> > > > > > > > > > > > > > > >> > > > that string name and not be aware of
>> the
>> > > > > > principal
>> > > > > > > > > > > builder?
>> > > > > > > > > > > > If
>> > > > > > > > > > > > > > you
>> > > > > > > > > > > > > > > >> > still
>> > > > > > > > > > > > > > > >> > > > think there is a need, perhaps you
>> can
>> > > add a
>> > > > > > more
>> > > > > > > > > > concrete
>> > > > > > > > > > > > use
>> > > > > > > > > > > > > > > case
>> > > > > > > > > > > > > > > >> > that
>> > > > > > > > > > > > > > > >> > > > can't be done otherwise?
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > Hi, Mani,
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > For SASL, if the authorizer needs the
>> > full
>> > > > > > > kerberos
>> > > > > > > > > > > > principal
>> > > > > > > > > > > > > > > name,
>> > > > > > > > > > > > > > > >> > > > currently, the user can just
>> customize "
>> > > > > > > > > > > > > > > sasl.kerberos.principal.to.
>> > > > > > > > > > > > > > > >> > > > local.rules"
>> > > > > > > > > > > > > > > >> > > > to return the full principal name as
>> the
>> > > > name
>> > > > > > for
>> > > > > > > > > > > > > authorization,
>> > > > > > > > > > > > > > > >> right?
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > Thanks,
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > Jun
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > On Wed, Feb 15, 2017 at 10:25 AM,
>> > Mayuresh
>> > > > > > Gharat
>> > > > > > > <
>> > > > > > > > > > > > > > > >> > > > gharatmayures...@gmail.com> wrote:
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > > @Jun thanks for the comments.Please
>> > see
>> > > > the
>> > > > > > > > replies
>> > > > > > > > > > > > inline.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Currently kafka-acl.sh just
>> creates an
>> > > ACL
>> > > > > > path
>> > > > > > > in
>> > > > > > > > > ZK
>> > > > > > > > > > > with
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > principal
>> > > > > > > > > > > > > > > >> > > > > name string.
>> > > > > > > > > > > > > > > >> > > > > ----> Yes, the kafka-acl.sh calls
>> the
>> > > > > addAcl()
>> > > > > > > on
>> > > > > > > > > the
>> > > > > > > > > > > > > inbuilt
>> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer which in turn
>> > > creates
>> > > > an
>> > > > > > ACL
>> > > > > > > > in
>> > > > > > > > > ZK
>> > > > > > > > > > > > with
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > Principal
>> > > > > > > > > > > > > > > >> > > > > name string. This is because we
>> supply
>> > > the
>> > > > > > > > > > > > > SimpleAclAuthorizer
>> > > > > > > > > > > > > > > as
>> > > > > > > > > > > > > > > >> a
>> > > > > > > > > > > > > > > >> > > > > commandline argument in the
>> > > Kafka-acls.sh
>> > > > > > > command.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > The authorizer module in the broker
>> > > reads
>> > > > > the
>> > > > > > > > > > principal
>> > > > > > > > > > > > name
>> > > > > > > > > > > > > > > >> > > > > string from the acl path in ZK and
>> > > creates
>> > > > > the
>> > > > > > > > > > expected
>> > > > > > > > > > > > > > > >> > KafkaPrincipal
>> > > > > > > > > > > > > > > >> > > > for
>> > > > > > > > > > > > > > > >> > > > > matching. As you can see, the
>> expected
>> > > > > > principal
>> > > > > > > > is
>> > > > > > > > > > > > created
>> > > > > > > > > > > > > on
>> > > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > broker
>> > > > > > > > > > > > > > > >> > > > > side, not by the kafka-acl.sh tool.
>> > > > > > > > > > > > > > > >> > > > > ----> This is considering the fact
>> > that
>> > > > the
>> > > > > > user
>> > > > > > > > is
>> > > > > > > > > > > using
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer on the broker
>> side
>> > > and
>> > > > > not
>> > > > > > > his
>> > > > > > > > > own
>> > > > > > > > > > > > > custom
>> > > > > > > > > > > > > > > >> > > Authorizer.
>> > > > > > > > > > > > > > > >> > > > > The SimpleAclAuthorizer will take
>> the
>> > > > > > Principal
>> > > > > > > it
>> > > > > > > > > > gets
>> > > > > > > > > > > > from
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > Session
>> > > > > > > > > > > > > > > >> > > > > class . Currently the Principal is
>> > > > > > > KafkaPrincipal.
>> > > > > > > > > > This
>> > > > > > > > > > > > > > > >> > KafkaPrincipal
>> > > > > > > > > > > > > > > >> > > is
>> > > > > > > > > > > > > > > >> > > > > generated from the name of the
>> actual
>> > > > > channel
>> > > > > > > > > > Principal,
>> > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > > SocketServer
>> > > > > > > > > > > > > > > >> > > > > class when processing completed
>> > > receives.
>> > > > > > > > > > > > > > > >> > > > > With this KIP, this will no longer
>> be
>> > > the
>> > > > > case
>> > > > > > > as
>> > > > > > > > > the
>> > > > > > > > > > > > > Session
>> > > > > > > > > > > > > > > >> class
>> > > > > > > > > > > > > > > >> > > will
>> > > > > > > > > > > > > > > >> > > > > store a java.security.Principal
>> > instead
>> > > of
>> > > > > > > > specific
>> > > > > > > > > > > > > > > >> KafkaPrincipal.
>> > > > > > > > > > > > > > > >> > So
>> > > > > > > > > > > > > > > >> > > > the
>> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer will construct
>> the
>> > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > from
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > channel
>> > > > > > > > > > > > > > > >> > > > > Principal it gets from the Session
>> > > class.
>> > > > > > > > > > > > > > > >> > > > > User might not want to use the
>> > > > > > > SimpleAclAuthorizer
>> > > > > > > > > but
>> > > > > > > > > > > use
>> > > > > > > > > > > > > > > his/her
>> > > > > > > > > > > > > > > >> > own
>> > > > > > > > > > > > > > > >> > > > > custom Authorizer.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > The broker already has the ability
>> to
>> > > > > > > > > > > > > > > >> > > > > configure PrincipalBuilder. That's
>> > why I
>> > > > am
>> > > > > > not
>> > > > > > > > sure
>> > > > > > > > > > if
>> > > > > > > > > > > > > there
>> > > > > > > > > > > > > > > is a
>> > > > > > > > > > > > > > > >> > need
>> > > > > > > > > > > > > > > >> > > > for
>> > > > > > > > > > > > > > > >> > > > > kafka-acl.sh to customize
>> > > > PrincipalBuilder.
>> > > > > > > > > > > > > > > >> > > > > ----> This is exactly the reason
>> why
>> > we
>> > > > want
>> > > > > > to
>> > > > > > > > > > propose
>> > > > > > > > > > > a
>> > > > > > > > > > > > > > > >> > > > PrincipalBuilder
>> > > > > > > > > > > > > > > >> > > > > in kafka-acls.sh so that the
>> Principal
>> > > > > > generated
>> > > > > > > > by
>> > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > PrincipalBuilder
>> > > > > > > > > > > > > > > >> > > > on
>> > > > > > > > > > > > > > > >> > > > > broker is consistent with that
>> > generated
>> > > > > while
>> > > > > > > > > > creating
>> > > > > > > > > > > > ACLs
>> > > > > > > > > > > > > > > using
>> > > > > > > > > > > > > > > >> > the
>> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh command line tool.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > *To summarize the above
>> discussions :*
>> > > > > > > > > > > > > > > >> > > > > What if we only make the following
>> > > > changes:
>> > > > > > pass
>> > > > > > > > the
>> > > > > > > > > > > java
>> > > > > > > > > > > > > > > >> principal
>> > > > > > > > > > > > > > > >> > in
>> > > > > > > > > > > > > > > >> > > > > session and in
>> > > > > > > > > > > > > > > >> > > > > SimpleAuthorizer, construct
>> > > KafkaPrincipal
>> > > > > > from
>> > > > > > > > java
>> > > > > > > > > > > > > principal
>> > > > > > > > > > > > > > > >> name.
>> > > > > > > > > > > > > > > >> > > Will
>> > > > > > > > > > > > > > > >> > > > > that work for LinkedIn?
>> > > > > > > > > > > > > > > >> > > > > ------> Yes, this works for
>> Linkedin
>> > as
>> > > we
>> > > > > are
>> > > > > > > not
>> > > > > > > > > > using
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > kafka-acls.sh
>> > > > > > > > > > > > > > > >> > > > > tool to create/update/add ACLs, for
>> > now.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Do you think there is a use case
>> for a
>> > > > > > > customized
>> > > > > > > > > > > > authorizer
>> > > > > > > > > > > > > > and
>> > > > > > > > > > > > > > > >> > > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > at the
>> > > > > > > > > > > > > > > >> > > > > same time? If not, it's better not
>> to
>> > > > > > complicate
>> > > > > > > > the
>> > > > > > > > > > > > > kafka-acl
>> > > > > > > > > > > > > > > >> api.
