RE: [VOTE] KIP-412: Extend Admin API to support dynamic application log levels

2019-02-19 Thread Skrzypek, Jonathan
+1 (non-binding)

Jonathan Skrzypek


-Original Message-
From: Gwen Shapira 
Sent: 19 February 2019 04:57
To: dev 
Subject: Re: [VOTE] KIP-412: Extend Admin API to support dynamic application 
log levels

+1

On Mon, Feb 18, 2019, 3:48 AM Stanislav Kozlovski 
wrote:

> Hey everybody, I'm starting a VOTE thread for KIP-412. This feature
> should significantly improve the flexibility and ease in debugging
> Kafka in run time
>
> KIP-412 -
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_
> confluence_display_KAFKA_KIP-2D412-253A-2BExtend-2BAdmin-2BAPI-2Bto-2B
> support-2Bdynamic-2Bapplication-2Blog-2Blevels=DwIBaQ=7563p3e2zaQw
> 0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0N
> M1EHo-E=Qdn7UygnjV2OiTYHBwn2BZAKjDblTffLUA9cAnL3t1w=QQbNGzQrEtVg1t
> 2aBUtjFEdW5jL4xOBsbt-RS6tIQAQ=
>
>
> --
> Best,
> Stanislav
>



Your Personal Data: We may collect and process information about you that may 
be subject to data protection laws. For more information about how we use and 
disclose your personal data, how we protect your information, our legal basis 
to use your information, your rights and who you can contact, please refer to: 
www.gs.com/privacy-notices


RE: [EXTERNAL] [VOTE] KIP-382 MirrorMaker 2.0

2019-01-02 Thread Skrzypek, Jonathan
+1 (non-binding)

Jonathan Skrzypek

-Original Message-
From: Mickael Maison 
Sent: 02 January 2019 11:10
To: dev 
Subject: Re: [EXTERNAL] [VOTE] KIP-382 MirrorMaker 2.0

+1 (non-binding)
Thanks Ryanne

On Wed, Jan 2, 2019 at 4:47 AM McCaig, Rhys  wrote:
>
> +1 (non-binding). Fantastic work on the KIP Ryanne.
>
> > On Dec 25, 2018, at 9:10 AM, Stephane Maarek  
> > wrote:
> >
> > +1 ! Great stuff
> >
> > Stephane
> >
> > On Mon., 24 Dec. 2018, 12:07 pm Edoardo Comar  >
> >> +1 non-binding
> >>
> >> thanks for the KIP
> >> --
> >>
> >> Edoardo Comar
> >>
> >> IBM Event Streams
> >>
> >>
> >> Harsha  wrote on 21/12/2018 20:17:03:
> >>
> >>> From: Harsha 
> >>> To: dev@kafka.apache.org
> >>> Date: 21/12/2018 20:17
> >>> Subject: Re: [VOTE] KIP-382 MirrorMaker 2.0
> >>>
> >>> +1 (binding).  Nice work Ryan.
> >>> -Harsha
> >>>
> >>> On Fri, Dec 21, 2018, at 8:14 AM, Andrew Schofield wrote:
>  +1 (non-binding)
> 
>  Andrew Schofield
>  IBM Event Streams
> 
>  On 21/12/2018, 01:23, "Srinivas Reddy"
>  
> >> wrote:
> 
> +1 (non binding)
> 
> Thank you Ryan for the KIP, let me know if you need support in
> >>> implementing
> it.
> 
> -
> Srinivas
> 
> - Typed on tiny keys. pls ignore typos.{mobile app}
> 
> 
> On Fri, 21 Dec, 2018, 08:26 Ryanne Dolan
>   >> wrote:
> 
> > Thanks for the votes so far!
> >
> > Due to recent discussions, I've removed the high-level REST
> >>> API from the
> > KIP.
> >
> > On Thu, Dec 20, 2018 at 12:42 PM Paul Davidson
> >>> 
> > wrote:
> >
> >> +1
> >>
> >> Would be great to see the community build on the basic
> >>> approach we took
> >> with Mirus. Thanks Ryanne.
> >>
> >> On Thu, Dec 20, 2018 at 9:01 AM Andrew Psaltis
> >>>  >>
> >> wrote:
> >>
> >>> +1
> >>>
> >>> Really looking forward to this and to helping in any way
> >>> I can. Thanks
> >> for
> >>> kicking this off Ryanne.
> >>>
> >>> On Thu, Dec 20, 2018 at 10:18 PM Andrew Otto
> >> 
> > wrote:
> >>>
>  +1
> 
>  This looks like a huge project! Wikimedia would be
> >>> very excited to
> > have
>  this. Thanks!
> 
>  On Thu, Dec 20, 2018 at 9:52 AM Ryanne Dolan
> >>> 
>  wrote:
> 
> > Hey y'all, please vote to adopt KIP-382 by replying +1
> >> to this
> >> thread.
> >
> > For your reference, here are the highlights of the
> >> proposal:
> >
> > - Leverages the Kafka Connect framework and ecosystem.
> > - Includes both source and sink connectors.
> > - Includes a high-level driver that manages connectors
> >> in a
> > dedicated
> > cluster.
> > - High-level REST API abstracts over connectors
> >>> between multiple
> >> Kafka
> > clusters.
> > - Detects new topics, partitions.
> > - Automatically syncs topic configuration between
> >> clusters.
> > - Manages downstream topic ACL.
> > - Supports "active/active" cluster pairs, as well as
> >>> any number of
> >>> active
> > clusters.
> > - Supports cross-data center replication,
> >>> aggregation, and other
> >>> complex
> > topologies.
> > - Provides new metrics including end-to-end
> >>> replication latency
> >> across
> > multiple data centers/clusters.
> > - Emits offsets required to migrate consumers
> >>> between clusters.
> > - Tooling for offset translation.
> > - MirrorMaker-compatible legacy mode.
> >
> > Thanks, and happy holidays!
> > Ryanne
> >
> 
> >>>
> >>
> >>
> >> --
> >> Paul Davidson
> >> Principal Engineer, Ajna Team
> >> Big Data & Monitoring
> >>
> >
> 
> 
> >>>
> >>
> >> Unless stated otherwise above:
> >> IBM United Kingdom Limited - Registered in England and Wales with
> >> number 741598.
> >> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire
> >> PO6 3AU
> >>
>





RE: [VOTE] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-09-20 Thread Skrzypek, Jonathan
Ok thanks.

+1 (non-binding)

The only thing I'm not too sure about is the naming around configuration 
entries for this, both for KIP-235 and KIP-302.

KIP-235 expands DNS A records for bootstrap : 
resolve.canonical.bootstrap.servers.only
KIP-302 expands DNS A records for advertised.listeners : use.all.dns.ips

I'm a bit concerned that those don't easily explain what this does.
Documentation helps obviously, but would we have suggestions for better naming ?
I'm fine if we go for those but worth thinking about I think.

Also, we probably want a third option to have both ? That's why we initially 
put in ".only" for KIP-235's parameter.

Jonathan Skrzypek


-Original Message-
From: Edoardo Comar [mailto:eco...@uk.ibm.com]
Sent: 20 September 2018 09:55
To: dev@kafka.apache.org
Subject: RE: [VOTE] KIP-302 - Enable Kafka clients to use all DNS resolved IP 
addresses

Hi Jonathan
we'll update the PR for KIP-302 soon. We do not need KIP-235 actually,
they only share the name of the configuration entry.

thanks
Edo

PS - we need votes :-)

--

Edoardo Comar

IBM Message Hub

IBM UK Ltd, Hursley Park, SO21 2JN



From:   "Skrzypek, Jonathan" 
To: "dev@kafka.apache.org" 
Date:   19/09/2018 16:12
Subject:***UNCHECKED*** RE: [VOTE] KIP-302 - Enable Kafka clients
to use all  DNS resolved IP addresses



I'm assuming this needs KIP-235 to be merged.
Unfortunately I've tripped over some merge issues with git and struggled
to fix.
Hopefully this is fixed but any help appreciated :
https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_kafka_pull_4485=DwIFAg=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=HwQEPivzE-kKvVc99xS-xIe66IRdoD_x8cGEGCVqLFs=7yGX8SM2OhgJi2q8K8BXIrnu1YjEGSORIr5Bs2Up8Zg=


Jonathan Skrzypek



-Original Message-
From: Eno Thereska [mailto:eno.there...@gmail.com]
Sent: 19 September 2018 11:01
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-302 - Enable Kafka clients to use all DNS resolved
IP addresses

+1 (non-binding).

Thanks
Eno

On Wed, Sep 19, 2018 at 10:09 AM, Rajini Sivaram 
wrote:

> Hi Edo,
>
> Thanks for the KIP!
>
> +1 (binding)
>
> On Tue, Sep 18, 2018 at 3:51 PM, Edoardo Comar 
wrote:
>
> > Hi All,
> >
> > I'd like to start the vote on KIP-302:
> >
> >
https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D=DwIFAg=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=HwQEPivzE-kKvVc99xS-xIe66IRdoD_x8cGEGCVqLFs=9z7km3slLJqJLvkw991bM2ht1lygWxDOIY2238JsNLQ=

> > 302+-+Enable+Kafka+clients+to+use+all+DNS+resolved+IP+addresses
> >
> > We'd love to get this in 2.1.0
> > Kip freeze is just a few days away ... please cast your votes  :-):-)
> >
> > Thanks!!
> > Edo
> >
> > --
> >
> > Edoardo Comar
> >
> > IBM Message Hub
> >
> > IBM UK Ltd, Hursley Park, SO21 2JN
> > Unless stated otherwise above:
> > IBM United Kingdom Limited - Registered in England and Wales with
number
> > 741598.
> > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
> 3AU
> >
>












***UNCHECKED*** RE: [VOTE] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-09-19 Thread Skrzypek, Jonathan
I'm assuming this needs KIP-235 to be merged.
Unfortunately I've tripped over some merge issues with git and struggled to fix.
Hopefully this is fixed but any help appreciated : 
https://github.com/apache/kafka/pull/4485

Jonathan Skrzypek



-Original Message-
From: Eno Thereska [mailto:eno.there...@gmail.com]
Sent: 19 September 2018 11:01
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-302 - Enable Kafka clients to use all DNS resolved IP 
addresses

+1 (non-binding).

Thanks
Eno

On Wed, Sep 19, 2018 at 10:09 AM, Rajini Sivaram 
wrote:

> Hi Edo,
>
> Thanks for the KIP!
>
> +1 (binding)
>
> On Tue, Sep 18, 2018 at 3:51 PM, Edoardo Comar  wrote:
>
> > Hi All,
> >
> > I'd like to start the vote on KIP-302:
> >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=BT04yLI3iq0Sgaxa_AZcswG9jeO7NeiIcI5fe4Nm-ts=gZ6szA9kizQmSH7SlRG0xAUMVcmwzQLK8L1FqtlBd4k=
> > 302+-+Enable+Kafka+clients+to+use+all+DNS+resolved+IP+addresses
> >
> > We'd love to get this in 2.1.0
> > Kip freeze is just a few days away ... please cast your votes  :-):-)
> >
> > Thanks!!
> > Edo
> >
> > --
> >
> > Edoardo Comar
> >
> > IBM Message Hub
> >
> > IBM UK Ltd, Hursley Park, SO21 2JN
> > Unless stated otherwise above:
> > IBM United Kingdom Limited - Registered in England and Wales with number
> > 741598.
> > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6
> 3AU
> >
>





RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-08-28 Thread Skrzypek, Jonathan
Hi,

Could someone take a look at https://github.com/apache/kafka/pull/4485 and 
merge if ok ?

Jonathan Skrzypek


-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 27 June 2018 17:52
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi,

I've modified the PR last week following comments on unit tests, could it be 
reviewed ?

https://github.com/apache/kafka/pull/4485

Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>





RE: [kafka-clients] [VOTE] 1.1.1 RC2

2018-07-05 Thread Skrzypek, Jonathan
Hi,

Will this RC go ahead or should a RC3 be put together ?


-Original Message-
From: Matthias J. Sax [mailto:matth...@confluent.io]
Sent: 30 June 2018 06:13
To: Rajini Sivaram; Users
Cc: Dong Lin; dev; kafka-clients
Subject: Re: [kafka-clients] [VOTE] 1.1.1 RC2

Hi Dong,

it seems that the kafka-streams-quickstart artifacts are missing. Is it just me 
or is the RC incomplete?


-Matthias


On 6/29/18 4:07 PM, Rajini Sivaram wrote:
> Hi Dong,
>
> +1 (binding)
>
> Verified binary using quick start, ran tests from source, checked
> release notes.
>
> Thanks for running the release!
>
> Regards,
>
> Rajini
>
> On Fri, Jun 29, 2018 at 11:11 PM, Jun Rao wrote:
>
> Hi, Dong,
>
> Thanks for running the release. Verified quickstart on scala 2.12
> binary. +1
>
> Jun
>
> On Thu, Jun 28, 2018 at 6:12 PM, Dong Lin wrote:
>
> > Hello Kafka users, developers and client-developers,
> >
> > This is the second candidate for release of Apache Kafka 1.1.1.
> >
> > Apache Kafka 1.1.1 is a bug-fix release for the 1.1 branch that
> was first
> > released with 1.1.0 about 3 months ago. We have fixed about 25
> issues since
> > that release. A few of the more significant fixes include:
> >
> > KAFKA-6925 - Fix memory leak in StreamsMetricsThreadImpl
> > KAFKA-6937 - In-sync replica delayed during fetch if replica throttle is exceeded
> > KAFKA-6917 - Process txn completion asynchronously to avoid deadlock
> > KAFKA-6893 - Create processors before starting acceptor to avoid ArithmeticException
> > KAFKA-6870 - Fix ConcurrentModificationException in SampledStat
> > KAFKA-6878 - Fix NullPointerException when querying global state store
> > KAFKA-6879 - Invoke session init callbacks outside lock to avoid Controller deadlock
> > KAFKA-6857 - Prevent follower from truncating to the wrong offset if undefined leader epoch is requested
> > KAFKA-6854 - Log cleaner fails with transaction markers that are deleted during clean
> > KAFKA-6747 - Check whether there is in-flight transaction before aborting transaction
> > KAFKA-6748 - Double check before scheduling a new task after the punctuate call
> > KAFKA-6739 - Fix IllegalArgumentException when down-converting from V2 to V0/V1
> > KAFKA-6728 - Fix NullPointerException when instantiating the HeaderConverter
> >
> > Kafka 1.1.1 release plan:
> >
> https://cwiki.apache.org/confluence/display/KAFKA/Release+Plan+1.1.1
> 
> >
> > Release notes for the 1.1.1 release:
> > http://home.apache.org/~lindong/kafka-1.1.1-rc2/RELEASE_NOTES.html
> 
> >
> > *** Please download, test and vote by Thursday, July 3, 12pm PT ***
> >
> > Kafka's KEYS file containing PGP keys we use to sign the release:
> > http://kafka.apache.org/KEYS
> >
> > * Release artifacts to be voted upon (source and binary):
> > http://home.apache.org/~lindong/kafka-1.1.1-rc2/
> 
> >
> > * Maven artifacts to be voted upon:
> > https://repository.apache.org/content/groups/staging/
> 
> >
> > * Javadoc:
> > 

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-06-27 Thread Skrzypek, Jonathan
Hi,

I've modified the PR last week following comments on unit tests, could it be 
reviewed ?

https://github.com/apache/kafka/pull/4485

Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>





RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-06-01 Thread Skrzypek, Jonathan
Hi,

I have updated the PR to leverage an enum to drive client dns lookup behaviour.

There are only 2 options for now, but this could be extended to support other 
behaviours (see attached from KIP-302 thread).
2 current options :

resolve.canonical.bootstrap.servers.only : perform canonical name resolution on 
items of bootstrap.servers
disabled : current default behaviour, no lookup - this is the default value

As usual naming things is hard so happy to take suggestions.

https://github.com/apache/kafka/pull/4485


Jonathan Skrzypek

-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>



--- Begin Message ---
Hi,

As Rajini suggested in the thread for KIP 235 (attached), we could try to have 
an enum that would drive what does the client expands/resolves.

I suggest a client config called client.dns.lookup with different values 
possible :

- no : no dns lookup
- hostnames.only : perform dns lookup on both bootstrap.servers and advertised 
listeners
- canonical.hostnames.only : perform dns lookup on both bootstrap.servers and 
advertised listeners
- bootstrap.hostnames.only : perform dns lookup on bootstrap.servers list and 
expand it
- bootstrap.canonical.hostnames.only : perform dns lookup on bootstrap.servers 
list and expand it
- advertised.listeners.hostnames.only : perform dns lookup on advertised 
listeners
- advertised.listeners.canonical.hostnames.only : perform dns lookup on 
advertised listeners

I realize this is a bit heavy but this gives users the ability to pick and 
choose.
I didn't include a setting to mix hostnames and canonical hostnames as I'm not 
sure there would be a valid use case.

Alternatively, to have less possible values, we could have 2 parameters :

- dns.lookup.type with values : hostname / canonical.host.name
- dns.lookup.behaviour : bootstrap.servers, advertised.listeners, both

Thoughts ?

Jonathan Skrzypek


-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com]
Sent: 17 May 2018 23:50
To: dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
IP addresses

Hi Jonathan,

> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expansion + advertised lookup)
> and an additional parameter that defines how the resolution is performed, 
> using getCanonicalHostName() or not.

thanks sounds to me *less* simple than independent config options, sorry.

I would like to say once again that by itself  KIP-302 only speeds up
the client behavior that can happen anyway when the client restarts
multiple times,
as every time there is no guarantee that - in presence of multiple A
DNS records - the same IP is returned. Attempting to use additiona IPs
if the first fail just makes client recovery faster.

cheers
Edo

On 17 May 2018 at 12:12, Skrzypek, Jonathan  wrote:
> Yes, makes sense.
> You mentioned multiple times you see no overlap and no issue with your KIP, 
> and that they solve different use cases.
>
> Appreciate you have an existing use case that would work, but we need to make 
> sure this isn't confusing to users and that any combination will always work, 
> across security protocols.
>
> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expan

RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-05-24 Thread Skrzypek, Jonathan
Hi,

As Rajini suggested in the thread for KIP 235 (attached), we could try to have 
an enum that would drive what does the client expands/resolves.

I suggest a client config called client.dns.lookup with different values 
possible :

- no : no dns lookup
- hostnames.only : perform dns lookup on both bootstrap.servers and advertised 
listeners
- canonical.hostnames.only : perform dns lookup on both bootstrap.servers and 
advertised listeners
- bootstrap.hostnames.only : perform dns lookup on bootstrap.servers list and 
expand it
- bootstrap.canonical.hostnames.only : perform dns lookup on bootstrap.servers 
list and expand it
- advertised.listeners.hostnames.only : perform dns lookup on advertised 
listeners
- advertised.listeners.canonical.hostnames.only : perform dns lookup on 
advertised listeners

I realize this is a bit heavy but this gives users the ability to pick and 
choose.
I didn't include a setting to mix hostnames and canonical hostnames as I'm not 
sure there would be a valid use case.

Alternatively, to have less possible values, we could have 2 parameters :

- dns.lookup.type with values : hostname / canonical.host.name
- dns.lookup.behaviour : bootstrap.servers, advertised.listeners, both

Thoughts ?

Jonathan Skrzypek


-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com]
Sent: 17 May 2018 23:50
To: dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
IP addresses

Hi Jonathan,

> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expansion + advertised lookup)
> and an additional parameter that defines how the resolution is performed, 
> using getCanonicalHostName() or not.

thanks sounds to me *less* simple than independent config options, sorry.

I would like to say once again that by itself  KIP-302 only speeds up
the client behavior that can happen anyway when the client restarts
multiple times,
as every time there is no guarantee that - in presence of multiple A
DNS records - the same IP is returned. Attempting to use additional IPs
if the first fails just makes client recovery faster.

cheers
Edo

On 17 May 2018 at 12:12, Skrzypek, Jonathan <jonathan.skrzy...@gs.com> wrote:
> Yes, makes sense.
> You mentioned multiple times you see no overlap and no issue with your KIP, 
> and that they solve different use cases.
>
> Appreciate you have an existing use case that would work, but we need to make 
> sure this isn't confusing to users and that any combination will always work, 
> across security protocols.
>
> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expansion + advertised lookup) and an additional parameter that 
> defines how the resolution is performed, using getCanonicalHostName() or not.
>
> Maybe that gives less flexibility as users wouldn't be able to decide to only 
> perform DNS lookup on bootstrap.servers or on advertised listeners.
> But this would ensure consistency so that a user can decide to use cnames or 
> not (depending on their certificates and Kerberos principals in their 
> environment) and it would work.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Edoardo Comar [mailto:edoco...@gmail.com]
> Sent: 16 May 2018 21:59
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
> IP addresses
>
> Hi Jonathan,
> I am afraid that may not work for everybody.
>
> It would not work for us.
> With our current DNS, my Kafka clients are perfectly happy to use any IPs -
> DNS has multiple A records for the 'myhostname.mydomain' used for
> bootstrap and advertised listeners.
> The hosts all serve TLS certificates that include
> 'myhostname.mydomain'  and the clients are happy.
>
> However, applying getCanonicalHostName to those IPs would return
> hostnames that would not match the TLS certificates.
>
> So once again I believe your solution and ours solve different use cases.
>
> cheers
> Edo
>
> On 16 May 2018 at 18:29, Skrzypek, Jonathan <jonathan.skrzy...@gs.com> wrote:
>> I think there are combinations that will break SASL and SSL auth.
>> Could the trick be to have a single parameter that triggers dns resolve both 
>> for bootstrap and advertised listeners, both using getCanonicalHostName() ?
>>
>> Jonathan Skrzypek
>>
>> -Original Message-
>> From: Edoardo Comar [mailto:edoco...@gmail.com]
>> Sent: 16 May 2018 17:03
>> To: dev@kafka.apache.org
>> Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients t

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-21 Thread Skrzypek, Jonathan
Hi,

What would be the next step here ?
I know there's a discussion going on around KIP-302, but I'm also conscious 
that the 2.0.0 deadline for KIPs is tomorrow.
I've opened this KIP in January and discussions have been productive with an 
end solution I had the impression was reasonable, so I am keen to see it make 
it the next release.


Jonathan Skrzypek

-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 14 May 2018 13:48
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Sure, I modified the KIP to add more details

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection


Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 14 May 2018 11:53
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP, Jonathan. It would be helpful to have more detail on
how SSL authentication could be broken if the new behaviour is the default.
I know this was discussed in the mailing list thread, but it's important to
include it in the KIP since it's the main reason why a new config is needed
(and configs should be avoided whenever we can just do the right thing).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=FM_uCHnnO2dqxWC0bi7_QOJKfKmQI80-Xduvb-URWOw=RpGkijfK-WHcU0s8ZtMXEkIr69QraJhYKaGSC9V_rnI=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>





RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-05-17 Thread Skrzypek, Jonathan
Yes, makes sense.
You mentioned multiple times you see no overlap and no issue with your KIP, and 
that they solve different use cases.

Appreciate you have an existing use case that would work, but we need to make 
sure this isn't confusing to users and that any combination will always work, 
across security protocols.

A solution might be to expose to users the choice of using hostname or 
canonical host name on both sides.
Say having one setting that collapses functionalities from both KIPs (bootstrap 
expansion + advertised lookup) and an additional parameter that defines how the 
resolution is performed, using getCanonicalHostName() or not. 

Maybe that gives less flexibility as users wouldn't be able to decide to only 
perform DNS lookup on bootstrap.servers or on advertised listeners.
But this would ensure consistency so that a user can decide to use cnames or 
not (depending on their certificates and Kerberos principals in their 
environment) and it would work.

Jonathan Skrzypek 

-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com] 
Sent: 16 May 2018 21:59
To: dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
IP addresses

Hi Jonathan,
I am afraid that may not work for everybody.

It would not work for us.
With our current DNS, my Kafka clients are perfectly happy to use any IPs -
DNS has multiple A records for the 'myhostname.mydomain' used for
bootstrap and advertised listeners.
The hosts all serve TLS certificates that include
'myhostname.mydomain'  and the clients are happy.

However, applying getCanonicalHostName to those IPs would return
hostnames that would not match the TLS certificates.

So once again I believe your solution and ours solve different use cases.

cheers
Edo

On 16 May 2018 at 18:29, Skrzypek, Jonathan <jonathan.skrzy...@gs.com> wrote:
> I think there are combinations that will break SASL and SSL auth.
> Could the trick be to have a single parameter that triggers dns resolve both 
> for bootstrap and advertised listeners, both using getCanonicalHostName() ?
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Edoardo Comar [mailto:edoco...@gmail.com]
> Sent: 16 May 2018 17:03
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
> IP addresses
>
> Hi Rajini,
>
> In your example KIP-302 would attempt to connect to the first address
> returned, let's say
>
> www.apache.org/195.154.151.36
>
> then, only if that fails, will in turn try the remaining:
>
> www.apache.org/40.79.78.1
> www.apache.org/140.211.11.105
> www.apache.org/2001:bc8:2142:300:0:0:0:0
>
> You're right to say that we expect certificates served by those
> endpoints to be valid for "www.apache.org"
>
> Without KIP-302, only one would be attempted.
> Which is the first one, that can change every time
> (typically changes on every Java process restart,
> but may change also any time InetAddress.getAllByName is invoked
> depending on the caching).
>
> The behavioral change that KIP-302 may introduce is that in the example above,
> also an IPv6 connection may be attempted after some IPv4 ones.
>
> InetAddress.getAllByName() implementation uses a system property
> "java.net.preferIPv6Addresses"
> to decide which type of address to return first (default is still IPv4
> in java 10)
>
> We will amend the KIP and PR so that the loop only uses IPs of the
> same type as the first one returned.
>
> Apart from the above, KIP 302 does not seem to change any existing
> client behaviour, as any one of multiple IP addresses (of a given
> v4/v6 type) can currently be picked.
> We're happy however to keep the looping behavior optional with the
> discussed config property, disabled by default.
>
> As for KIP-235 that may introduce new hostnames in the bootstrap list
> (the current PR rewrites the bootstrap list)
> and we fail to see the conflict with KIP-302, whatever the set of
> configs chosen.
>
> We'd be happy to try to understand what we are missing in a KIP call :-)
>
> cheers
> Edo
>
> On 15 May 2018 at 16:58, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>> Hi Edo,
>>
>> I agree that KIP-235 and KIP-302 address different scenarios. And I agree
>> that each one is not sufficient in itself to address both the scenarios.
>> But I also think that they conflict and hence they need to be looked at
>> together and perhaps use a single config.
>>
>> As an example:
>>
>> If I run:
>>
>> for (InetAddress address : InetAddress.getAllByName("www.apache.org")) {
>> System.out.printf("HostName %s canonicalHostName %s IP %s\n",
>> address.getHostName(), address.getC
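
The disagreement in the message above, as an added example that is not part of the thread or of Kafka's code: for each lookup behaviour it lists which address is dialled and which name the broker then has to prove, and checks that name against two deployments. The DNS records, host names and identity sets are constructed, and name checking is simplified to an exact match against the names a broker's certificate or Kerberos principal covers.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class LookupModeDemo {

    /** The three per-side behaviours discussed: no lookup, all IPs with the
     *  configured host name, all IPs with the canonical host name. */
    enum Mode { NO_LOOKUP, ALL_IPS_HOST_NAME, ALL_IPS_CANONICAL_NAME }

    /** One connection attempt: the address dialled and the name the broker must prove. */
    static final class Attempt {
        final String ip;
        final String expectedName;
        Attempt(String ip, String expectedName) {
            this.ip = ip;
            this.expectedName = expectedName;
        }
    }

    // Constructed DNS data: one alias with two A records, plus PTR records.
    static final String ALIAS = "kafka.example.test";
    static final Map<String, List<String>> A_RECORDS =
            Map.of(ALIAS, List.of("192.0.2.11", "192.0.2.12"));
    static final Map<String, String> PTR_RECORDS = Map.of(
            "192.0.2.11", "broker1.example.test",
            "192.0.2.12", "broker2.example.test");

    /** Connection attempts a client would make for one configured host. */
    static List<Attempt> plan(String configuredHost, Mode mode) {
        List<Attempt> attempts = new ArrayList<>();
        for (String ip : A_RECORDS.getOrDefault(configuredHost, List.of())) {
            // Stand-in for InetAddress.getCanonicalHostName(), which falls back
            // to the textual IP address when the reverse lookup fails.
            String name = mode == Mode.ALL_IPS_CANONICAL_NAME
                    ? PTR_RECORDS.getOrDefault(ip, ip)
                    : configuredHost;
            attempts.add(new Attempt(ip, name));
            if (mode == Mode.NO_LOOKUP) {
                break; // only the first resolved address is ever tried
            }
        }
        return attempts;
    }

    /** Checks every planned attempt against the names each broker can prove. */
    static String outcome(Map<String, Set<String>> identities, Mode mode) {
        StringBuilder sb = new StringBuilder();
        for (Attempt a : plan(ALIAS, mode)) {
            boolean ok = identities.getOrDefault(a.ip, Set.of()).contains(a.expectedName);
            sb.append(String.format("%s as %s -> %s; ",
                    a.ip, a.expectedName, ok ? "ok" : "MISMATCH"));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        Map<String, Map<String, Set<String>>> deployments = new LinkedHashMap<>();
        // Every broker serves a certificate valid for the shared alias.
        deployments.put("certificates issued for the shared alias", Map.of(
                "192.0.2.11", Set.of(ALIAS),
                "192.0.2.12", Set.of(ALIAS)));
        // Every broker has a certificate or Kerberos principal for its own name only.
        deployments.put("certificates/principals issued per broker", Map.of(
                "192.0.2.11", Set.of("broker1.example.test"),
                "192.0.2.12", Set.of("broker2.example.test")));

        for (Map.Entry<String, Map<String, Set<String>>> d : deployments.entrySet()) {
            System.out.println(d.getKey());
            for (Mode m : Mode.values()) {
                System.out.printf("  %-24s %s%n", m, outcome(d.getValue(), m));
            }
        }
    }
}
```

The canonical-name mode mismatches in the first deployment and the host-name modes mismatch in the second, which is why neither behaviour works for both environments.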

RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-05-16 Thread Skrzypek, Jonathan
 IP returned.
>>
>> HTH,
>> Edo
>>
>> On 14 May 2018 at 16:23, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>> > Hi Edo,
>> >
>> > Thanks for the KIP. I think it will be good to include a diagram to make
>> it
>> > easier to distinguish this scenario from that of KIP-235 without reading
>> > the PR.
>> >
>> > It may be worth considering if KIP-235 and this KIP could use a single
>> > config name with different values instead of two boolean configs:
>> >
>> > bootstrap.reverse.dns.lookup = true/false
>> > enable.all.dns.ips = true/false
>> >
>> > Not all values of (bootstrap.reverse.dns.lookup, enable.all.dns.ips) seem
>> > to make sense. And not all scenarios are handled. Even if we use multiple
>> > configs, it seems to me that we may want to name them differently.
>> >
>> > The possible combinations are:
>> >
>> > 1) Bootstrap
>> >
>> > a) No lookup
>> > b) Use all DNS entries with host name
>> > c) Use all DNS entries with canonical host name
>> >
>> > 2) Advertised listeners
>> >
>> > a) No lookup
>> > b) Use all DNS entries with host name
>> > c) Use all DNS entries with canonical host name
>> >
>> > The combinations that are enabled by the two boolean configs (
>> > bootstrap.reverse.dns.lookup, enable.all.dns.ips)  are:
>> >
>> >- (false, false) => (1a, 2a)
>> >- (true, false) => (1c, 2a)
>> >- (false, true) => (1b, 2b)
>> >- (true, true) => (??, 2b)
>> >
>> > It will be good if we can clearly identify which combinations we want to
>> > support and the scenarios where they may be useful. Perhaps (1a, 2a),
>> (1c,
>> > 2a), (1b, 2b) and (1c, 2c) are useful?
>> >
>> >
>> > On Mon, May 14, 2018 at 2:58 PM, Skrzypek, Jonathan <
>> > jonathan.skrzy...@gs.com> wrote:
>> >
>> >> Ah, apologies didn't see there was already a decent amount of discussion
>> >> on this in the PR.
>> >>
>> >> This kind of sounds related to the environment you're running to me.
>> >> What is the rationale behind using the advertised listeners to do your
>> >> load balancing advertisement rather than a top level alias that has
>> >> everything ?
>> >>
>> >> It sounds like in your case there is a mismatch between
>> bootstrap.servers
>> >> and advertised.listeners, and you want advertised.listeners to take
>> >> precedence and have the client iterate over what is returned by the
>> broker.
>> >> So the extra parameter doesn't only have to do with DNS but it's also
>> >> appending from the broker, maybe the parameter name should reflect this
>> ?
>> >>
>> >> Jonathan Skrzypek
>> >>
>> >>
>> >> -Original Message-
>> >> From: Skrzypek, Jonathan [Tech]
>> >> Sent: 14 May 2018 14:46
>> >> To: dev@kafka.apache.org
>> >> Subject: RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS
>> >> resolved IP addresses
>> >>
>> >> Hi,
>> >>
>> >> I see you noted the similarities with KIP-235.
>> >> But KIP-235 might also solve what this KIP is trying to achieve.
>> >>
>> >> When parsing bootstrap.servers, KIP-235 has the client add all
>> underlying
>> >> hostnames and IPs.
>> >> And this happens before hitting the NetworkClient.
>> >>
>> >> So to me the client will try every single endpoint behind any
>> >> bootstrap.servers record.
>> >>
>> >> See
>> >> https://github.com/apache/kafka/pull/4485/commits/24757eb7b06bcf8c7d7649c85232c52b5d54f0e4#diff-89ef153462e64c250a21bd324ae1a851
>> >> which calls getAllByName like you suggested
>> >>
>> >> Jonathan Skrzypek
>> >>
>> >>
>> >> -Original Message-
>> >> From: Edoardo Comar [mailto:edoco...@gmail.com]
>> >> Sent: 14 May 2018 14:17
>> >> To: dev@kafka.apache.org
>> >> Subject: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS
>> resolved

RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-05-14 Thread Skrzypek, Jonathan
Ah, apologies didn't see there was already a decent amount of discussion on 
this in the PR.

This kind of sounds related to the environment you're running to me.
What is the rationale behind using the advertised listeners to do your load 
balancing advertisement rather than a top level alias that has everything ?

It sounds like in your case there is a mismatch between bootstrap.servers and 
advertised.listeners, and you want advertised.listeners to take precedence and 
have the client iterate over what is returned by the broker.
So the extra parameter doesn't only have to do with DNS but it's also appending 
from the broker, maybe the parameter name should reflect this ?

Jonathan Skrzypek 


-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 14 May 2018 14:46
To: dev@kafka.apache.org
Subject: RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
IP addresses

Hi,

I see you noted the similarities with KIP-235.
But KIP-235 might also solve what this KIP is trying to achieve.

When parsing bootstrap.servers, KIP-235 has the client add all underlying 
hostnames and IPs.
And this happens before hitting the NetworkClient.

So to me the client will try every single endpoint behind any bootstrap.servers 
record.

See 
https://github.com/apache/kafka/pull/4485/commits/24757eb7b06bcf8c7d7649c85232c52b5d54f0e4#diff-89ef153462e64c250a21bd324ae1a851
which calls getAllByName like you suggested

Jonathan Skrzypek 


-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com] 
Sent: 14 May 2018 14:17
To: dev@kafka.apache.org
Subject: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP 
addresses

Hi all,

We just opened a KIP to add support for the client to use all IPs returned
by DNS for the brokers

The details are here -

https://cwiki.apache.org/confluence/display/KAFKA/KIP-302+-+Enable+Kafka+clients+to+use+all+DNS+resolved+IP+addresses

The JIRA and provisional PR (where the discussion led to the creation of
this KIP) are :

https://issues.apache.org/jira/browse/KAFKA-6863

https://github.com/apache/kafka/pull/4987

Looking forward to the community's feedback.
It would be amazing to have it voted by May 22nd :-) :-)

Edoardo & Mickael


RE: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP addresses

2018-05-14 Thread Skrzypek, Jonathan
Hi,

I see you noted the similarities with KIP-235.
But KIP-235 might also solve what this KIP is trying to achieve.

When parsing bootstrap.servers, KIP-235 has the client add all underlying 
hostnames and IPs.
And this happens before hitting the NetworkClient.

So to me the client will try every single endpoint behind any bootstrap.servers 
record.

See 
https://github.com/apache/kafka/pull/4485/commits/24757eb7b06bcf8c7d7649c85232c52b5d54f0e4#diff-89ef153462e64c250a21bd324ae1a851
which calls getAllByName like you suggested

Jonathan Skrzypek 


-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com] 
Sent: 14 May 2018 14:17
To: dev@kafka.apache.org
Subject: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved IP 
addresses

Hi all,

We just opened a KIP to add support for the client to use all IPs returned
by DNS for the brokers

The details are here -

https://cwiki.apache.org/confluence/display/KAFKA/KIP-302+-+Enable+Kafka+clients+to+use+all+DNS+resolved+IP+addresses

The JIRA and provisional PR (where the discussion led to the creation of
this KIP) are :

https://issues.apache.org/jira/browse/KAFKA-6863

https://github.com/apache/kafka/pull/4987

Looking forward to the community's feedback.
It would be amazing to have it voted by May 22nd :-) :-)

Edoardo & Mickael


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-14 Thread Skrzypek, Jonathan
Sure, I modified the KIP to add more details 

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection


Jonathan Skrzypek 


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk] 
Sent: 14 May 2018 11:53
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP, Jonathan. It would be helpful to have more detail on
how SSL authentication could be broken if the new behaviour is the default.
I know this was discussed in the mailing list thread, but it's important to
include it in the KIP since it's the main reason why a new config is needed
(and configs should be avoided whenever we can just do the right thing).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-14 Thread Skrzypek, Jonathan
Up :)
Anyone for a binding vote here ?

Jonathan Skrzypek 

-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 10 May 2018 13:17
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks Jonathan. You have binding votes from me and Gwen. One more binding
vote is required for this KIP to be approved.

On Thu, May 10, 2018 at 1:14 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> Have implemented the changes discussed.
> bootstrap.reverse.dns.lookup is disabled by default.
> When enabled, the client will perform reverse dns lookup regardless of the
> security protocol used.
>
> https://github.com/apache/kafka/pull/4485
>
>
> Jonathan Skrzypek
>
>
> -----Original Message-
> From: Skrzypek, Jonathan [Tech]
> Sent: 01 May 2018 17:17
> To: dev
> Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.
>
> Updated the KIP.
>
>
>
> Jonathan Skrzypek
>
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 01 May 2018 11:08
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Jonathan,
>
> Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
> since it can no longer be used in a secure environment where Kerberos is
> used with TLS. Perhaps the best option is to do the lookup if the option is
> explicitly enabled regardless of what the security protocol is. If there is
> a SSL handshake failure with this option enabled, the error message can be
> updated to indicate that it could be because a reverse lookup was used. Can
> you state in the KIP that the default value of
> bootstrap.reverse.dns.lookup will
> be false and hence there is no backwards compatibility issue.
>
> On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com> wrote:
>
> > Thanks for your comments.
> > Have updated the KIP.
> >
> > I agree SSL and SASL_SSL will face similar issues and should behave the
> > same.
> > Thinking about this further,  I'm wondering whether setting
> > bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> > should throw a critical error and stop, or at least log a warning stating
> > that the lookup won't be performed.
> > This sounds better than silently ignoring and leaving users with the
> > impression they can use SSL and bootstrap server aliases.
> > Abruptly stopping the client sounds a bit extreme so I'm leaning towards
> a
> > warning.
> >
> > Thoughts ?
> >
> > I'm not sure about checking whether the list has IP addresses.
> > There could be cases where the list has a mix of FQDNs and IPs, so I
> would
> > rather perform the lookup regardless of the case when the parameter is
> > enabled.
> >
> > On the security aspects, I am by no means a security or SASL expert so
> > commented the KIP with what I believe to be the case.
> >
> > Jonathan Skrzypek
> >
> > -Original Message-
> > From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> > Sent: 29 April 2018 15:38
> > To: dev
> > Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
> >
> > Hi Jonathan,
> >
> > Thanks for the KIP.
> >
> > +1 (binding) with a couple comments below to add more detail to the KIP.
> >
> >1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
> >should or shouldn't be used. Document security considerations as well
> as
> >other system configurations that may have an impact.
> >2. The PR currently disables the new code path for security protocol
> >SSL. But this doesn't address SASL_SSL which could also do hostname
> >verification. Do we even want to do reverse lookup if bootstrap list
> >contains IP addresses? If we do, we should handle SSL and SASL_SSL in
> > the
> >same way (which basically means handling all protocols in the same
> way).
> >
> >
> > On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> > steph...@simplemachines.com.au> wrote:
> >
> > > +1 as a user
> > > BUT
> > >
> > > I am no security expert. I have experienced that issue while setting
> up a
> > > cluster and whil

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-10 Thread Skrzypek, Jonathan
Hi,

Have implemented the changes discussed.
bootstrap.reverse.dns.lookup is disabled by default.
When enabled, the client will perform reverse dns lookup regardless of the 
security protocol used.

https://github.com/apache/kafka/pull/4485


Jonathan Skrzypek 


-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 01 May 2018 17:17
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.

Updated the KIP.



Jonathan Skrzypek 


-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 01 May 2018 11:08
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Jonathan,

Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
since it can no longer be used in a secure environment where Kerberos is
used with TLS. Perhaps the best option is to do the lookup if the option is
explicitly enabled regardless of what the security protocol is. If there is
a SSL handshake failure with this option enabled, the error message can be
updated to indicate that it could be because a reverse lookup was used. Can
you state in the KIP that the default value of
bootstrap.reverse.dns.lookup will
be false and hence there is no backwards compatibility issue.

On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Thanks for your comments.
> Have updated the KIP.
>
> I agree SSL and SASL_SSL will face similar issues and should behave the
> same.
> Thinking about this further,  I'm wondering whether setting
> bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> should throw a critical error and stop, or at least log a warning stating
> that the lookup won't be performed.
> This sounds better than silently ignoring and leaving users with the
> impression they can use SSL and bootstrap server aliases.
> Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> warning.
>
> Thoughts ?
>
> I'm not sure about checking whether the list has IP addresses.
> There could be cases where the list has a mix of FQDNs and IPs, so I would
> rather perform the lookup regardless of the case when the parameter is
> enabled.
>
> On the security aspects, I am by no means a security or SASL expert so
> commented the KIP with what I believe to be the case.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 29 April 2018 15:38
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi Jonathan,
>
> Thanks for the KIP.
>
> +1 (binding) with a couple comments below to add more detail to the KIP.
>
>1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
>should or shouldn't be used. Document security considerations as well as
>other system configurations that may have an impact.
>2. The PR currently disables the new code path for security protocol
>SSL. But this doesn't address SASL_SSL which could also do hostname
>verification. Do we even want to do reverse lookup if bootstrap list
>contains IP addresses? If we do, we should handle SSL and SASL_SSL in
> the
>same way (which basically means handling all protocols in the same way).
>
>
> On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
> > +1 as a user
> > BUT
> >
> > I am no security expert. I have experienced that issue while setting up a
> > cluster and while I would have liked a feature like that (I opened a JIRA
> > at the time), I always guessed that the reason was because of some
> security
> > protection.
> >
> > Now from a setup point of view this helps a ton, but I really want to
> make
> > sure this doesn't introduce any security risk by relaxing a constraint.
> >
> > Is there a security assessment possible by someone accredited ?
> >
> > Sorry for raising these questions just want to make sure it's addressed
> >
> > On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
> >
> > > +1 (binding)
> > >
> > > This KIP is quite vital to running secured clusters in cloud/container
> > > environment. Would love to see more support from the community to this
> > (or
> > > feedback...)
> > >
> > > Gwen
> > >
> > > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > > jonathan.skrzy...@gs.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Could anyone take a look ?
> > > > Does the proposal sound reasonable

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-01 Thread Skrzypek, Jonathan
Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.

Updated the KIP.



Jonathan Skrzypek 


-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 01 May 2018 11:08
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Jonathan,

Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
since it can no longer be used in a secure environment where Kerberos is
used with TLS. Perhaps the best option is to do the lookup if the option is
explicitly enabled regardless of what the security protocol is. If there is
a SSL handshake failure with this option enabled, the error message can be
updated to indicate that it could be because a reverse lookup was used. Can
you state in the KIP that the default value of
bootstrap.reverse.dns.lookup will
be false and hence there is no backwards compatibility issue.

On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Thanks for your comments.
> Have updated the KIP.
>
> I agree SSL and SASL_SSL will face similar issues and should behave the
> same.
> Thinking about this further,  I'm wondering whether setting
> bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> should throw a critical error and stop, or at least log a warning stating
> that the lookup won't be performed.
> This sounds better than silently ignoring and leaving users with the
> impression they can use SSL and bootstrap server aliases.
> Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> warning.
>
> Thoughts ?
>
> I'm not sure about checking whether the list has IP addresses.
> There could be cases where the list has a mix of FQDNs and IPs, so I would
> rather perform the lookup regardless of the case when the parameter is
> enabled.
>
> On the security aspects, I am by no means a security or SASL expert so
> commented the KIP with what I believe to be the case.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 29 April 2018 15:38
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi Jonathan,
>
> Thanks for the KIP.
>
> +1 (binding) with a couple comments below to add more detail to the KIP.
>
>1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
>should or shouldn't be used. Document security considerations as well as
>other system configurations that may have an impact.
>2. The PR currently disables the new code path for security protocol
>SSL. But this doesn't address SASL_SSL which could also do hostname
>verification. Do we even want to do reverse lookup if bootstrap list
>contains IP addresses? If we do, we should handle SSL and SASL_SSL in
> the
>same way (which basically means handling all protocols in the same way).
>
>
> On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
> > +1 as a user
> > BUT
> >
> > I am no security expert. I have experienced that issue while setting up a
> > cluster and while I would have liked a feature like that (I opened a JIRA
> > at the time), I always guessed that the reason was because of some
> security
> > protection.
> >
> > Now from a setup point of view this helps a ton, but I really want to
> make
> > sure this doesn't introduce any security risk by relaxing a constraint.
> >
> > Is there a security assessment possible by someone accredited ?
> >
> > Sorry for raising these questions just want to make sure it's addressed
> >
> > On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
> >
> > > +1 (binding)
> > >
> > > This KIP is quite vital to running secured clusters in cloud/container
> > > environment. Would love to see more support from the community to this
> > (or
> > > feedback...)
> > >
> > > Gwen
> > >
> > > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > > jonathan.skrzy...@gs.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Could anyone take a look ?
> > > > Does the proposal sound reasonable ?
> > > >
> > > > Jonathan Skrzypek
> > > >
> > > >
> > > > From: Skrzypek, Jonathan [Tech]
> > > > Sent: 23 March 2018 19:05
> > > > To: dev@kafka.apache.org
> > > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > > >
> > > > Hi,
> > > >
> > > > I would like

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-30 Thread Skrzypek, Jonathan
Thanks for your comments.
Have updated the KIP.

I agree SSL and SASL_SSL will face similar issues and should behave the same.
Thinking about this further,  I'm wondering whether setting 
bootstrap.reverse.dns.lookup to true whilst using any of those protocols should 
throw a critical error and stop, or at least log a warning stating that the 
lookup won't be performed.
This sounds better than silently ignoring and leaving users with the impression 
they can use SSL and bootstrap server aliases.
Abruptly stopping the client sounds a bit extreme so I'm leaning towards a 
warning.

Thoughts ?

I'm not sure about checking whether the list has IP addresses.
There could be cases where the list has a mix of FQDNs and IPs, so I would 
rather perform the lookup regardless of the case when the parameter is enabled.

On the security aspects, I am by no means a security or SASL expert so 
commented the KIP with what I believe to be the case.

Jonathan Skrzypek 

-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 29 April 2018 15:38
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi Jonathan,

Thanks for the KIP.

+1 (binding) with a couple comments below to add more detail to the KIP.

   1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
   should or shouldn't be used. Document security considerations as well as
   other system configurations that may have an impact.
   2. The PR currently disables the new code path for security protocol
   SSL. But this doesn't address SASL_SSL which could also do hostname
   verification. Do we even want to do reverse lookup if bootstrap list
   contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
   same way (which basically means handling all protocols in the same way).


On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
steph...@simplemachines.com.au> wrote:

> +1 as a user
> BUT
>
> I am no security expert. I have experienced that issue while setting up a
> cluster and while I would have liked a feature like that (I opened a JIRA
> at the time), I always guessed that the reason was because of some security
> protection.
>
> Now from a setup point of view this helps a ton, but I really want to make
> sure this doesn't introduce any security risk by relaxing a constraint.
>
> Is there a security assessment possible by someone accredited ?
>
> Sorry for raising these questions just want to make sure it's addressed
>
> On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
>
> > +1 (binding)
> >
> > This KIP is quite vital to running secured clusters in cloud/container
> > environment. Would love to see more support from the community to this
> (or
> > feedback...)
> >
> > Gwen
> >
> > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > jonathan.skrzy...@gs.com> wrote:
> >
> > > Hi,
> > >
> > > Could anyone take a look ?
> > > Does the proposal sound reasonable ?
> > >
> > > Jonathan Skrzypek
> > >
> > >
> > > From: Skrzypek, Jonathan [Tech]
> > > Sent: 23 March 2018 19:05
> > > To: dev@kafka.apache.org
> > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > >
> > > Hi,
> > >
> > > I would like to start a vote for KIP-235
> > >
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> > >
> > > This is a proposition to add an option for reverse dns lookup of
> > > bootstrap.servers hosts, allowing the use of dns aliases on clusters
> > using
> > > SASL authentication.
> > >
> > >
> > >
> > >
> >
> >
> > --
> > *Gwen Shapira*
> > Product Manager | Confluent
> > 650.450.2760 | @gwenshap
> > Follow us: Twitter <https://twitter.com/ConfluentInc> | blog
> > <http://www.confluent.io/blog>
> >
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-18 Thread Skrzypek, Jonathan
I have updated the KIP with more details, thanks.


Jonathan Skrzypek 

-Original Message-
From: Ted Yu [mailto:yuzhih...@gmail.com] 
Sent: 16 April 2018 16:02
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Looks good to me.

BTW KAFKA-6195 contains more technical details than the KIP. See if you can
enrich the Motivation section with some of the details.

Thanks

On Fri, Mar 23, 2018 at 12:05 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-16 Thread Skrzypek, Jonathan
Hi,

Could anyone take a look ?
Does the proposal sound reasonable ?

Jonathan Skrzypek


From: Skrzypek, Jonathan [Tech]
Sent: 23 March 2018 19:05
To: dev@kafka.apache.org
Subject: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi,

I would like to start a vote for KIP-235

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

This is a proposition to add an option for reverse dns lookup of 
bootstrap.servers hosts, allowing the use of dns aliases on clusters using SASL 
authentication.





[VOTE] KIP-235 Add DNS alias support for secured connection

2018-03-23 Thread Skrzypek, Jonathan
Hi,

I would like to start a vote for KIP-235

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

This is a proposition to add an option for reverse dns lookup of 
bootstrap.servers hosts, allowing the use of dns aliases on clusters using SASL 
authentication.





RE: [DISCUSS]KIP-235 DNS alias and secured connections

2018-03-09 Thread Skrzypek, Jonathan
Hi,

There has been further discussion on the ticket and it seems having an 
additional option to trigger the DNS lookup behaviour would be the best 
approach.

https://issues.apache.org/jira/browse/KAFKA-6195

Updated the KIP 
https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

Would value your opinions.

Jonathan Skrzypek 


-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 22 February 2018 16:21
To: 'dev@kafka.apache.org'
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

Could anyone take a look at the pull request, so that if ok I can start a VOTE 
thread ?

Regards,

Jonathan Skrzypek 

-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 09 February 2018 13:57
To: 'dev@kafka.apache.org'
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

I have raised a PR https://github.com/apache/kafka/pull/4485 with suggested 
code changes.
There are however reported failures, don't understand what's the issue since 
tests are passing.
Any ideas ?


Jonathan Skrzypek 

-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 29 January 2018 16:51
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

Yes I believe this might address what you're seeing as well.

Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-Original Message-
From: Stephane Maarek [mailto:steph...@simplemachines.com.au]
Sent: 06 December 2017 10:43
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan

I think this will be very useful. I reported something similar here :
https://issues.apache.org/jira/browse/KAFKA-4781

Please confirm your kip will address it ?

Stéphane

On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
wrote:

> True, amended the KIP, thanks.
>
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
>
>
> -Original Message-
> From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> Sent: 05 December 2017 18:19
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>
> Hi Jonathan,
>
> It might be worth mentioning in the KIP that this is necessary only 
> for
> *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it 
> makes sense, but I was confused up until that point.
>
> Cheers,
>
> Tom
>
> On 5 December 2017 at 17:53, Skrzypek, Jonathan 
> <jonathan.skrzy...@gs.com>
> wrote:
>
> > Hi,
> >
> > I would like to discuss a KIP I've submitted :
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > Feedback and suggestions welcome !
> >
> > Regards,
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > Tel: +442070512977
> >
> >
>


RE: [VOTE] KIP-186: Increase offsets retention default to 7 days

2018-03-07 Thread Skrzypek, Jonathan
+1 (non-binding)

Jonathan Skrzypek 


-Original Message-
From: Bill Bejeck [mailto:bbej...@gmail.com] 
Sent: 06 March 2018 22:03
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-186: Increase offsets retention default to 7 days

+1

Thanks,
Bill

On Tue, Mar 6, 2018 at 2:27 PM, Matthias J. Sax 
wrote:

> +1 (binding)
>
> On 3/6/18 10:43 AM, Vahid S Hashemian wrote:
> > +1 (non-binding)
> >
> > Thanks Ewen.
> >
> > --Vahid
> >
> >
> >
> > From:   Ewen Cheslack-Postava 
> > To: dev@kafka.apache.org
> > Date:   03/05/2018 11:35 AM
> > Subject:[VOTE] KIP-186: Increase offsets retention default to 7
> > days
> >
> >
> >
> > I'd like to kick off voting for KIP-186:
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-186%3A+Increase+offsets+retention+default+to+7+days
> >
> >
> > This is the trivial fix that people in the DISCUSS thread were in 
> > favor of.
> > There are some ideas for further refinements, but I think we can follow up
> > with those in subsequent KIPs, see the discussion thread for details. Also
> > note this is related, but complementary, to
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-211%3A+Revise+Expiration+Semantics+of+Consumer+Group+Offsets
> >
> > .
> >
> > And of course +1 (binding) from me.
> >
> > Thanks,
> > Ewen
> >
> >
> >
> >
> >
>
>


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2018-02-22 Thread Skrzypek, Jonathan
Hi,

Could anyone take a look at the pull request, so that if ok I can start a VOTE 
thread ?

Regards,

Jonathan Skrzypek 

-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 09 February 2018 13:57
To: 'dev@kafka.apache.org'
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

I have raised a PR https://github.com/apache/kafka/pull/4485 with suggested 
code changes.
There are however reported failures, don't understand what's the issue since 
tests are passing.
Any ideas ?


Jonathan Skrzypek 

-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 29 January 2018 16:51
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

Yes I believe this might address what you're seeing as well.

Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-Original Message-
From: Stephane Maarek [mailto:steph...@simplemachines.com.au]
Sent: 06 December 2017 10:43
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan

I think this will be very useful. I reported something similar here :
https://issues.apache.org/jira/browse/KAFKA-4781

Please confirm your kip will address it ?

Stéphane

On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
wrote:

> True, amended the KIP, thanks.
>
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
>
>
> -Original Message-
> From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> Sent: 05 December 2017 18:19
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>
> Hi Jonathan,
>
> It might be worth mentioning in the KIP that this is necessary only 
> for
> *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it 
> makes sense, but I was confused up until that point.
>
> Cheers,
>
> Tom
>
> On 5 December 2017 at 17:53, Skrzypek, Jonathan 
> <jonathan.skrzy...@gs.com>
> wrote:
>
> > Hi,
> >
> > I would like to discuss a KIP I've submitted :
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > Feedback and suggestions welcome !
> >
> > Regards,
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > Tel: +442070512977
> >
> >
>


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2018-02-09 Thread Skrzypek, Jonathan
Hi,

I have raised a PR https://github.com/apache/kafka/pull/4485 with suggested 
code changes.
There are however reported failures, don't understand what's the issue since 
tests are passing.
Any ideas ?


Jonathan Skrzypek 

-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 29 January 2018 16:51
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi,

Yes I believe this might address what you're seeing as well.

Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-Original Message-
From: Stephane Maarek [mailto:steph...@simplemachines.com.au]
Sent: 06 December 2017 10:43
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan

I think this will be very useful. I reported something similar here :
https://issues.apache.org/jira/browse/KAFKA-4781

Please confirm your kip will address it ?

Stéphane

On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
wrote:

> True, amended the KIP, thanks.
>
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
>
>
> -Original Message-
> From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> Sent: 05 December 2017 18:19
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>
> Hi Jonathan,
>
> It might be worth mentioning in the KIP that this is necessary only 
> for
> *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it 
> makes sense, but I was confused up until that point.
>
> Cheers,
>
> Tom
>
> On 5 December 2017 at 17:53, Skrzypek, Jonathan 
> <jonathan.skrzy...@gs.com>
> wrote:
>
> > Hi,
> >
> > I would like to discuss a KIP I've submitted :
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > Feedback and suggestions welcome !
> >
> > Regards,
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > Tel: +442070512977
> >
> >
>


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2018-01-29 Thread Skrzypek, Jonathan
Hi,

Yes I believe this might address what you're seeing as well.

Jonathan Skrzypek 
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-Original Message-
From: Stephane Maarek [mailto:steph...@simplemachines.com.au] 
Sent: 06 December 2017 10:43
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan

I think this will be very useful. I reported something similar here :
https://issues.apache.org/jira/browse/KAFKA-4781

Please confirm your kip will address it ?

Stéphane

On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
wrote:

> True, amended the KIP, thanks.
>
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
>
>
> -Original Message-
> From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> Sent: 05 December 2017 18:19
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>
> Hi Jonathan,
>
> It might be worth mentioning in the KIP that this is necessary only 
> for
> *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it 
> makes sense, but I was confused up until that point.
>
> Cheers,
>
> Tom
>
> On 5 December 2017 at 17:53, Skrzypek, Jonathan 
> <jonathan.skrzy...@gs.com>
> wrote:
>
> > Hi,
> >
> > I would like to discuss a KIP I've submitted :
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > Feedback and suggestions welcome !
> >
> > Regards,
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > Tel: +442070512977
> >
> >
>


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2017-12-11 Thread Skrzypek, Jonathan
I agree that if there are hostnames in the list which don't correspond to any 
principal, then the connection will fail, but that's the way the SASL 
authentication with Kerberos works anyways, so we're not breaking anything here 
I think.
This is the current behaviour, if you put 3 FQDNs in bootstrap.servers today 
and one of them doesn't match, you will get AUTH_FAILED.

"Also I think you are suggesting that we update bootstrap servers to be the 
alias plus any other hostnames obtained from DNS lookup."
The suggested change doesn't "make" bootstrap servers the alias, it will 
resolve the alias to retrieve all underlying canonical host names, and will put 
all of them in the list of addresses returned by parseAndValidateAddresses() in 
ClientUtils.


Jonathan Skrzypek 
Middleware Engineering
Messaging Engineering
Goldman Sachs International

-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 06 December 2017 12:58
To: dev
Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections

Sorry, the example I used with public/private DNS is wrong. But there is the 
general issue of multiple DNS names where only one is added to the 
keytab/certificate, but all names are added to the bootstrap server list.

On Wed, Dec 6, 2017 at 12:06 PM, Rajini Sivaram <rajinisiva...@gmail.com>
wrote:

> Hi Jonathan,
>
> Thank you for the KIP.
>
> I think you are proposing that we always do this (i.e. no option to 
> turn it off). If you have a private and public DNS name, at the 
> moment, if SSL certs and keytabs contain the only public DNS name and 
> the bootstrap servers and advertised listeners are configured to use 
> that name, everything works fine. With the proposed changes in the 
> KIP, the client would add the private name as well to the bootstrap 
> servers. So if a connection is made to the private name, that would 
> result in an authentication exception.
>
> Also I think you are suggesting that we update bootstrap servers to be 
> the alias plus any other hostnames obtained from DNS lookup. This 
> means that connections using the alias would fail with authentication 
> exception. We do not retry in the case of authentication exceptions 
> (and it makes it hard to diagnose security issues if we start 
> expecting some authentication failures to be ok).
>
>
> On Wed, Dec 6, 2017 at 10:43 AM, Stephane Maarek < 
> steph...@simplemachines.com.au> wrote:
>
>> Hi Jonathan
>>
>> I think this will be very useful. I reported something similar here :
>> https://issues.apache.org/jira/browse/KAFKA-4781
>>
>> Please confirm your kip will address it ?
>>
>> Stéphane
>>
>> On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" 
>> <jonathan.skrzy...@gs.com>
>> wrote:
>>
>> > True, amended the KIP, thanks.
>> >
>> > Jonathan Skrzypek
>> > Middleware Engineering
>> > Messaging Engineering
>> > Goldman Sachs International
>> >
>> >
>> > -Original Message-
>> > From: Tom Bentley [mailto:t.j.bent...@gmail.com]
>> > Sent: 05 December 2017 18:19
>> > To: dev@kafka.apache.org
>> > Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>> >
>> > Hi Jonathan,
>> >
>> > It might be worth mentioning in the KIP that this is necessary only 
>> > for
>> > *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA 
>> > it makes sense, but I was confused up until that point.
>> >
>> > Cheers,
>> >
>> > Tom
>> >
>> > On 5 December 2017 at 17:53, Skrzypek, Jonathan <
>> jonathan.skrzy...@gs.com>
>> > wrote:
>> >
>> > > Hi,
>> > >
>> > > I would like to discuss a KIP I've submitted :
>> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>> > >
>> > > Feedback and suggestions welcome !
>> > >
>> > > Regards,
>> > > Jonathan Skrzypek
>> > > Middleware Engineering
>> > > Messaging Engineering
>> > > Goldman Sachs International
>> > > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
>> > > Tel: +442070512977 <+44%2020%207051%202977>
>> > >
>> > >
>> >
>>
>
>
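
The alias expansion described in the message above, together with the missing-principal case raised in the quoted reply, as an added example (not code from the KIP, the PR or Kafka's ClientUtils). DNS is simulated with in-memory maps so it runs offline; the host names, addresses, port, realm and keytab contents are constructed, and the service name `kafka` is an assumption.

```java
import java.util.ArrayList;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added illustration, not Kafka's ClientUtils. All names, addresses, the realm
// and the principal set are constructed; DNS is simulated so this runs offline.
public class AliasExpansionCheck {

    // Constructed forward zone: the alias fronts three brokers (A records).
    static final Map<String, List<String>> FORWARD = Map.of(
        "kafka-alias.example.com", List.of("10.0.0.1", "10.0.0.2", "10.0.0.3"));

    // Constructed reverse zone (PTR). 10.0.0.3 points at a second name for the
    // same broker, the multiple-DNS-names case raised in the quoted reply.
    static final Map<String, String> REVERSE = Map.of(
        "10.0.0.1", "broker1.example.com",
        "10.0.0.2", "broker2.example.com",
        "10.0.0.3", "broker3-mgmt.example.com");

    // Constructed list of service principals present in the broker keytabs.
    static final Set<String> KEYTAB_PRINCIPALS = Set.of(
        "kafka/broker1.example.com@EXAMPLE.COM",
        "kafka/broker2.example.com@EXAMPLE.COM",
        "kafka/broker3.example.com@EXAMPLE.COM");

    // Expand every host:port entry into one entry per canonical name behind it.
    static List<String> expand(List<String> bootstrapServers) {
        Set<String> expanded = new LinkedHashSet<>();
        for (String entry : bootstrapServers) {
            int colon = entry.lastIndexOf(':');
            if (colon <= 0 || colon == entry.length() - 1) {
                throw new IllegalArgumentException("expected host:port, got " + entry);
            }
            String host = entry.substring(0, colon);
            String port = entry.substring(colon + 1);
            List<String> addresses = FORWARD.get(host);
            if (addresses == null) {
                throw new IllegalArgumentException("cannot resolve " + host);
            }
            for (String ip : addresses) {
                // Without a PTR record the IP literal is kept, which is also what
                // InetAddress.getCanonicalHostName() returns when the lookup fails.
                expanded.add(REVERSE.getOrDefault(ip, ip) + ":" + port);
            }
        }
        return new ArrayList<>(expanded);
    }

    // Service principal a GSSAPI client requests for a host: service/host@REALM.
    static String principalFor(String hostPort, String service, String realm) {
        String host = hostPort.substring(0, hostPort.lastIndexOf(':'));
        return service + "/" + host + "@" + realm;
    }

    // Entries whose principal is absent from the keytabs; connecting to one of
    // these ends in an authentication failure rather than a retry.
    static List<String> withoutPrincipal(List<String> entries, String service, String realm) {
        List<String> missing = new ArrayList<>();
        for (String entry : entries) {
            if (!KEYTAB_PRINCIPALS.contains(principalFor(entry, service, realm))) {
                missing.add(entry);
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        List<String> configured = List.of("kafka-alias.example.com:9093");
        List<String> expanded = expand(configured);
        System.out.println("configured:        " + configured);
        System.out.println("no principal for:  " + withoutPrincipal(configured, "kafka", "EXAMPLE.COM"));
        System.out.println("expanded:          " + expanded);
        System.out.println("no principal for:  " + withoutPrincipal(expanded, "kafka", "EXAMPLE.COM"));
    }
}
```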


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2017-12-07 Thread Skrzypek, Jonathan
Yes, it would address it I think.

Jonathan Skrzypek 
Middleware Engineering
Messaging Engineering
Goldman Sachs International
Christchurch Court - 10-15 Newgate Street
London EC1A 7HD 
Tel: +442070512977


-Original Message-
From: Stephane Maarek [mailto:steph...@simplemachines.com.au] 
Sent: 06 December 2017 10:43
To: dev@kafka.apache.org
Subject: RE: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan

I think this will be very useful. I reported something similar here :
https://issues.apache.org/jira/browse/KAFKA-4781

Please confirm your kip will address it ?

Stéphane

On 6 Dec. 2017 8:20 pm, "Skrzypek, Jonathan" <jonathan.skrzy...@gs.com>
wrote:

> True, amended the KIP, thanks.
>
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
>
>
> -Original Message-
> From: Tom Bentley [mailto:t.j.bent...@gmail.com]
> Sent: 05 December 2017 18:19
> To: dev@kafka.apache.org
> Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections
>
> Hi Jonathan,
>
> It might be worth mentioning in the KIP that this is necessary only 
> for
> *Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it 
> makes sense, but I was confused up until that point.
>
> Cheers,
>
> Tom
>
> On 5 December 2017 at 17:53, Skrzypek, Jonathan 
> <jonathan.skrzy...@gs.com>
> wrote:
>
> > Hi,
> >
> > I would like to discuss a KIP I've submitted :
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > Feedback and suggestions welcome !
> >
> > Regards,
> > Jonathan Skrzypek
> > Middleware Engineering
> > Messaging Engineering
> > Goldman Sachs International
> > Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> > Tel: +442070512977
> >
> >
>


RE: [DISCUSS]KIP-235 DNS alias and secured connections

2017-12-06 Thread Skrzypek, Jonathan
True, amended the KIP, thanks.

Jonathan Skrzypek 
Middleware Engineering
Messaging Engineering
Goldman Sachs International


-Original Message-
From: Tom Bentley [mailto:t.j.bent...@gmail.com] 
Sent: 05 December 2017 18:19
To: dev@kafka.apache.org
Subject: Re: [DISCUSS]KIP-235 DNS alias and secured connections

Hi Jonathan,

It might be worth mentioning in the KIP that this is necessary only for
*Kerberos* on SASL, and not other SASL mechanisms. Reading the JIRA it makes 
sense, but I was confused up until that point.

Cheers,

Tom

On 5 December 2017 at 17:53, Skrzypek, Jonathan <jonathan.skrzy...@gs.com>
wrote:

> Hi,
>
> I would like to discuss a KIP I've submitted :
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
> Feedback and suggestions welcome !
>
> Regards,
> Jonathan Skrzypek
> Middleware Engineering
> Messaging Engineering
> Goldman Sachs International
> Christchurch Court - 10-15 Newgate Street London EC1A 7HD
> Tel: +442070512977
>
>


[DISCUSS]KIP-235 DNS alias and secured connections

2017-12-05 Thread Skrzypek, Jonathan
Hi,

I would like to discuss a KIP I've submitted :
https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

Feedback and suggestions welcome !

Regards,
Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International
Christchurch Court - 10-15 Newgate Street
London EC1A 7HD
Tel: +442070512977



Wiki permissions

2017-11-24 Thread Skrzypek, Jonathan
Hi,

Could I get the permissions to create pages on the Kafka confluence ?
I would like to submit a KIP.
My wiki id is Jonathan Skrzypek

Regards,

Jonathan Skrzypek
Middleware Engineering
Messaging Engineering
Goldman Sachs International
Christchurch Court - 10-15 Newgate Street
London EC1A 7HD
Tel: +442070512977