[
https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ismael Juma updated KAFKA-3186:
-------------------------------
Fix Version/s: (was: 1.0.0)
> KIP-50: Move Authorizer and related classes to separate package.
> ----------------------------------------------------------------
>
> Key: KAFKA-3186
> URL: https://issues.apache.org/jira/browse/KAFKA-3186
> Project: Kafka
> Issue Type: Improvement
> Affects Versions: 0.9.0.0
> Reporter: Ashish Singh
> Assignee: Ashish Singh
>
> [KIP-50|https://cwiki.apache.org/confluence/display/KAFKA/KIP-50+-+Move+Authorizer+to+a+separate+package]
> has more details.
> Kafka supports pluggable authorization. Third party authorizer
> implementations allow existing authorization systems like, Apache Sentry,
> Apache Ranger, etc to extend authorization to Kafka as well. Implementing
> Kafka's authorizer interface requires depending on kafka's core, which is
> huge. This has been already raised as a concern by Sentry, Ranger and Kafka
> community. Even Kafka clients require duplication of authorization related
> classes, like Resource, Operation, etc, for adding ACLs CRUD APIs.
> Kafka authorizer is agnostic of principal types it supports, so are the acls
> CRUD methods in Authorizer interface. The intent behind is to keep Kafka
> principal types pluggable, which is really great. However, this leads to Acls
> CRUD methods not performing any check on validity of acls, as they are not
> aware of what principal types Authorizer implementation supports. This opens
> up space for lots of user errors, KAFKA-3097 is an instance.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