>> > > > > > > > > > > > > > > >> > > > > -----> At Linkedin, we don't use
>> this
>> > > tool
>> > > > > for
>> > > > > > > > now.
>> > > > > > > > > So
>> > > > > > > > > > > we
>> > > > > > > > > > > > > are
>> > > > > > > > > > > > > > > fine
>> > > > > > > > > > > > > > > >> > with
>> > > > > > > > > > > > > > > >> > > > the
>> > > > > > > > > > > > > > > >> > > > > minimal change for now.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Initially, our change was minimal,
>> > just
>> > > > > > getting
>> > > > > > > > the
>> > > > > > > > > > > Kafka
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> preserve
>> > > > > > > > > > > > > > > >> > > the
>> > > > > > > > > > > > > > > >> > > > > channel principal. Since there was
>> a
>> > > > > > discussion
>> > > > > > > > how
>> > > > > > > > > > > > > > > kafka-acls.sh
>> > > > > > > > > > > > > > > >> > would
>> > > > > > > > > > > > > > > >> > > > > work with this change, on the
>> ticket,
>> > we
>> > > > > > > designed
>> > > > > > > > a
>> > > > > > > > > > > > detailed
>> > > > > > > > > > > > > > > >> solution
>> > > > > > > > > > > > > > > >> > > to
>> > > > > > > > > > > > > > > >> > > > > make this tool generally usable
>> with
>> > all
>> > > > > sorts
>> > > > > > > of
>> > > > > > > > > > > > > combinations
>> > > > > > > > > > > > > > > of
>> > > > > > > > > > > > > > > >> > > > > Authorizers and PrincipalBuilders
>> and
>> > > give
>> > > > > > more
>> > > > > > > > > > > > flexibility
>> > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > end
>> > > > > > > > > > > > > > > >> > > > > users.
>> > > > > > > > > > > > > > > >> > > > > Without the changes proposed for
>> > > > > kafka-acls.sh
>> > > > > > > in
>> > > > > > > > > this
>> > > > > > > > > > > > KIP,
>> > > > > > > > > > > > > it
>> > > > > > > > > > > > > > > >> cannot
>> > > > > > > > > > > > > > > >> > > be
>> > > > > > > > > > > > > > > >> > > > > used with a custom
>> > > > > Authorizer/PrinipalBuilder
>> > > > > > > but
>> > > > > > > > > will
>> > > > > > > > > > > > only
>> > > > > > > > > > > > > > work
>> > > > > > > > > > > > > > > >> with
>> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Although, I would actually like it
>> to
>> > > work
>> > > > > for
>> > > > > > > > > general
>> > > > > > > > > > > > > > scenario,
>> > > > > > > > > > > > > > > >> I am
>> > > > > > > > > > > > > > > >> > > > fine
>> > > > > > > > > > > > > > > >> > > > > with separating it under a separate
>> > KIP
>> > > > and
>> > > > > > > limit
>> > > > > > > > > the
>> > > > > > > > > > > > scope
>> > > > > > > > > > > > > of
>> > > > > > > > > > > > > > > >> this
>> > > > > > > > > > > > > > > >> > > KIP.
>> > > > > > > > > > > > > > > >> > > > > I will update the KIP accordingly
>> and
>> > > put
>> > > > > this
>> > > > > > > > under
>> > > > > > > > > > > > > rejected
>> > > > > > > > > > > > > > > >> > > > alternatives
>> > > > > > > > > > > > > > > >> > > > > and create a new KIP for the
>> > > Kafka-acls.sh
>> > > > > > > > changes.
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > @Manikumar
>> > > > > > > > > > > > > > > >> > > > > Since we are limiting the scope of
>> > this
>> > > > KIP
>> > > > > by
>> > > > > > > not
>> > > > > > > > > > > making
>> > > > > > > > > > > > > any
>> > > > > > > > > > > > > > > >> changes
>> > > > > > > > > > > > > > > >> > > to
>> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh, I will cover your
>> > concern
>> > > > in
>> > > > > a
>> > > > > > > > > separate
>> > > > > > > > > > > KIP
>> > > > > > > > > > > > > > that
>> > > > > > > > > > > > > > > I
>> > > > > > > > > > > > > > > >> > will
>> > > > > > > > > > > > > > > >> > > > put
>> > > > > > > > > > > > > > > >> > > > > up for kafka-acls.sh. Does that
>> work?
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > Mayuresh
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > On Wed, Feb 15, 2017 at 9:18 AM,
>> > radai <
>> > > > > > > > > > > > > > > >> radai.rosenbl...@gmail.com>
>> > > > > > > > > > > > > > > >> > > > wrote:
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > > @jun:
>> > > > > > > > > > > > > > > >> > > > > > "Currently kafka-acl.sh just
>> creates
>> > > an
>> > > > > ACL
>> > > > > > > path
>> > > > > > > > > in
>> > > > > > > > > > ZK
>> > > > > > > > > > > > > with
>> > > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > principal
>> > > > > > > > > > > > > > > >> > > > > > name string" - yes, but not
>> > directly.
>> > > > all
>> > > > > it
>> > > > > > > > > > actually
>> > > > > > > > > > > > does
>> > > > > > > > > > > > > > it
>> > > > > > > > > > > > > > > >> > spin-up
>> > > > > > > > > > > > > > > >> > > > the
>> > > > > > > > > > > > > > > >> > > > > > Authorizer and call
>> > > Authorizer.addAcl()
>> > > > on
>> > > > > > it.
>> > > > > > > > > > > > > > > >> > > > > > the vanilla Authorizer goes to
>> ZK.
>> > > > > > > > > > > > > > > >> > > > > > but generally speaking, users can
>> > plug
>> > > > in
>> > > > > > > their
>> > > > > > > > > own
>> > > > > > > > > > > > > > > Authorizers
>> > > > > > > > > > > > > > > >> > (that
>> > > > > > > > > > > > > > > >> > > > can
>> > > > > > > > > > > > > > > >> > > > > > store/load ACLs to/from
>> wherever).
>> > > > > > > > > > > > > > > >> > > > > >
>> > > > > > > > > > > > > > > >> > > > > > it would be nice if users who
>> > > customize
>> > > > > > > > > Authorizers
>> > > > > > > > > > > (and
>> > > > > > > > > > > > > > > >> > > > > PrincipalBuilders)
>> > > > > > > > > > > > > > > >> > > > > > did not immediately lose the
>> ability
>> > > to
>> > > > > use
>> > > > > > > > > > > kafka-acl.sh
>> > > > > > > > > > > > > > with
>> > > > > > > > > > > > > > > >> their
>> > > > > > > > > > > > > > > >> > > new
>> > > > > > > > > > > > > > > >> > > > > > Authorizers.
>> > > > > > > > > > > > > > > >> > > > > >
>> > > > > > > > > > > > > > > >> > > > > > On Wed, Feb 15, 2017 at 5:50 AM,
>> > > > > Manikumar <
>> > > > > > > > > > > > > > > >> > > manikumar.re...@gmail.com>
>> > > > > > > > > > > > > > > >> > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > Sorry, I am late to this
>> > discussion.
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder is only used
>> for
>> > > SSL
>> > > > > > > > Protocol.
>> > > > > > > > > > > > > > > >> > > > > > > For SASL, we use "
>> > > > > > > sasl.kerberos.principal.to.
>> > > > > > > > > > > > > local.rules"
>> > > > > > > > > > > > > > > >> config
>> > > > > > > > > > > > > > > >> > > to
>> > > > > > > > > > > > > > > >> > > > > map
>> > > > > > > > > > > > > > > >> > > > > > > SASL principal names to short
>> > names.
>> > > > To
>> > > > > > make
>> > > > > > > > it
>> > > > > > > > > > > > > > consistent,
>> > > > > > > > > > > > > > > >> > > > > > > Do we also need to pass the
>> SASL
>> > > full
>> > > > > > > > principal
>> > > > > > > > > > name
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > authorizer
>> > > > > > > > > > > > > > > >> > > ?
>> > > > > > > > > > > > > > > >> > > > > > > We may need to use
>> > PrincipalBuilder
>> > > > for
>> > > > > > > > mapping
>> > > > > > > > > > SASL
>> > > > > > > > > > > > > > names.
