[ https://issues.apache.org/jira/browse/KAFKA-4985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16338376#comment-16338376 ]

Colin P. McCabe commented on KAFKA-4985:
----------------------------------------

bq. That argument could be applied to practically any use of DNS, so I'm not 
convinced it makes a good reason not to do this.

DNS is simply not secure.  So it shouldn't be used to provide security.

For example, I could spin up a DNS server on your local network, grant myself 
some hostname, and then do whatever I want on your broker, if hostname-based 
security is in use.

Or perhaps I take control of some public DNS server, and use it to publish fake 
DNS entries.  Your site relies on many third party DNS resolvers that aren't 
controlled by your organization, any time you want to access something not in 
your local network.

DNS-based security would just be a square wheel, even if it worked reliably 
(which it wouldn't, any time a DNS record changed)...

> kafka-acls should resolve dns names and accept ip ranges
> --------------------------------------------------------
>
>                 Key: KAFKA-4985
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4985
>             Project: Kafka
>          Issue Type: Improvement
>          Components: security
>            Reporter: Ryan P
>            Priority: Major
>
> Per KAFKA-2869 it looks like a conscious decision was made to move away from 
> using hostnames for authorization purposes. 
> This is fine, however IP addresses are terribly inconvenient compared to 
> hostnames with regard to configuring ACLs. 
> I'd like to propose the following two improvements to make managing these 
> ACLs easier for end-users. 
> 1. Allow for simple patterns to be matched 
> i.e. --allow-host 10.17.81.11[1-9] 
> 2. Allow for hostnames to be used even if they are resolved on the client 
> side. Simple pattern matching on hostnames would be a welcome addition as well
> i.e. --allow-host host.name.com
> Accepting a comma delimited list of hostnames and ip addresses would also be 
> helpful.
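The two proposals above (bracket ranges such as `10.17.81.11[1-9]`, and hostnames resolved on the client side at ACL-creation time) as an added example; this is not code from the issue, the comment, or Kafka itself. The `CONSTRUCTED_DNS` table, `expand_host_pattern`, `parse_allow_hosts` and `is_allowed` are all hypothetical; the point it shows is that resolution happens once when the ACL is written, so the broker stores and checks only IP addresses and never consults DNS at request time.

```python
import ipaddress
import re

# Constructed stand-in for DNS (hypothetical data, not Kafka's resolver):
# the proposal resolves hostnames on the *client* side when the ACL is
# written, so the broker only ever stores IPs.
CONSTRUCTED_DNS = {"host.name.com": ["10.17.81.42", "10.17.81.43"]}

_RANGE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_host_pattern(pattern, resolver=CONSTRUCTED_DNS):
    """Turn one --allow-host value into a frozenset of IP addresses.

    Accepts a literal IP, a single '[lo-hi]' digit range (e.g.
    10.17.81.11[1-9] -> 10.17.81.111 .. 10.17.81.119), or a hostname that is
    resolved once, right now, via `resolver`. The result contains no names,
    so later DNS changes or spoofed answers cannot alter what is authorised.
    """
    m = _RANGE.search(pattern)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
        if lo > hi:
            raise ValueError(f"bad range in {pattern!r}")
        candidates = [pattern[:m.start()] + str(n) + pattern[m.end():]
                      for n in range(lo, hi + 1)]
        # every expansion must still be a well-formed address
        return frozenset(ipaddress.ip_address(c) for c in candidates)
    try:
        return frozenset({ipaddress.ip_address(pattern)})
    except ValueError:
        pass  # not a literal IP, so treat it as a hostname
    if pattern not in resolver:
        raise ValueError(f"cannot resolve {pattern!r}; refusing to store a bare hostname")
    return frozenset(ipaddress.ip_address(a) for a in resolver[pattern])


def parse_allow_hosts(value, resolver=CONSTRUCTED_DNS):
    """Comma-delimited mix of IPs, ranges and hostnames -> one frozenset of IPs."""
    acl = set()
    for item in value.split(","):
        item = item.strip()
        if item:
            acl |= expand_host_pattern(item, resolver)
    return frozenset(acl)


def is_allowed(client_ip, allow_hosts):
    """Broker-side check: exact IP membership, no DNS lookup at request time."""
    return ipaddress.ip_address(client_ip) in allow_hosts
```

Because the stored ACL is a fixed set of addresses, a change to the `host.name.com` record after the ACL was written has no effect until someone deliberately re-runs the tool, which is the staleness the comment above points out.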



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
