potiuk commented on PR #22431: URL: https://github.com/apache/kafka/pull/22431#issuecomment-4618441586
Thanks @clolov — pushed a revision addressing the review:

- **Removed all ZooKeeper references** (gone from trunk; legacy 3.9.x out of scope).
- Framed **PLAINTEXT listener + no authorizer as development-only**; authorizer default = **DENY** (StandardAuthorizer); idempotent producers / transactions / delegation tokens are ACL-gated (a token can't mint another).
- SASL guidance (SCRAM/GSSAPI/OAUTHBEARER recommended; nothing enforces TLS for PLAIN; OAUTHBEARER client_credentials + client_assertion).
- **DoS defaults** documented (`socket.request.max.bytes`=100MiB, `queued.max.requests`=500, `connection.failed.authentication.delay.ms`=100ms; `queued.max.request.bytes`/`max.connections*`/quotas unset by default).
- Kafka Streams treated as a client library; `committer-tools` + `bin` out of scope; defined "addendum C".

Left as open §14 questions where you pinged others: in-cluster-peer threat examples (@mimaison / @showuon), the Streams-as-client-library final call (@mjsax), Connect/REST depth (@mimaison), and whether the out-of-scope list should be exhaustive vs examples.

WDYT?

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
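The comment above lists the broker settings the threat-model revision treats as development-only (a PLAINTEXT listener with no authorizer, SASL/PLAIN with nothing enforcing TLS) and the DoS-relevant keys that are unset by default. The following is an added example, not code from the Apache Kafka project or from the PR, that audits a broker `server.properties` for exactly those conditions. It assumes the standard Kafka broker property names (`listeners`, `listener.security.protocol.map`, `authorizer.class.name`, `allow.everyone.if.no.acl.found`, `sasl.enabled.mechanisms`, `queued.max.request.bytes`, `max.connections`, `max.connections.per.ip`); the two sample configs and the finding labels are constructed for this example.

```python
"""Audit a Kafka broker server.properties for the development-only and
DoS-relevant settings discussed in the PR comment above.

Added example for this page; not code from the Apache Kafka project.
Assumption: the property names are the standard broker configs; the
finding labels and sample configs below are this script's own.
"""
import re

# Constructed sample: a permissive development-style broker.
DEV_CONFIG = """
listeners=PLAINTEXT://0.0.0.0:9092,SASL_PLAINTEXT://0.0.0.0:9094
# no authorizer.class.name -> no ACL checks at all
sasl.enabled.mechanisms=PLAIN
"""

# Constructed sample: a hardened broker with the DoS limits set explicitly.
PROD_CONFIG = """
listeners=SASL_SSL://0.0.0.0:9093
listener.security.protocol.map=SASL_SSL:SASL_SSL
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
sasl.enabled.mechanisms=SCRAM-SHA-512
socket.request.max.bytes=104857600
queued.max.requests=500
queued.max.request.bytes=536870912
max.connections.per.ip=200
max.connections=10000
connection.failed.authentication.delay.ms=100
"""


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key:value, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        if "=" in line:
            key, value = line.split("=", 1)
        elif ":" in line:
            key, value = line.split(":", 1)
        else:
            key, value = line, ""
        props[key.strip()] = value.strip()
    return props


def listener_protocols(props):
    """Resolve each listener name to its security protocol.

    Listener names map to protocols via listener.security.protocol.map;
    a name with no mapping is itself a protocol (PLAINTEXT, SSL, ...).
    """
    proto_map = {}
    for pair in props.get("listener.security.protocol.map", "").split(","):
        if ":" in pair:
            name, proto = pair.split(":", 1)
            proto_map[name.strip()] = proto.strip()
    protocols = set()
    for entry in props.get("listeners", "").split(","):
        match = re.match(r"([A-Za-z0-9_-]+)://", entry.strip())
        if match:
            name = match.group(1)
            protocols.add(proto_map.get(name, name).upper())
    return protocols


def audit(props):
    """Return an ordered list of finding labels for a parsed broker config."""
    findings = []
    protocols = listener_protocols(props)

    if "PLAINTEXT" in protocols:
        findings.append("plaintext-listener")

    # No authorizer means every request is allowed; with StandardAuthorizer
    # the default is DENY unless allow.everyone.if.no.acl.found is flipped.
    if not props.get("authorizer.class.name"):
        findings.append("no-authorizer")
    elif props.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.append("authorizer-default-allow")

    # SASL/PLAIN sends the password in the clear; only the listener's
    # transport protects it, and SASL_PLAINTEXT provides no TLS.
    mechanisms = {m.strip().upper()
                  for m in props.get("sasl.enabled.mechanisms", "").split(",")
                  if m.strip()}
    if "PLAIN" in mechanisms and "SASL_PLAINTEXT" in protocols:
        findings.append("sasl-plain-without-tls")

    # Connection and queued-bytes limits are unset by default.
    for key in ("queued.max.request.bytes", "max.connections", "max.connections.per.ip"):
        if key not in props:
            findings.append("unset:" + key)
    return findings


def audit_text(text):
    return audit(parse_properties(text))


if __name__ == "__main__":
    for label, cfg in (("dev", DEV_CONFIG), ("prod", PROD_CONFIG)):
        print(label, audit_text(cfg))
```

The check only flags what the comment calls out; it deliberately does not score `socket.request.max.bytes` or `queued.max.requests`, which have non-empty defaults, and it treats an unmapped listener name as its own protocol, matching Kafka's default protocol map.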