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > Related JIRA is here:
>> > > > > > > > > > > > > > > >> > > > > > > https://issues.apache.org/
>> > > > > > > > > jira/browse/KAFKA-2854
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > On Wed, Feb 15, 2017 at 7:47
>> AM,
>> > Jun
>> > > > > Rao <
>> > > > > > > > > > > > > > j...@confluent.io>
>> > > > > > > > > > > > > > > >> > wrote:
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > Hi, Radai,
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > Currently kafka-acl.sh just
>> > > creates
>> > > > an
>> > > > > > ACL
>> > > > > > > > > path
>> > > > > > > > > > in
>> > > > > > > > > > > > ZK
>> > > > > > > > > > > > > > with
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > > name string. The authorizer
>> > module
>> > > > in
>> > > > > > the
>> > > > > > > > > broker
>> > > > > > > > > > > > reads
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > principal
>> > > > > > > > > > > > > > > >> > > > > > name
>> > > > > > > > > > > > > > > >> > > > > > > > string from the acl path in
>> ZK
>> > and
>> > > > > > creates
>> > > > > > > > the
>> > > > > > > > > > > > > expected
>> > > > > > > > > > > > > > > >> > > > > KafkaPrincipal
>> > > > > > > > > > > > > > > >> > > > > > > for
>> > > > > > > > > > > > > > > >> > > > > > > > matching. As you can see, the
>> > > > expected
>> > > > > > > > > principal
>> > > > > > > > > > > is
>> > > > > > > > > > > > > > > created
>> > > > > > > > > > > > > > > >> on
>> > > > > > > > > > > > > > > >> > > the
>> > > > > > > > > > > > > > > >> > > > > > broker
>> > > > > > > > > > > > > > > >> > > > > > > > side, not by the kafka-acl.sh
>> > > tool.
>> > > > > The
>> > > > > > > > broker
>> > > > > > > > > > > > already
>> > > > > > > > > > > > > > has
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > > > ability
>> > > > > > > > > > > > > > > >> > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > configure PrincipalBuilder.
>> > That's
>> > > > > why I
>> > > > > > > am
>> > > > > > > > > not
>> > > > > > > > > > > sure
>> > > > > > > > > > > > > if
>> > > > > > > > > > > > > > > >> there
>> > > > > > > > > > > > > > > >> > is
>> > > > > > > > > > > > > > > >> > > a
>> > > > > > > > > > > > > > > >> > > > > need
>> > > > > > > > > > > > > > > >> > > > > > > for
>> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl.sh to customize
>> > > > > > > PrincipalBuilder.
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > Jun
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > On Mon, Feb 13, 2017 at 7:01
>> PM,
>> > > > > radai <
>> > > > > > > > > > > > > > > >> > > radai.rosenbl...@gmail.com
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > if i understand correctly,
>> > > > > > kafka-acls.sh
>> > > > > > > > > spins
>> > > > > > > > > > > up
>> > > > > > > > > > > > an
>> > > > > > > > > > > > > > > >> instance
>> > > > > > > > > > > > > > > >> > > of
>> > > > > > > > > > > > > > > >> > > > > (the
>> > > > > > > > > > > > > > > >> > > > > > > > > custom, in our case)
>> > Authorizer,
>> > > > and
>> > > > > > > calls
>> > > > > > > > > > > things
>> > > > > > > > > > > > > like
>> > > > > > > > > > > > > > > >> > > > > addAcls(acls:
>> > > > > > > > > > > > > > > >> > > > > > > > > Set[Acl], resource:
>> Resource)
>> > on
>> > > > it,
>> > > > > > > which
>> > > > > > > > > are
>> > > > > > > > > > > > > defined
>> > > > > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > > > > > interface,
>> > > > > > > > > > > > > > > >> > > > > > > > > hence expected to be
>> > > "extensible".
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > (side note: if Authorizer
>> and
>> > > > > > > > > PrincipalBuilder
>> > > > > > > > > > > are
>> > > > > > > > > > > > > > > >> defined as
>> > > > > > > > > > > > > > > >> > > > > > > extensible
>> > > > > > > > > > > > > > > >> > > > > > > > > interfaces, why doesnt
>> class
>> > > Acl,
>> > > > > > which
>> > > > > > > is
>> > > > > > > > > in
>> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> signature
>> > > > > > > > > > > > > > > >> > for
>> > > > > > > > > > > > > > > >> > > > > > > > Authorizer
>> > > > > > > > > > > > > > > >> > > > > > > > > calls, use
>> > > > java.security.Principal?)
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > we would like to be able to
>> > use
>> > > > the
>> > > > > > > > standard
>> > > > > > > > > > > > > kafka-acl
>> > > > > > > > > > > > > > > >> > command
>> > > > > > > > > > > > > > > >> > > > line
>> > > > > > > > > > > > > > > >> > > > > > for
>> > > > > > > > > > > > > > > >> > > > > > > > > defining ACLs even when
>> > > replacing
>> > > > > the
>> > > > > > > > > vanilla
>> > > > > > > > > > > > > > Authorizer
>> > > > > > > > > > > > > > > >> and
>> > > > > > > > > > > > > > > >> > > > > > > > > PrincipalBuilder (even
>> though
>> > we
>> > > > > have
>> > > > > > a
>> > > > > > > > > > > management
>> > > > > > > > > > > > > UI
>> > > > > > > > > > > > > > > for
>> > > > > > > > > > > > > > > >> > these
>> > > > > > > > > > > > > > > >> > > > > > > > operations
>> > > > > > > > > > > > > > > >> > > > > > > > > within linkedin) - simply
>> > > because
>> > > > > > thats
>> > > > > > > > the
>> > > > > > > > > > > > correct
>> > > > > > > > > > > > > > > thing
>> > > > > > > > > > > > > > > >> to
>> > > > > > > > > > > > > > > >> > do
>> > > > > > > > > > > > > > > >> > > > > from
>> > > > > > > > > > > > > > > >> > > > > > an
>> > > > > > > > > > > > > > > >> > > > > > > > > extensibility point of
>> view.
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > On Mon, Feb 13, 2017 at
>> 1:39
>> > PM,
>> > > > Jun
>> > > > > > > Rao <
>> > > > > > > > > > > > > > > >> j...@confluent.io>
>> > > > > > > > > > > > > > > >> > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > Hi, Mayuresh,
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > I seems to me that there
>> are
>> > > two
>> > > > > > > common
>> > > > > > > > > use
>> > > > > > > > > > > > cases
>> > > > > > > > > > > > > of
>> > > > > > > > > > > > > > > >> > > > authorizer.
>> > > > > > > > > > > > > > > >> > > > > > (1)
>> > > > > > > > > > > > > > > >> > > > > > > > Use
>> > > > > > > > > > > > > > > >> > > > > > > > > > the default
>> SimpleAuthorizer
>> > > and
>> > > > > the
>> > > > > > > > > > kafka-acl
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > do
>> > > > > > > > > > > > > > > >> > > > > authorization.
>> > > > > > > > > > > > > > > >> > > > > > > (2)
>> > > > > > > > > > > > > > > >> > > > > > > > > Use
>> > > > > > > > > > > > > > > >> > > > > > > > > > a customized authorizer
>> and
>> > an
>> > > > > > > external
>> > > > > > > > > tool
>> > > > > > > > > > > for
>> > > > > > > > > > > > > > > >> > > authorization.
>> > > > > > > > > > > > > > > >> > > > > Do
>> > > > > > > > > > > > > > > >> > > > > > > you
>> > > > > > > > > > > > > > > >> > > > > > > > > > think there is a use case
>> > for
>> > > a
>> > > > > > > > customized
>> > > > > > > > > > > > > > authorizer
>> > > > > > > > > > > > > > > >> and
>> > > > > > > > > > > > > > > >> > > > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > > > at
>> > > > > > > > > > > > > > > >> > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > same time? If not, it's
>> > better
>> > > > not
>> > > > > > to
>> > > > > > > > > > > complicate
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > api.
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > Jun
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > On Mon, Feb 13, 2017 at
>> > 10:35
>> > > > AM,
>> > > > > > > > Mayuresh
>> > > > > > > > > > > > Gharat
>> > > > > > > > > > > > > <
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> gharatmayures...@gmail.com>
>> > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Hi Jun,
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks for the review
>> and
>> > > > > > comments.
>> > > > > > > > > Please
>> > > > > > > > > > > > find
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > replies
>> > > > > > > > > > > > > > > >> > > > > > inline
>> > > > > > > > > > > > > > > >> > > > > > > :
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > This is so that in the
>> > > future,
>> > > > > we
>> > > > > > > can
>> > > > > > > > > > extend
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > > > types
>> > > > > > > > > > > > > > > >> > like
>> > > > > > > > > > > > > > > >> > > > > group.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > ---> Yep, I did think
>> the
>> > > > same.
>> > > > > > But
>> > > > > > > > > since
>> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > SocketServer
>> > > > > > > > > > > > > > > >> > > > was
>> > > > > > > > > > > > > > > >> > > > > > > always
>> > > > > > > > > > > > > > > >> > > > > > > > > > > creating User type, it
>> > > wasn't
>> > > > > > > actually
>> > > > > > > > > > used.
>> > > > > > > > > > > > If
>> > > > > > > > > > > > > we
>> > > > > > > > > > > > > > > go
>> > > > > > > > > > > > > > > >> > ahead
>> > > > > > > > > > > > > > > >> > > > > with
>> > > > > > > > > > > > > > > >> > > > > > > > > changes
>> > > > > > > > > > > > > > > >> > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > this KIP, we will give
>> > this
>> > > > > power
>> > > > > > of
>> > > > > > > > > > > creating
>> > > > > > > > > > > > > > > >> different
>> > > > > > > > > > > > > > > >> > > > > Principal
>> > > > > > > > > > > > > > > >> > > > > > > > types
>> > > > > > > > > > > > > > > >> > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > > the PrincipalBuilder
>> > (which
>> > > > > users
>> > > > > > > can
>> > > > > > > > > > define
>> > > > > > > > > > > > > there
>> > > > > > > > > > > > > > > >> own).
>> > > > > > > > > > > > > > > >> > In
>> > > > > > > > > > > > > > > >> > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > way
>> > > > > > > > > > > > > > > >> > > > > > > > > > Kafka
>> > > > > > > > > > > > > > > >> > > > > > > > > > > will not have to deal
>> with
>> > > > > > handling
>> > > > > > > > > this.
>> > > > > > > > > > So
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > Principal
>> > > > > > > > > > > > > > > >> > > > > > building
>> > > > > > > > > > > > > > > >> > > > > > > > and
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization will be
>> > opaque
>> > > > to
>> > > > > > > Kafka
>> > > > > > > > > > which
>> > > > > > > > > > > > > seems
>> > > > > > > > > > > > > > > >> like an
>> > > > > > > > > > > > > > > >> > > > > > expected
>> > > > > > > > > > > > > > > >> > > > > > > > > > > behavior.
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Hmm, normally, the
>> > > > > configurations
>> > > > > > > you
>> > > > > > > > > > > specify
>> > > > > > > > > > > > > for
>> > > > > > > > > > > > > > > >> > plug-ins
>> > > > > > > > > > > > > > > >> > > > > refer
>> > > > > > > > > > > > > > > >> > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > those
>> > > > > > > > > > > > > > > >> > > > > > > > > > > needed to construct the
>> > > > plug-in
>> > > > > > > > object.
>> > > > > > > > > > So,
>> > > > > > > > > > > > it's
>> > > > > > > > > > > > > > > kind
>> > > > > > > > > > > > > > > >> of
>> > > > > > > > > > > > > > > >> > > > weird
>> > > > > > > > > > > > > > > >> > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > use
>> > > > > > > > > > > > > > > >> > > > > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > > > to call a method. For
>> > > example,
>> > > > > why
>> > > > > > > > can't
>> > > > > > > > > > > > > > > >> > > > > > > > principalBuilderService.rest.
>> > > > > > > > > > > > > > > >> > > > > > > > > > url
>> > > > > > > > > > > > > > > >> > > > > > > > > > > be passed in through
>> the
>> > > > > > configure()
>> > > > > > > > > > method
>> > > > > > > > > > > > and
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > implementation
>> > > > > > > > > > > > > > > >> > > > > > > > can
>> > > > > > > > > > > > > > > >> > > > > > > > > > use
>> > > > > > > > > > > > > > > >> > > > > > > > > > > that to build
>> principal.
>> > > This
>> > > > > way,
>> > > > > > > > there
>> > > > > > > > > > is
>> > > > > > > > > > > > > only a
>> > > > > > > > > > > > > > > >> single
>> > > > > > > > > > > > > > > >> > > > > method
>> > > > > > > > > > > > > > > >> > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > compute
>> > > > > > > > > > > > > > > >> > > > > > > > > > > the principal in a
>> > > consistent
>> > > > > way
>> > > > > > in
>> > > > > > > > the
>> > > > > > > > > > > > broker
>> > > > > > > > > > > > > > and
>> > > > > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > the
>> > > > > > > > > > > > > > > >> > > > > > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > > > > > > tool.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> We can do that as
>> > > well.
>> > > > > But
>> > > > > > > > since
>> > > > > > > > > > the
>> > > > > > > > > > > > rest
>> > > > > > > > > > > > > > url
>> > > > > > > > > > > > > > > >> is
>> > > > > > > > > > > > > > > >> > not
>> > > > > > > > > > > > > > > >> > > > > > related
>> > > > > > > > > > > > > > > >> > > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Principal, it seems
>> out of
>> > > > place
>> > > > > > to
>> > > > > > > me
>> > > > > > > > > to
>> > > > > > > > > > > pass
>> > > > > > > > > > > > > it
>> > > > > > > > > > > > > > > >> every
>> > > > > > > > > > > > > > > >> > > time
>> > > > > > > > > > > > > > > >> > > > we
>> > > > > > > > > > > > > > > >> > > > > > > have
>> > > > > > > > > > > > > > > >> > > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > > create a Principal. I
>> > should
>> > > > > > replace
>> > > > > > > > > > > > > > > >> "principalConfigs"
>> > > > > > > > > > > > > > > >> > > with
>> > > > > > > > > > > > > > > >> > > > > > > > > > > "principalProperties".
>> > > > > > > > > > > > > > > >> > > > > > > > > > > I was trying to
>> > > differentiate
>> > > > > the
>> > > > > > > > > > > > > > configs/properties
>> > > > > > > > > > > > > > > >> that
>> > > > > > > > > > > > > > > >> > > are
>> > > > > > > > > > > > > > > >> > > > > > used
>> > > > > > > > > > > > > > > >> > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > > create the
>> > PrincipalBuilder
>> > > > > class
>> > > > > > > and
>> > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > Principal/Principals
>> > > > > > > > > > > > > > > >> > > > > > > > itself.
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > For LinkedIn's use
>> case,
>> > do
>> > > > you
>> > > > > > > > actually
>> > > > > > > > > > use
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > tool?
>> > > > > > > > > > > > > > > >> > > > > > My
>> > > > > > > > > > > > > > > >> > > > > > > > > > > understanding is that
>> > > LinkedIn
>> > > > > > does
>> > > > > > > > > > > > > authorization
>> > > > > > > > > > > > > > > >> through
>> > > > > > > > > > > > > > > >> > > an
>> > > > > > > > > > > > > > > >> > > > > > > external
>> > > > > > > > > > > > > > > >> > > > > > > > > > tool.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> For Linkedin's
>> use
>> > > case
>> > > > we
>> > > > > > > don't
>> > > > > > > > > > > > actually
>> > > > > > > > > > > > > > use
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > > > > tool
>> > > > > > > > > > > > > > > >> > > > > > > > > > > right now. As per the
>> > > > discussion
>> > > > > > > that
>> > > > > > > > we
>> > > > > > > > > > had
>> > > > > > > > > > > > on
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > https://issues.apache.org/
>> > > > > > > > > > > > > jira/browse/KAFKA-4454,
>> > > > > > > > > > > > > > > we
>> > > > > > > > > > > > > > > >> > > thought
>> > > > > > > > > > > > > > > >> > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > it
>> > > > > > > > > > > > > > > >> > > > > > > > > > would
>> > > > > > > > > > > > > > > >> > > > > > > > > > > be good to make
>> kafka-acl
>> > > tool
>> > > > > > > > changes,
>> > > > > > > > > to
>> > > > > > > > > > > > make
>> > > > > > > > > > > > > it
>> > > > > > > > > > > > > > > >> > flexible
>> > > > > > > > > > > > > > > >> > > > and
>> > > > > > > > > > > > > > > >> > > > > > we
>> > > > > > > > > > > > > > > >> > > > > > > > > might
>> > > > > > > > > > > > > > > >> > > > > > > > > > be
>> > > > > > > > > > > > > > > >> > > > > > > > > > > even able to use it in
>> > > future.
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > It seems it's simpler
>> if
>> > > > > kafka-acl
>> > > > > > > > > doesn't
>> > > > > > > > > > > to
>> > > > > > > > > > > > > need
>> > > > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > understand
>> > > > > > > > > > > > > > > >> > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > principal builder. The
>> > tool
>> > > > does
>> > > > > > > > > > > authorization
>> > > > > > > > > > > > > > based
>> > > > > > > > > > > > > > > >> on a
>> > > > > > > > > > > > > > > >> > > > > string
>> > > > > > > > > > > > > > > >> > > > > > > > name,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > which is expected to
>> match
>> > > the
>> > > > > > > > principal
>> > > > > > > > > > > name.
>> > > > > > > > > > > > > > So, I
>> > > > > > > > > > > > > > > >> am
>> > > > > > > > > > > > > > > >> > > > > wondering
>> > > > > > > > > > > > > > > >> > > > > > > why
>> > > > > > > > > > > > > > > >> > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > tool needs to know the
>> > > > principal
>> > > > > > > > > builder.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> If we don't make
>> > this
>> > > > > > change,
>> > > > > > > I
>> > > > > > > > am
>> > > > > > > > > > not
>> > > > > > > > > > > > > sure
>> > > > > > > > > > > > > > > how
>> > > > > > > > > > > > > > > >> > > > > clients/end
>> > > > > > > > > > > > > > > >> > > > > > > > users
>> > > > > > > > > > > > > > > >> > > > > > > > > > > will be able to use
>> this
>> > > tool
>> > > > if
>> > > > > > > they
>> > > > > > > > > have
>> > > > > > > > > > > > there
>> > > > > > > > > > > > > > own
>> > > > > > > > > > > > > > > >> > > > Authorizer
>> > > > > > > > > > > > > > > >> > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > does
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization based on
>> > > > > Principal,
>> > > > > > > that
>> > > > > > > > > has
>> > > > > > > > > > > > more
>> > > > > > > > > > > > > > > >> > information
>> > > > > > > > > > > > > > > >> > > > > apart
>> > > > > > > > > > > > > > > >> > > > > > > > from
>> > > > > > > > > > > > > > > >> > > > > > > > > > name
>> > > > > > > > > > > > > > > >> > > > > > > > > > > and type.
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > What if we only make
>> the
>> > > > > following
>> > > > > > > > > > changes:
>> > > > > > > > > > > > pass
>> > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> java
>> > > > > > > > > > > > > > > >> > > > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > > in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > session and in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > SimpleAuthorizer,
>> > construct
>> > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > > from
>> > > > > > > > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > name.
>> > > > > > > > > > > > > > > >> > > > > > > > > Will
>> > > > > > > > > > > > > > > >> > > > > > > > > > > that work for LinkedIn?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> This can work for
>> > > > Linkedin
>> > > > > > but
>> > > > > > > > as
>> > > > > > > > > > > > > explained
>> > > > > > > > > > > > > > > >> above,
>> > > > > > > > > > > > > > > >> > it
>> > > > > > > > > > > > > > > >> > > > > does
>> > > > > > > > > > > > > > > >> > > > > > > not
>> > > > > > > > > > > > > > > >> > > > > > > > > seem
>> > > > > > > > > > > > > > > >> > > > > > > > > > > like a complete design
>> > from
>> > > > open
>> > > > > > > > source
>> > > > > > > > > > > point
>> > > > > > > > > > > > of
>> > > > > > > > > > > > > > > view.
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > On Thu, Feb 9, 2017 at
>> > 11:29
>> > > > AM,
>> > > > > > Jun
>> > > > > > > > > Rao <
>> > > > > > > > > > > > > > > >> > j...@confluent.io
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hi, Mayuresh,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks for the
>> reply. A
>> > > few
>> > > > > more
>> > > > > > > > > > comments
>> > > > > > > > > > > > > below.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > On Wed, Feb 8, 2017
>> at
>> > > 9:14
>> > > > > PM,
>> > > > > > > > > Mayuresh
>> > > > > > > > > > > > > Gharat
>> > > > > > > > > > > > > > <
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > gharatmayures...@gmail.com>
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Hi Jun,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks for the
>> review.
>> > > > > Please
>> > > > > > > find
>> > > > > > > > > the
>> > > > > > > > > > > > > > responses
>> > > > > > > > > > > > > > > >> > > inline.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1. It seems the
>> > problem
>> > > > that
>> > > > > > you
>> > > > > > > > are
>> > > > > > > > > > > > trying
>> > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > address
>> > > > > > > > > > > > > > > >> > > is
>> > > > > > > > > > > > > > > >> > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal returned
>> > from
>> > > > > > > > KafkaChannel
>> > > > > > > > > > may
>> > > > > > > > > > > > > have
>> > > > > > > > > > > > > > > >> > > additional
>> > > > > > > > > > > > > > > >> > > > > > fields
>> > > > > > > > > > > > > > > >> > > > > > > > > than
>> > > > > > > > > > > > > > > >> > > > > > > > > > > name
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > that are needed
>> during
>> > > > > > > > > authorization.
>> > > > > > > > > > > Have
>> > > > > > > > > > > > > you
>> > > > > > > > > > > > > > > >> > > > considered a
>> > > > > > > > > > > > > > > >> > > > > > > > > > customized
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipleBuilder
>> that
>> > > > > extracts
>> > > > > > > all
>> > > > > > > > > > > needed
>> > > > > > > > > > > > > > fields
>> > > > > > > > > > > > > > > >> from
>> > > > > > > > > > > > > > > >> > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > > > > > and
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > squeezes them as a
>> > json
>> > > in
>> > > > > the
>> > > > > > > > name
>> > > > > > > > > of
>> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> returned
>> > > > > > > > > > > > > > > >> > > > > > principal?
>> > > > > > > > > > > > > > > >> > > > > > > > > Then,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > authorizer can just
>> > > parse
>> > > > > the
>> > > > > > > json
>> > > > > > > > > and
>> > > > > > > > > > > > > extract
>> > > > > > > > > > > > > > > >> needed
>> > > > > > > > > > > > > > > >> > > > > fields.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes we had
>> > thought
>> > > > > about
>> > > > > > > > this.
>> > > > > > > > > We
>> > > > > > > > > > > > use a
>> > > > > > > > > > > > > > > third
>> > > > > > > > > > > > > > > >> > > party
>> > > > > > > > > > > > > > > >> > > > > > > library
>> > > > > > > > > > > > > > > >> > > > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > takes
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > in the passed in
>> cert
>> > > and
>> > > > > > > creates
>> > > > > > > > > the
>> > > > > > > > > > > > > > Principal.
>> > > > > > > > > > > > > > > >> This
>> > > > > > > > > > > > > > > >> > > > > > Principal
>> > > > > > > > > > > > > > > >> > > > > > > > is
>> > > > > > > > > > > > > > > >> > > > > > > > > > then
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > used by the
>> library to
>> > > > make
>> > > > > > the
>> > > > > > > > > > decision
>> > > > > > > > > > > > > > > >> (ALLOW/DENY)
>> > > > > > > > > > > > > > > >> > > > when
>> > > > > > > > > > > > > > > >> > > > > we
>> > > > > > > > > > > > > > > >> > > > > > > > call
>> > > > > > > > > > > > > > > >> > > > > > > > > it
>> > > > > > > > > > > > > > > >> > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the Authorizer. It
>> > does
>> > > > not
>> > > > > > have
>> > > > > > > > an
>> > > > > > > > > > API
>> > > > > > > > > > > to
>> > > > > > > > > > > > > > > create
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > > > > Principal
>> > > > > > > > > > > > > > > >> > > > > > > > > from
>> > > > > > > > > > > > > > > >> > > > > > > > > > a
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > String. If it did
>> > > support,
>> > > > > > still
>> > > > > > > > we
>> > > > > > > > > > > would
>> > > > > > > > > > > > > have
>> > > > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> be
>> > > > > > > > > > > > > > > >> > > > aware
>> > > > > > > > > > > > > > > >> > > > > of
>> > > > > > > > > > > > > > > >> > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > internal
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > details of the
>> > library,
>> > > > like
>> > > > > > the
>> > > > > > > > > field
>> > > > > > > > > > > > > values
>> > > > > > > > > > > > > > it
>> > > > > > > > > > > > > > > >> > > creates
>> > > > > > > > > > > > > > > >> > > > > from
>> > > > > > > > > > > > > > > >> > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > certs,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > defaults and so on.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2. Could you
>> explain
>> > how
>> > > > the
>> > > > > > > > default
>> > > > > > > > > > > > > > authorizer
>> > > > > > > > > > > > > > > >> works
>> > > > > > > > > > > > > > > >> > > > now?
>> > > > > > > > > > > > > > > >> > > > > > > > > Currently,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > code just compares
>> the
>> > > two
>> > > > > > > > principal
>> > > > > > > > > > > > > objects.
>> > > > > > > > > > > > > > > Are
>> > > > > > > > > > > > > > > >> we
>> > > > > > > > > > > > > > > >> > > > > > converting
>> > > > > > > > > > > > > > > >> > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal to a
>> > > > > KafkaPrincipal
>> > > > > > > > there?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> The
>> > > > SimpleAclAuthorizer
>> > > > > > > > > currently
>> > > > > > > > > > > > > expects
>> > > > > > > > > > > > > > > >> that,
>> > > > > > > > > > > > > > > >> > > the
>> > > > > > > > > > > > > > > >> > > > > > > > Principal
>> > > > > > > > > > > > > > > >> > > > > > > > > it
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > fetches from the
>> > Session
>> > > > > > object
>> > > > > > > is
>> > > > > > > > > an
>> > > > > > > > > > > > > instance
>> > > > > > > > > > > > > > > of
>> > > > > > > > > > > > > > > >> > > > > > > KafkaPrincipal.
>> > > > > > > > > > > > > > > >> > > > > > > > > It
>> > > > > > > > > > > > > > > >> > > > > > > > > > > then
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > uses it compare
>> with
>> > the
>> > > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > > > > > extracted
>> > > > > > > > > > > > > > > >> > from
>> > > > > > > > > > > > > > > >> > > > the
>> > > > > > > > > > > > > > > >> > > > > > > stored
>> > > > > > > > > > > > > > > >> > > > > > > > > > ACLs.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > In
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > this case, we can
>> > > > construct
>> > > > > > the
>> > > > > > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > > > > > >> object
>> > > > > > > > > > > > > > > >> > > on
>> > > > > > > > > > > > > > > >> > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > fly
>> > > > > > > > > > > > > > > >> > > > > > > > by
>> > > > > > > > > > > > > > > >> > > > > > > > > > > using
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the name of the
>> > > Principal
>> > > > as
>> > > > > > > > > follows :
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val principal =
>> > > > > > > > session.principal*
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val
>> kafkaPrincipal =
>> > > new
>> > > > > > > > > > > > > > > >> > > KafkaPrincipal(KafkaPrincipal.
>> > > > > > > > > > > > > > > >> > > > > > > > USER_TYPE,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal.getName)*
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > I was also
>> planning to
>> > > get
>> > > > > rid
>> > > > > > > of
>> > > > > > > > > the
>> > > > > > > > > > > > > > > >> principalType
>> > > > > > > > > > > > > > > >> > > field
>> > > > > > > > > > > > > > > >> > > > > in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KafkaPrincipal as
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it is always set to
>> > > > > *"*User*"*
>> > > > > > > in
>> > > > > > > > > the
>> > > > > > > > > > > > > > > SocketServer
>> > > > > > > > > > > > > > > >> > > > > currently.
>> > > > > > > > > > > > > > > >> > > > > > > > After
>> > > > > > > > > > > > > > > >> > > > > > > > > > > this
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KIP, it will no
>> longer
>> > > be
>> > > > > used
>> > > > > > > in
>> > > > > > > > > > > > > > SocketServer.
>> > > > > > > > > > > > > > > >> But
>> > > > > > > > > > > > > > > >> > to
>> > > > > > > > > > > > > > > >> > > > > > maintain
>> > > > > > > > > > > > > > > >> > > > > > > > > > > backwards
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > compatibility of
>> > > > > > kafka-acls.sh,
>> > > > > > > I
>> > > > > > > > > > > > preserved
>> > > > > > > > > > > > > > it.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > This is so that in
>> the
>> > > > future,
>> > > > > > we
>> > > > > > > > can
>> > > > > > > > > > > extend
>> > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> types
>> > > > > > > > > > > > > > > >> > > like
>> > > > > > > > > > > > > > > >> > > > > > group.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. Do we need to
>> add
>> > the
>> > > > > > > following
>> > > > > > > > > > > method
>> > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > > > > > PrincipalBuilder?
>> > > > > > > > > > > > > > > >> > > > > > > > The
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > configs
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > are already passed
>> in
>> > > > > through
>> > > > > > > > > > > configure()
>> > > > > > > > > > > > > and
>> > > > > > > > > > > > > > an
>> > > > > > > > > > > > > > > >> > > > > > implementation
>> > > > > > > > > > > > > > > >> > > > > > > > can
>> > > > > > > > > > > > > > > >> > > > > > > > > > > cache
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it and use it in
>> > > > > > > buildPrincipal().
>> > > > > > > > > > It's
>> > > > > > > > > > > > also
>> > > > > > > > > > > > > > not
>> > > > > > > > > > > > > > > >> > clear
>> > > > > > > > > > > > > > > >> > > to
>> > > > > > > > > > > > > > > >> > > > > me
>> > > > > > > > > > > > > > > >> > > > > > > > where
>> > > > > > > > > > > > > > > >> > > > > > > > > we
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > call
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the new and the old
>> > > > method,
>> > > > > > and
>> > > > > > > > > > whether
>> > > > > > > > > > > > both
>> > > > > > > > > > > > > > > will
>> > > > > > > > > > > > > > > >> be
>> > > > > > > > > > > > > > > >> > > > called
>> > > > > > > > > > > > > > > >> > > > > > or
>> > > > > > > > > > > > > > > >> > > > > > > > one
>> > > > > > > > > > > > > > > >> > > > > > > > > of
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > them
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > will be called.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal
>> > > > > > > > buildPrincipal(Map<String,
>> > > > > > > > > > ?>
>> > > > > > > > > > > > > > > >> > > > principalConfigs);
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> My thought was
>> > that
>> > > > the
>> > > > > > > > > > configure()
>> > > > > > > > > > > > > > method
>> > > > > > > > > > > > > > > >> will
>> > > > > > > > > > > > > > > >> > be
>> > > > > > > > > > > > > > > >> > > > > used
>> > > > > > > > > > > > > > > >> > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > build
>> > > > > > > > > > > > > > > >> > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipalBuilder
>> class
>> > > > > object
>> > > > > > > > > itself.
>> > > > > > > > > > It
>> > > > > > > > > > > > > > follows
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > same
>> > > > > > > > > > > > > > > >> > > > > way
>> > > > > > > > > > > > > > > >> > > > > > > as
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Authorizer
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > gets configured.
>> The
>> > > > > > > > > > > > > > buildPrincipal(Map<String,
>> > > > > > > > > > > > > > > ?>
>> > > > > > > > > > > > > > > >> > > > > > > > > principalConfigs)
>> > > > > > > > > > > > > > > >> > > > > > > > > > > will
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > be used to build
>> > > > individual
>> > > > > > > > > > principals.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Let me give an
>> > example,
>> > > > with
>> > > > > > the
>> > > > > > > > > > > > > > kafka-acls.sh :
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -
>> bin/kafka-acls.sh
>> > > > > > > > > > > --principalBuilder
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > userDefinedPackage.kafka.
>> > > > > > > > > > > > > > > >> > security.PrincipalBuilder
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > --principalBuilder-properties
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > principalBuilderService.rest.u
>> > > > > > > > > > rl=URL
>> > > > > > > > > > > > > > > >> > --authorizer
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > kafka.security.auth.
>> > > > > > > > > > > > SimpleAclAuthorizer
>> > > > > > > > > > > > > > > >> > > > > > > > --authorizer-properties
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > zookeeper.connect=localhost:
>> > > > > > > > 2181
>> > > > > > > > > > > --add
>> > > > > > > > > > > > > > > >> > > > > --allow-principal
>> > > > > > > > > > > > > > > >> > > > > > > > > name=bob
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> type=USER_PRINCIPAL
>> > > > > > > > > > --allow-principal
>> > > > > > > > > > > > > > > >> > > > > > > name=ALPHA-GAMMA-SERVICE
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > type=SERVICE_PRINCIPAL
>> > > > > > > > > > --allow-hosts
>> > > > > > > > > > > > > > > >> Host1,Host2
>> > > > > > > > > > > > > > > >> > > > > > > --operations
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Read,Write
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > --topic
>> Test-topic
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1.
>> > > > > > > > *userDefinedPackage.kafka.
>> > > > > > > > > > > > > > > >> > > > > > security.PrincipalBuilder*
>> > > > > > > > > > > > > > > >> > > > > > > is
>> > > > > > > > > > > > > > > >> > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > user
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > defined
>> > > > > PrincipalBuilder
>> > > > > > > > > class.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2.
>> > > > > > > > > > *principalBuilderService.rest.
>> > > > > > > > > > > > > > url=URL*
>> > > > > > > > > > > > > > > >> can
>> > > > > > > > > > > > > > > >> > > be a
>> > > > > > > > > > > > > > > >> > > > > > > remote
>> > > > > > > > > > > > > > > >> > > > > > > > > > > service
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > that provides
>> > you
>> > > an
>> > > > > > HTTP
>> > > > > > > > > > endpoint
>> > > > > > > > > > > > > which
>> > > > > > > > > > > > > > > >> takes
>> > > > > > > > > > > > > > > >> > > in a
>> > > > > > > > > > > > > > > >> > > > > set
>> > > > > > > > > > > > > > > >> > > > > > > of
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > parameters and
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > provides you
>> > with
>> > > > the
>> > > > > > > > > Principal.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. *name=bob
>> > > > > > > > > > type=USER_PRINCIPAL*
>> > > > > > > > > > > > can
>> > > > > > > > > > > > > be
>> > > > > > > > > > > > > > > >> used
>> > > > > > > > > > > > > > > >> > by
>> > > > > > > > > > > > > > > >> > > > > > > > > > PrincipalBuilder
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > create
>> > > UserPrincipal
>> > > > > > with
>> > > > > > > > name
>> > > > > > > > > > as
>> > > > > > > > > > > > bob
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4.
>> > > > > > > *name=ALPHA-GAMMA-SERVICE
>> > > > > > > > > > > > > > > >> > > type=SERVICE_PRINCIPAL
>> > > > > > > > > > > > > > > >> > > > > > *can
>> > > > > > > > > > > > > > > >> > > > > > > be
>> > > > > > > > > > > > > > > >> > > > > > > > > > used
>> > > > > > > > > > > > > > > >> > > > > > > > > > > by
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> PrincipalBuilder
>> > > to
>> > > > > > > create a
>> > > > > > > > > > > > > > > >> ServicePrincipal
>> > > > > > > > > > > > > > > >> > > with
>> > > > > > > > > > > > > > > >> > > > > name
>> > > > > > > > > > > > > > > >> > > > > > > as
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > ALPHA-GAMMA-SERVICE.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > - This seems
>> more
>> > > > > flexible
>> > > > > > > and
>> > > > > > > > > > > > intuitive
>> > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > me
>> > > > > > > > > > > > > > > >> > from
>> > > > > > > > > > > > > > > >> > > > end
>> > > > > > > > > > > > > > > >> > > > > > > user's
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > perspective.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hmm, normally, the
>> > > > > > configurations
>> > > > > > > > you
>> > > > > > > > > > > > specify
>> > > > > > > > > > > > > > for
>> > > > > > > > > > > > > > > >> > > plug-ins
>> > > > > > > > > > > > > > > >> > > > > > refer
>> > > > > > > > > > > > > > > >> > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > those
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > needed to construct
>> the
>> > > > > plug-in
>> > > > > > > > > object.
>> > > > > > > > > > > So,
>> > > > > > > > > > > > > it's
>> > > > > > > > > > > > > > > >> kind
>> > > > > > > > > > > > > > > >> > of
>> > > > > > > > > > > > > > > >> > > > > weird
>> > > > > > > > > > > > > > > >> > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > use
>> > > > > > > > > > > > > > > >> > > > > > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > to call a method. For
>> > > > example,
>> > > > > > why
>> > > > > > > > > can't
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> principalBuilderService.rest.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > url
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > be passed in through
>> the
>> > > > > > > configure()
>> > > > > > > > > > > method
>> > > > > > > > > > > > > and
>> > > > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > implementation
>> > > > > > > > > > > > > > > >> > > > > > > > > can
>> > > > > > > > > > > > > > > >> > > > > > > > > > > use
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > that to build
>> principal.
>> > > > This
>> > > > > > way,
>> > > > > > > > > there
>> > > > > > > > > > > is
>> > > > > > > > > > > > > > only a
>> > > > > > > > > > > > > > > >> > single
>> > > > > > > > > > > > > > > >> > > > > > method
>> > > > > > > > > > > > > > > >> > > > > > > to
>> > > > > > > > > > > > > > > >> > > > > > > > > > > compute
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > the principal in a
>> > > > consistent
>> > > > > > way
>> > > > > > > in
>> > > > > > > > > the
>> > > > > > > > > > > > > broker
>> > > > > > > > > > > > > > > and
>> > > > > > > > > > > > > > > >> in
>> > > > > > > > > > > > > > > >> > > the
>> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > > > > > > > tool.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > For LinkedIn's use
>> case,
>> > > do
>> > > > > you
>> > > > > > > > > actually
>> > > > > > > > > > > use
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > kafka-acl
>> > > > > > > > > > > > > > > >> > > > > > tool?
>> > > > > > > > > > > > > > > >> > > > > > > My
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > understanding is that
>> > > > LinkedIn
>> > > > > > > does
>> > > > > > > > > > > > > > authorization
>> > > > > > > > > > > > > > > >> > through
>> > > > > > > > > > > > > > > >> > > > an
>> > > > > > > > > > > > > > > >> > > > > > > > external
>> > > > > > > > > > > > > > > >> > > > > > > > > > > tool.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > It seems it's
>> simpler if
>> > > > > > kafka-acl
>> > > > > > > > > > doesn't
>> > > > > > > > > > > > to
>> > > > > > > > > > > > > > need
>> > > > > > > > > > > > > > > >> to
>> > > > > > > > > > > > > > > >> > > > > > understand
>> > > > > > > > > > > > > > > >> > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > principal builder.
>> The
>> > > tool
>> > > > > does
>> > > > > > > > > > > > authorization
>> > > > > > > > > > > > > > > based
>> > > > > > > > > > > > > > > >> > on a
>> > > > > > > > > > > > > > > >> > > > > > string
>> > > > > > > > > > > > > > > >> > > > > > > > > name,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > which is expected to
>> > match
>> > > > the
>> > > > > > > > > principal
>> > > > > > > > > > > > name.
>> > > > > > > > > > > > > > So,
>> > > > > > > > > > > > > > > >> I am
>> > > > > > > > > > > > > > > >> > > > > > wondering
>> > > > > > > > > > > > > > > >> > > > > > > > why
>> > > > > > > > > > > > > > > >> > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > tool needs to know
>> the
>> > > > > principal
>> > > > > > > > > > builder.
>> > > > > > > > > > > > What
>> > > > > > > > > > > > > > if
>> > > > > > > > > > > > > > > we
>> > > > > > > > > > > > > > > >> > only
>> > > > > > > > > > > > > > > >> > > > > make
>> > > > > > > > > > > > > > > >> > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > following changes:
>> pass
>> > > the
>> > > > > java
>> > > > > > > > > > principal
>> > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> session
>> > > > > > > > > > > > > > > >> > and
>> > > > > > > > > > > > > > > >> > > > in
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > SimpleAuthorizer,
>> > > construct
>> > > > > > > > > > KafkaPrincipal
>> > > > > > > > > > > > > from
>> > > > > > > > > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > > name.
>> > > > > > > > > > > > > > > >> > > > > > > > > > Will
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > that work for
>> LinkedIn?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal
>> > > > > > > > buildPrincipal(Map<String,
>> > > > > > > > > > ?>
>> > > > > > > > > > > > > > > >> > > principalConfigs)
>> > > > > > > > > > > > > > > >> > > > > > will
>> > > > > > > > > > > > > > > >> > > > > > > be
>> > > > > > > > > > > > > > > >> > > > > > > > > > > called
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > from the
>> commandline
>> > > > client
>> > > > > > > > > > > kafka-acls.sh
>> > > > > > > > > > > > > > while
>> > > > > > > > > > > > > > > >> the
>> > > > > > > > > > > > > > > >> > > other
>> > > > > > > > > > > > > > > >> > > > > API
>> > > > > > > > > > > > > > > >> > > > > > > can
>> > > > > > > > > > > > > > > >> > > > > > > > > be
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > called
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > at runtime when
>> Kafka
>> > > > > > receives a
>> > > > > > > > > > client
>> > > > > > > > > > > > > > request
>> > > > > > > > > > > > > > > >> over
>> > > > > > > > > > > > > > > >> > > > > request
>> > > > > > > > > > > > > > > >> > > > > > > > > channel.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4. The KIP has "If
>> > users
>> > > > use
>> > > > > > > there
>> > > > > > > > > > > custom
>> > > > > > > > > > > > > > > >> > > > PrincipalBuilder,
>> > > > > > > > > > > > > > > >> > > > > > > they
>> > > > > > > > > > > > > > > >> > > > > > > > > will
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > have
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > to implement there
>> > > custom
>> > > > > > > > Authorizer
>> > > > > > > > > > as
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > out
>> > > > > > > > > > > > > > > of
>> > > > > > > > > > > > > > > >> > box
>> > > > > > > > > > > > > > > >> > > > > > > Authorizer
>> > > > > > > > > > > > > > > >> > > > > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Kafka provides uses
>> > > > > > > > KafkaPrincipal."
>> > > > > > > > > > > This
>> > > > > > > > > > > > is
>> > > > > > > > > > > > > > not
>> > > > > > > > > > > > > > > >> > ideal
>> > > > > > > > > > > > > > > >> > > > for
>> > > > > > > > > > > > > > > >> > > > > > > > existing
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > users.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Could we avoid
>> that?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes, this is
>> > > possible
>> > > > > to
>> > > > > > > > avoid
>> > > > > > > > > if
>> > > > > > > > > > > we
>> > > > > > > > > > > > do
>> > > > > > > > > > > > > > > >> point 2.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > On Wed, Feb 8,
>> 2017 at
>> > > > 3:31
>> > > > > > PM,
>> > > > > > > > Jun
>> > > > > > > > > > Rao
>> > > > > > > > > > > <
>> > > > > > > > > > > > > > > >> > > > j...@confluent.io>
>> > > > > > > > > > > > > > > >> > > > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Hi, Mayuresh,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks for the
>> KIP.
>> > A
>> > > > few
>> > > > > > > > comments
>> > > > > > > > > > > > below.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 1. It seems the
>> > > problem
>> > > > > that
>> > > > > > > you
>> > > > > > > > > are
>> > > > > > > > > > > > > trying
>> > > > > > > > > > > > > > to
>> > > > > > > > > > > > > > > >> > > address
>> > > > > > > > > > > > > > > >> > > > is
>> > > > > > > > > > > > > > > >> > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal
>> returned
>> > > from
>> > > > > > > > > KafkaChannel
>> > > > > > > > > > > may
>> > > > > > > > > > > > > > have
>> > > > > > > > > > > > > > > >> > > > additional
>> > > > > > > > > > > > > > > >> > > > > > > fields
>> > > > > > > > > > > > > > > >> > > > > > > > > > than
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > name
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > that are needed
>> > during
>> > > > > > > > > > authorization.
>> > > > > > > > > > > > Have
>> > > > > > > > > > > > > > you
>> > > > > > > > > > > > > > > >> > > > > considered a
>> > > > > > > > > > > > > > > >> > > > > > > > > > > customized
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > PrincipleBuilder
>> > that
>> > > > > > extracts
>> > > > > > > > all
>> > > > > > > > > > > > needed
>> > > > > > > > > > > > > > > fields
>> > > > > > > > > > > > > > > >> > from
>> > > > > > > > > > > > > > > >> > > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > > principal
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > and
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > squeezes them as
>> a
>> > > json
>> > > > in
>> > > > > > the
>> > > > > > > > > name
>> > > > > > > > > > of
>> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> returned
>> > > > > > > > > > > > > > > >> > > > > > > principal?
>> > > > > > > > > > > > > > > >> > > > > > > > > > Then,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > authorizer can
>> just
>> > > > parse
>> > > > > > the
>> > > > > > > > json
>> > > > > > > > > > and
>> > > > > > > > > > > > > > extract
>> > > > > > > > > > > > > > > >> > needed
>> > > > > > > > > > > > > > > >> > > > > > fields.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 2. Could you
>> explain
>> > > how
>> > > > > the
>> > > > > > > > > default
>> > > > > > > > > > > > > > > authorizer
>> > > > > > > > > > > > > > > >> > works
>> > > > > > > > > > > > > > > >> > > > > now?
>> > > > > > > > > > > > > > > >> > > > > > > > > > Currently,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > code just
>> compares
>> > the
>> > > > two
>> > > > > > > > > principal
>> > > > > > > > > > > > > > objects.
>> > > > > > > > > > > > > > > >> Are
>> > > > > > > > > > > > > > > >> > we
>> > > > > > > > > > > > > > > >> > > > > > > converting
>> > > > > > > > > > > > > > > >> > > > > > > > > the
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > java
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal to a
>> > > > > > KafkaPrincipal
>> > > > > > > > > there?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 3. Do we need to
>> add
>> > > the
>> > > > > > > > following
>> > > > > > > > > > > > method
>> > > > > > > > > > > > > in
>> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder?
>> > > > > > > > > > > > > > > >> > > > > > > > > The
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > configs
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > are already
>> passed
>> > in
>> > > > > > through
>> > > > > > > > > > > > configure()
>> > > > > > > > > > > > > > and
>> > > > > > > > > > > > > > > an
>> > > > > > > > > > > > > > > >> > > > > > > implementation
>> > > > > > > > > > > > > > > >> > > > > > > > > can
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > cache
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > it and use it in
>> > > > > > > > buildPrincipal().
>> > > > > > > > > > > It's
>> > > > > > > > > > > > > also
>> > > > > > > > > > > > > > > not
>> > > > > > > > > > > > > > > >> > > clear
>> > > > > > > > > > > > > > > >> > > > to
>> > > > > > > > > > > > > > > >> > > > > > me
>> > > > > > > > > > > > > > > >> > > > > > > > > where
>> > > > > > > > > > > > > > > >> > > > > > > > > > we
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > call
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > the new and the
>> old
>> > > > > method,
>> > > > > > > and
>> > > > > > > > > > > whether
>> > > > > > > > > > > > > both
>> > > > > > > > > > > > > > > >> will
>> > > > > > > > > > > > > > > >> > be
>> > > > > > > > > > > > > > > >> > > > > called
>> > > > > > > > > > > > > > > >> > > > > > > or
>> > > > > > > > > > > > > > > >> > > > > > > > > one
>> > > > > > > > > > > > > > > >> > > > > > > > > > of
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > them
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > will be called.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Principal
>> > > > > > > > > buildPrincipal(Map<String,
>> > > > > > > > > > > ?>
>> > > > > > > > > > > > > > > >> > > > > principalConfigs);
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 4. The KIP has
>> "If
>> > > users
>> > > > > use
>> > > > > > > > there
>> > > > > > > > > > > > custom
>> > > > > > > > > > > > > > > >> > > > > PrincipalBuilder,
>> > > > > > > > > > > > > > > >> > > > > > > > they
>> > > > > > > > > > > > > > > >> > > > > > > > > > will
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > have
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > to implement
>> there
>> > > > custom
>> > > > > > > > > Authorizer
>> > > > > > > > > > > as
>> > > > > > > > > > > > > the
>> > > > > > > > > > > > > > > out
>> > > > > > > > > > > > > > > >> of
>> > > > > > > > > > > > > > > >> > > box
>> > > > > > > > > > > > > > > >> > > > > > > > Authorizer
>> > > > > > > > > > > > > > > >> > > > > > > > > > > that
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Kafka provides
>> uses
>> > > > > > > > > KafkaPrincipal."
>> > > > > > > > > > > > This
>> > > > > > > > > > > > > is
>> > > > > > > > > > > > > > > not
>> > > > > > > > > > > > > > > >> > > ideal
>> > > > > > > > > > > > > > > >> > > > > for
>> > > > > > > > > > > > > > > >> > > > > > > > > existing
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > users.
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Could we avoid
>> that?
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Jun
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > On Fri, Feb 3,
>> 2017
>> > at
>> > > > > 11:25
>> > > > > > > AM,
>> > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > > >> Gharat <
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > gharatmayures...@gmail.com
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > wrote:
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Hi All,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > It seems that
>> > there
>> > > is
>> > > > > no
>> > > > > > > > > further
>> > > > > > > > > > > > > concern
>> > > > > > > > > > > > > > > with
>> > > > > > > > > > > > > > > >> > the
>> > > > > > > > > > > > > > > >> > > > > > KIP-111.
>> > > > > > > > > > > > > > > >> > > > > > > > At
>> > > > > > > > > > > > > > > >> > > > > > > > > > this
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > point
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > we would like
>> to
>> > > start
>> > > > > the
>> > > > > > > > > voting
>> > > > > > > > > > > > > process.
>> > > > > > > > > > > > > > > The
>> > > > > > > > > > > > > > > >> > KIP
>> > > > > > > > > > > > > > > >> > > > can
>> > > > > > > > > > > > > > > >> > > > > be
>> > > > > > > > > > > > > > > >> > > > > > > > found
>> > > > > > > > > > > > > > > >> > > > > > > > > > at
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
>> > > > > https://cwiki.apache.org/
>> > > > > > > > > > > > > > > >> > confluence/pages/viewpage
>> > > > > > > > > > > > > > > >> > > .
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > action?pageId=67638388
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Mayuresh
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > --
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -Regards,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > > Jun
>> > > > > > > > > > > > > > > >> > > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > > > --
>> > > > > > > > > > > > > > > >> > > > > > > > > > > -Regards,
>> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > >> > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > > > > > > >> > > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > > >
>> > > > > > > > > > > > > > > >> > > > > > >
>> > > > > > > > > > > > > > > >> > > > > >
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > > > --
>> > > > > > > > > > > > > > > >> > > > > -Regards,
>> > > > > > > > > > > > > > > >> > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > >> > > > > (862) 250-7125
>> > > > > > > > > > > > > > > >> > > > >
>> > > > > > > > > > > > > > > >> > > >
>> > > > > > > > > > > > > > > >> > >
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >> > --
>> > > > > > > > > > > > > > > >> > -Regards,
>> > > > > > > > > > > > > > > >> > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > >> > (862) 250-7125
>> > > > > > > > > > > > > > > >> >
>> > > > > > > > > > > > > > > >>
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > > --
>> > > > > > > > > > > > > > > > -Regards,
>> > > > > > > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > > > --
>> > > > > > > > > > > > > > > -Regards,
>> > > > > > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > > > > > >
>> > > > > > > > > > > > > >
>> > > > > > > > > > > > >
>> > > > > > > > > > > > >
>> > > > > > > > > > > > >
>> > > > > > > > > > > > > --
>> > > > > > > > > > > > > -Regards,
>> > > > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > > > >
>> > > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > >
>> > > > > > > > > > > --
>> > > > > > > > > > > -Regards,
>> > > > > > > > > > > Mayuresh R. Gharat
>> > > > > > > > > > > (862) 250-7125
>> > > > > > > > > > >
>> > > > > > > > > >
>> > > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > >
>> > > > > > > > --
>> > > > > > > > -Regards,
>> > > > > > > > Mayuresh R. Gharat
>> > > > > > > > (862) 250-7125
>> > > > > > > >
>> > > > > > >
>> > > > > >
>> > > > > >
>> > > > > >
>> > > > > > --
>> > > > > > -Regards,
>> > > > > > Mayuresh R. Gharat
>> > > > > > (862) 250-7125
>> > > > > >
>> > > > >
>> > > >
>> > >
>> > >
>> > >
>> > > --
>> > > -Regards,
>> > > Mayuresh R. Gharat
>> > > (862) 250-7125
>> > >
>> >
>>
>
>
>
> --
> -Regards,
> Mayuresh R. Gharat
> (862) 250-7125
>
--
-Regards,
Mayuresh R. Gharat
(862) 250-7125
