RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-08-28 Thread Skrzypek, Jonathan
Hi,

Could someone take a look at https://github.com/apache/kafka/pull/4485 and 
merge if ok ?

Jonathan Skrzypek


-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 27 June 2018 17:52
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi,

I've modified the PR last week following comments on unit tests, could it be 
reviewed ?

https://github.com/apache/kafka/pull/4485

Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>



Your Personal Data: We may collect and process information about you that may 
be subject to data protection laws. For more information about how we use and 
disclose your personal data, how we protect your information, our legal basis 
to use your information, your rights and who you can contact, please refer to: 
www.gs.com/privacy-notices<http://www.gs.com/privacy-notices>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-06-27 Thread Skrzypek, Jonathan
Hi,

I've modified the PR last week following comments on unit tests, could it be 
reviewed ?

https://github.com/apache/kafka/pull/4485

Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>





RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-06-01 Thread Skrzypek, Jonathan
Hi,

I have updated the PR to leverage an enum to drive client dns lookup behaviour.

There are only 2 options for now, but this could be extended to support other 
behaviours (see attached from KIP-302 thread).
2 current options :

resolve.canonical.bootstrap.servers.only : perform canonical name resolution on 
items of bootstrap.servers
disabled : current default behaviour, no lookup - this is the default value

As usual naming things is hard so happy to take suggestions.

https://github.com/apache/kafka/pull/4485


Jonathan Skrzypek

-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 23 May 2018 01:29
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=uPuVydDxaxC8XfuCt8ZC6C93Gx50DlpAJaTqvC80Z_0=KJTm2ESwlBAOOKVyS_Cbt_9WdGyazwlxdWFCvkEvtd4=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>



--- Begin Message ---
Hi,

As Rajini suggested in the thread for KIP 235 (attached), we could try to have 
an enum that would drive what the client expands/resolves.

I suggest a client config called client.dns.lookup with different values 
possible :

- no : no dns lookup
- hostnames.only : perform dns lookup on both bootstrap.servers and advertised 
listeners
- canonical.hostnames.only : perform dns lookup on both bootstrap.servers and 
advertised listeners
- bootstrap.hostnames.only : perform dns lookup on bootstrap.servers list and 
expand it
- bootstrap.canonical.hostnames.only : perform dns lookup on bootstrap.servers 
list and expand it
- advertised.listeners.hostnames.only : perform dns lookup on advertised 
listeners
- advertised.listeners.canonical.hostnames.only : perform dns lookup on 
advertised listeners

I realize this is a bit heavy but this gives users the ability to pick and 
choose.
I didn't include a setting to mix hostnames and canonical hostnames as I'm not 
sure there would be a valid use case.

Alternatively, to have less possible values, we could have 2 parameters :

- dns.lookup.type with values : hostname / canonical.host.name
- dns.lookup.behaviour : bootstrap.servers, advertised.listeners, both

Thoughts ?

Jonathan Skrzypek


-Original Message-
From: Edoardo Comar [mailto:edoco...@gmail.com]
Sent: 17 May 2018 23:50
To: dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-302 - Enable Kafka clients to use all DNS resolved 
IP addresses

Hi Jonathan,

> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expansion + advertised lookup)
> and an additional parameter that defines how the resolution is performed, 
> using getCanonicalHostName() or not.

thanks sounds to me *less* simple than independent config options, sorry.

I would like to say once again that by itself  KIP-302 only speeds up
the client behavior that can happen anyway when the client restarts
multiple times,
as every time there is no guarantee that - in presence of multiple A
DNS records - the same IP is returned. Attempting to use additional IPs
if the first fail just makes client recovery faster.

cheers
Edo

On 17 May 2018 at 12:12, Skrzypek, Jonathan  wrote:
> Yes, makes sense.
> You mentioned multiple times you see no overlap and no issue with your KIP, 
> and that they solve different use cases.
>
> Appreciate you have an existing use case that would work, but we need to make 
> sure this isn't confusing to users and that any combination will always work, 
> across security protocols.
>
> A solution might be to expose to users the choice of using hostname or 
> canonical host name on both sides.
> Say having one setting that collapses functionalities from both KIPs 
> (bootstrap expan

Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-22 Thread Ismael Juma
Thanks for the KIP. I think this is a good and low risk change. It would be
good to ensure that it works well with KIP-302 if we think that makes sense
too. In any case, +1 (binding).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


Re: FW: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-22 Thread Rajini Sivaram
Hi Jonathan,

I think it would make sense to convert the config in this KIP into an enum
so that we can add more variations later on. But since KIP-302 is still
under discussion, it is not clear what the config name should be. Since
today is the KIP deadline and the implementation itself is straightforward,
it would make sense to progress with this one for 2.0.0 if we can get one
more binding vote.

Ismael, do you have time to take a look at KIP-235 today?

Thanks,

Rajini


On Tue, May 22, 2018 at 3:45 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hello Rajini,
>
> What do you think should be the next step here ?
>
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Skrzypek, Jonathan [Tech]
> Sent: 21 May 2018 10:51
> To: 'dev'
> Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi,
>
> What would be the next step here ?
> I know there's a discussion going on around KIP-302, but I'm also
> conscious that the 2.0.0 deadline for KIPs is tomorrow.
> I've opened this KIP in January and discussions have been productive with
> an end solution I had the impression was reasonable, so I am keen to see it
> make it into the next release.
>
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Skrzypek, Jonathan [Tech]
> Sent: 14 May 2018 13:48
> To: dev
> Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Sure, I modified the KIP to add more details
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
>
> Jonathan Skrzypek
>
>
> -----Original Message-----
> From: Ismael Juma [mailto:ism...@juma.me.uk]
> Sent: 14 May 2018 11:53
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Thanks for the KIP, Jonathan. It would be helpful to have more detail on
> how SSL authentication could be broken if the new behaviour is the default.
> I know this was discussed in the mailing list thread, but it's important to
> include it in the KIP since it's the main reason why a new config is needed
> (and configs should be avoided whenever we can just do the right thing).
>
> Ismael
>
> On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com> wrote:
>
> > Hi,
> >
> > I would like to start a vote for KIP-235
> >
> >
> > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=FM_uCHnnO2dqxWC0bi7_QOJKfKmQI80-Xduvb-URWOw=RpGkijfK-WHcU0s8ZtMXEkIr69QraJhYKaGSC9V_rnI=
> >
> > This is a proposition to add an option for reverse dns lookup of
> > bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> > SASL authentication.
> >
> >
> >
> >
>
> 
>
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-21 Thread Skrzypek, Jonathan
Hi,

What would be the next step here ?
I know there's a discussion going on around KIP-302, but I'm also conscious 
that the 2.0.0 deadline for KIPs is tomorrow.
I've opened this KIP in January and discussions have been productive with an 
end solution I had the impression was reasonable, so I am keen to see it make 
it into the next release.


Jonathan Skrzypek

-Original Message-
From: Skrzypek, Jonathan [Tech]
Sent: 14 May 2018 13:48
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Sure, I modified the KIP to add more details

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection


Jonathan Skrzypek


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk]
Sent: 14 May 2018 11:53
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP, Jonathan. It would be helpful to have more detail on
how SSL authentication could be broken if the new behaviour is the default.
I know this was discussed in the mailing list thread, but it's important to
include it in the KIP since it's the main reason why a new config is needed
(and configs should be avoided whenever we can just do the right thing).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=FM_uCHnnO2dqxWC0bi7_QOJKfKmQI80-Xduvb-URWOw=RpGkijfK-WHcU0s8ZtMXEkIr69QraJhYKaGSC9V_rnI=
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>





RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-14 Thread Skrzypek, Jonathan
Sure, I modified the KIP to add more details 

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection


Jonathan Skrzypek 


-Original Message-
From: Ismael Juma [mailto:ism...@juma.me.uk] 
Sent: 14 May 2018 11:53
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks for the KIP, Jonathan. It would be helpful to have more detail on
how SSL authentication could be broken if the new behaviour is the default.
I know this was discussed in the mailing list thread, but it's important to
include it in the KIP since it's the main reason why a new config is needed
(and configs should be avoided whenever we can just do the right thing).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.apache.org_confluence_display_KAFKA_KIP-2D235-253A-2BAdd-2BDNS-2Balias-2Bsupport-2Bfor-2Bsecured-2Bconnection=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=FM_uCHnnO2dqxWC0bi7_QOJKfKmQI80-Xduvb-URWOw=RpGkijfK-WHcU0s8ZtMXEkIr69QraJhYKaGSC9V_rnI=
>  
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-14 Thread Ismael Juma
Thanks for the KIP, Jonathan. It would be helpful to have more detail on
how SSL authentication could be broken if the new behaviour is the default.
I know this was discussed in the mailing list thread, but it's important to
include it in the KIP since it's the main reason why a new config is needed
(and configs should be avoided whenever we can just do the right thing).

Ismael

On Fri, Mar 23, 2018 at 12:05 PM Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-14 Thread Skrzypek, Jonathan
Up :)
Anyone for a binding vote here ?

Jonathan Skrzypek 

-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 10 May 2018 13:17
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Thanks Jonathan. You have binding votes from me and Gwen. One more binding
vote is required for this KIP to be approved.

On Thu, May 10, 2018 at 1:14 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> Have implemented the changes discussed.
> bootstrap.reverse.dns.lookup is disabled by default.
> When enabled, the client will perform reverse dns lookup regardless of the
> security protocol used.
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_apache_kafka_pull_4485=DwIBaQ=7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_r6eaCbPOM0NM1EHo-E=X8udiS6RLS6dhJElpufCtnaJoeGWVp7TAjcW1o7HYRI=x8aeZlBx-fTv7gYq8qnfX1I3_rQC8-1b4lBUn36b2nU=
>  
>
>
> Jonathan Skrzypek
>
>
> -Original Message-
> From: Skrzypek, Jonathan [Tech]
> Sent: 01 May 2018 17:17
> To: dev
> Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.
>
> Updated the KIP.
>
>
>
> Jonathan Skrzypek
>
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 01 May 2018 11:08
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Jonathan,
>
> Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
> since it can no longer be used in a secure environment where Kerberos is
> used with TLS. Perhaps the best option is to do the lookup if the option is
> explicitly enabled regardless of what the security protocol is. If there is
> a SSL handshake failure with this option enabled, the error message can be
> updated to indicate that it could be because a reverse lookup was used. Can
> you state in the KIP that the default value of
> bootstrap.reverse.dns.lookup will
> be false and hence there is no backwards compatibility issue.
>
> On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com> wrote:
>
> > Thanks for your comments.
> > Have updated the KIP.
> >
> > I agree SSL and SASL_SSL will face similar issues and should behave the
> > same.
> > Thinking about this further,  I'm wondering whether setting
> > bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> > should throw a critical error and stop, or at least log a warning stating
> > that the lookup won't be performed.
> > This sounds better than silently ignoring and leaving users with the
> > impression they can use SSL and bootstrap server aliases.
> > Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> > warning.
> >
> > Thoughts ?
> >
> > I'm not sure about checking whether the list has IP addresses.
> > There could be cases where the list has a mix of FQDNs and IPs, so I would
> > rather perform the lookup regardless of the case when the parameter is
> > enabled.
> >
> > On the security aspects, I am by no means a security or SASL expert so
> > commented the KIP with what I believe to be the case.
> >
> > Jonathan Skrzypek
> >
> > -Original Message-
> > From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> > Sent: 29 April 2018 15:38
> > To: dev
> > Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
> >
> > Hi Jonathan,
> >
> > Thanks for the KIP.
> >
> > +1 (binding) with a couple comments below to add more detail to the KIP.
> >
> >    1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
> >    should or shouldn't be used. Document security considerations as well as
> >    other system configurations that may have an impact.
> >    2. The PR currently disables the new code path for security protocol
> >    SSL. But this doesn't address SASL_SSL which could also do hostname
> >    verification. Do we even want to do reverse lookup if bootstrap list
> >    contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
> >    same way (which basically means handling all protocols in the same way).
> >
> > On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> > steph...@simplemachines.com.au> wrote:
> >
> > > +1 as a user
> > > BUT
> > >
> > > I am no security expert. I have experienced that issue while setting up a
> > > cluster and whil

Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-10 Thread Rajini Sivaram
Thanks Jonathan. You have binding votes from me and Gwen. One more binding
vote is required for this KIP to be approved.

On Thu, May 10, 2018 at 1:14 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> Have implemented the changes discussed.
> bootstrap.reverse.dns.lookup is disabled by default.
> When enabled, the client will perform reverse dns lookup regardless of the
> security protocol used.
>
> https://github.com/apache/kafka/pull/4485
>
>
> Jonathan Skrzypek
>
>
> -Original Message-
> From: Skrzypek, Jonathan [Tech]
> Sent: 01 May 2018 17:17
> To: dev
> Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.
>
> Updated the KIP.
>
>
>
> Jonathan Skrzypek
>
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 01 May 2018 11:08
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Jonathan,
>
> Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
> since it can no longer be used in a secure environment where Kerberos is
> used with TLS. Perhaps the best option is to do the lookup if the option is
> explicitly enabled regardless of what the security protocol is. If there is
> a SSL handshake failure with this option enabled, the error message can be
> updated to indicate that it could be because a reverse lookup was used. Can
> you state in the KIP that the default value of
> bootstrap.reverse.dns.lookup will
> be false and hence there is no backwards compatibility issue.
>
> On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com> wrote:
>
> > Thanks for your comments.
> > Have updated the KIP.
> >
> > I agree SSL and SASL_SSL will face similar issues and should behave the
> > same.
> > Thinking about this further,  I'm wondering whether setting
> > bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> > should throw a critical error and stop, or at least log a warning stating
> > that the lookup won't be performed.
> > This sounds better than silently ignoring and leaving users with the
> > impression they can use SSL and bootstrap server aliases.
> > Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> > warning.
> >
> > Thoughts ?
> >
> > I'm not sure about checking whether the list has IP addresses.
> > There could be cases where the list has a mix of FQDNs and IPs, so I would
> > rather perform the lookup regardless of the case when the parameter is
> > enabled.
> >
> > On the security aspects, I am by no means a security or SASL expert so
> > commented the KIP with what I believe to be the case.
> >
> > Jonathan Skrzypek
> >
> > -Original Message-
> > From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> > Sent: 29 April 2018 15:38
> > To: dev
> > Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
> >
> > Hi Jonathan,
> >
> > Thanks for the KIP.
> >
> > +1 (binding) with a couple comments below to add more detail to the KIP.
> >
> >    1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
> >    should or shouldn't be used. Document security considerations as well as
> >    other system configurations that may have an impact.
> >    2. The PR currently disables the new code path for security protocol
> >    SSL. But this doesn't address SASL_SSL which could also do hostname
> >    verification. Do we even want to do reverse lookup if bootstrap list
> >    contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
> >    same way (which basically means handling all protocols in the same way).
> >
> >
> > On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> > steph...@simplemachines.com.au> wrote:
> >
> > > +1 as a user
> > > BUT
> > >
> > > I am no security expert. I have experienced that issue while setting up a
> > > cluster and while I would have liked a feature like that (I opened a JIRA
> > > at the time), I always guessed that the reason was because of some security
> > > protection.
> > >
> > > Now from a setup point of view this helps a ton, but I really want to make
> > > sure this doesn't introduce any security risk by relaxing a constraint.
> > >
> > > Is there a security assessment possible by someone accredited 

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-10 Thread Skrzypek, Jonathan
Hi,

Have implemented the changes discussed.
bootstrap.reverse.dns.lookup is disabled by default.
When enabled, the client will perform reverse dns lookup regardless of the 
security protocol used.

https://github.com/apache/kafka/pull/4485


Jonathan Skrzypek 


-Original Message-
From: Skrzypek, Jonathan [Tech] 
Sent: 01 May 2018 17:17
To: dev
Subject: RE: [VOTE] KIP-235 Add DNS alias support for secured connection

Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.

Updated the KIP.



Jonathan Skrzypek 


-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 01 May 2018 11:08
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Jonathan,

Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
since it can no longer be used in a secure environment where Kerberos is
used with TLS. Perhaps the best option is to do the lookup if the option is
explicitly enabled regardless of what the security protocol is. If there is
a SSL handshake failure with this option enabled, the error message can be
updated to indicate that it could be because a reverse lookup was used. Can
you state in the KIP that the default value of
bootstrap.reverse.dns.lookup will
be false and hence there is no backwards compatibility issue.

On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Thanks for your comments.
> Have updated the KIP.
>
> I agree SSL and SASL_SSL will face similar issues and should behave the
> same.
> Thinking about this further,  I'm wondering whether setting
> bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> should throw a critical error and stop, or at least log a warning stating
> that the lookup won't be performed.
> This sounds better than silently ignoring and leaving users with the
> impression they can use SSL and bootstrap server aliases.
> Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> warning.
>
> Thoughts ?
>
> I'm not sure about checking whether the list has IP addresses.
> There could be cases where the list has a mix of FQDNs and IPs, so I would
> rather perform the lookup regardless of the case when the parameter is
> enabled.
>
> On the security aspects, I am by no means a security or SASL expert so
> commented the KIP with what I believe to be the case.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 29 April 2018 15:38
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi Jonathan,
>
> Thanks for the KIP.
>
> +1 (binding) with a couple comments below to add more detail to the KIP.
>
>    1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
>    should or shouldn't be used. Document security considerations as well as
>    other system configurations that may have an impact.
>    2. The PR currently disables the new code path for security protocol
>    SSL. But this doesn't address SASL_SSL which could also do hostname
>    verification. Do we even want to do reverse lookup if bootstrap list
>    contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
>    same way (which basically means handling all protocols in the same way).
>
>
> On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
> > +1 as a user
> > BUT
> >
> > I am no security expert. I have experienced that issue while setting up a
> > cluster and while I would have liked a feature like that (I opened a JIRA
> > at the time), I always guessed that the reason was because of some security
> > protection.
> >
> > Now from a setup point of view this helps a ton, but I really want to make
> > sure this doesn't introduce any security risk by relaxing a constraint.
> >
> > Is there a security assessment possible by someone accredited ?
> >
> > Sorry for raising these questions just want to make sure it's addressed
> >
> > On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
> >
> > > +1 (binding)
> > >
> > > This KIP is quite vital to running secured clusters in cloud/container
> > > environment. Would love to see more support from the community to this (or
> > > feedback...)
> > >
> > > Gwen
> > >
> > > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > > jonathan.skrzy...@gs.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Could anyone take a look ?
> > > > Does the proposal sound reasonable
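
Added example (not part of the thread, the KIP or PR 4485): a small Java model of the trade-off discussed above, where resolving a bootstrap.servers alias to canonical names lets it work with Kerberos but can break TLS hostname verification when the certificate names only the alias. All host names, addresses, the realm and the SAN sets are constructed, DNS is an in-memory table, SASL is assumed to be GSSAPI with service name kafka, and SAN matching is simplified to exact comparison.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Added illustration, not Kafka code. Host names, addresses, realm and
// certificate SANs are constructed; DNS is a fixed in-memory table.
public class BootstrapLookupDemo {

    static final String ALIAS = "kafka.example.test";   // value placed in bootstrap.servers
    static final String REALM = "EXAMPLE.TEST";

    // Forward records: the alias points at both brokers.
    static final Map<String, List<String>> A_RECORDS = Map.of(
            ALIAS, List.of("192.0.2.11", "192.0.2.12"));

    // Reverse (PTR) records: the canonical name of each broker address.
    static final Map<String, String> PTR_RECORDS = Map.of(
            "192.0.2.11", "broker1.example.test",
            "192.0.2.12", "broker2.example.test");

    // Service principals known to the KDC: one per broker FQDN, none for the alias.
    static final Set<String> KDC_PRINCIPALS = Set.of(
            "kafka/broker1.example.test@" + REALM,
            "kafka/broker2.example.test@" + REALM);

    /** Names the client connects with for one bootstrap.servers host. */
    static List<String> bootstrapNames(String host, boolean reverseLookup) {
        if (!reverseLookup) {
            return List.of(host);                        // default: name used as typed
        }
        List<String> names = new ArrayList<>();
        for (String ip : A_RECORDS.getOrDefault(host, List.of())) {
            // When no PTR record exists the address literal is kept.
            names.add(PTR_RECORDS.getOrDefault(ip, ip));
        }
        return names;
    }

    /** Kerberos: the ticket is requested for service/host@REALM, host being the connect name. */
    static boolean kerberosOk(String connectName) {
        String spn = "kafka/" + connectName.toLowerCase(Locale.ROOT) + "@" + REALM;
        return KDC_PRINCIPALS.contains(spn);
    }

    /** TLS hostname verification, simplified to an exact SAN match (no wildcards). */
    static boolean tlsOk(String connectName, Set<String> certSans) {
        return certSans.contains(connectName.toLowerCase(Locale.ROOT));
    }

    /** True only if every connect name passes every check the protocol performs. */
    static boolean connects(String protocol, boolean reverseLookup, Set<String> certSans) {
        boolean sasl = protocol.startsWith("SASL_");
        boolean tls = protocol.endsWith("SSL");
        List<String> names = bootstrapNames(ALIAS, reverseLookup);
        if (names.isEmpty()) {
            return false;                                // alias did not resolve
        }
        for (String name : names) {
            if (sasl && !kerberosOk(name)) return false;
            if (tls && !tlsOk(name, certSans)) return false;
        }
        return true;
    }

    static String verdict(boolean ok) {
        return ok ? "ok" : "FAIL";
    }

    public static void main(String[] args) {
        // SAN sets model the union of names across the brokers' certificates.
        Map<String, Set<String>> certs = new LinkedHashMap<>();
        certs.put("alias only", Set.of(ALIAS));
        certs.put("broker FQDNs", Set.of("broker1.example.test", "broker2.example.test"));
        certs.put("alias + FQDNs",
                Set.of(ALIAS, "broker1.example.test", "broker2.example.test"));

        System.out.printf("%-15s %-14s %-11s %s%n",
                "protocol", "cert SANs", "lookup off", "lookup on");
        // The certificate column is ignored for SASL_PLAINTEXT (no TLS check).
        for (String protocol : List.of("SASL_PLAINTEXT", "SSL", "SASL_SSL")) {
            for (Map.Entry<String, Set<String>> cert : certs.entrySet()) {
                System.out.printf("%-15s %-14s %-11s %s%n", protocol, cert.getKey(),
                        verdict(connects(protocol, false, cert.getValue())),
                        verdict(connects(protocol, true, cert.getValue())));
            }
        }
    }
}
```

Running it prints one row per protocol and certificate layout, which makes it easy to see which deployments need the option and which would be broken if the lookup were on by default.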

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-01 Thread Skrzypek, Jonathan
Oops, yes indeed that makes sense, got confused between SASL_SSL and SSL.

Updated the KIP.



Jonathan Skrzypek 


-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 01 May 2018 11:08
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Jonathan,

Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
since it can no longer be used in a secure environment where Kerberos is
used with TLS. Perhaps the best option is to do the lookup if the option is
explicitly enabled regardless of what the security protocol is. If there is
a SSL handshake failure with this option enabled, the error message can be
updated to indicate that it could be because a reverse lookup was used. Can
you state in the KIP that the default value of
bootstrap.reverse.dns.lookup will
be false and hence there is no backwards compatibility issue.

On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Thanks for your comments.
> Have updated the KIP.
>
> I agree SSL and SASL_SSL will face similar issues and should behave the
> same.
> Thinking about this further, I'm wondering whether setting
> bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> should throw a critical error and stop, or at least log a warning stating
> that the lookup won't be performed.
> This sounds better than silently ignoring and leaving users with the
> impression they can use SSL and bootstrap server aliases.
> Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> warning.
>
> Thoughts ?
>
> I'm not sure about checking whether the list has IP addresses.
> There could be cases where the list has a mix of FQDNs and IPs, so I would
> rather perform the lookup regardless of the case when the parameter is
> enabled.
>
> On the security aspects, I am by no means a security or SASL expert so
> commented the KIP with what I believe to be the case.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 29 April 2018 15:38
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi Jonathan,
>
> Thanks for the KIP.
>
> +1 (binding) with a couple comments below to add more detail to the KIP.
>
>    1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
>    should or shouldn't be used. Document security considerations as well as
>    other system configurations that may have an impact.
>    2. The PR currently disables the new code path for security protocol
>    SSL. But this doesn't address SASL_SSL which could also do hostname
>    verification. Do we even want to do reverse lookup if bootstrap list
>    contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
>    same way (which basically means handling all protocols in the same way).
>
>
> On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
> > +1 as a user
> > BUT
> >
> > I am no security expert. I have experienced that issue while setting up a
> > cluster and while I would have liked a feature like that (I opened a JIRA
> > at the time), I always guessed that the reason was because of some
> security
> > protection.
> >
> > Now from a setup point of view this helps a ton, but I really want to
> make
> > sure this doesn't introduce any security risk by relaxing a constraint.
> >
> > Is there a security assessment possible by someone accredited ?
> >
> > Sorry for raising these questions just want to make sure it's addressed
> >
> > On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
> >
> > > +1 (binding)
> > >
> > > This KIP is quite vital to running secured clusters in cloud/container
> > > environment. Would love to see more support from the community to this
> > (or
> > > feedback...)
> > >
> > > Gwen
> > >
> > > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > > jonathan.skrzy...@gs.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Could anyone take a look ?
> > > > Does the proposal sound reasonable ?
> > > >
> > > > Jonathan Skrzypek
> > > >
> > > >
> > > > From: Skrzypek, Jonathan [Tech]
> > > > Sent: 23 March 2018 19:05
> > > > To: dev@kafka.apache.org
> > > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > > >
> > > > Hi,
> > > >
> > > > I would like

Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-05-01 Thread Rajini Sivaram
Jonathan,

Not doing the reverse lookup for SASL_SSL limits the usability of this KIP
since it can no longer be used in a secure environment where Kerberos is
used with TLS. Perhaps the best option is to do the lookup if the option is
explicitly enabled regardless of what the security protocol is. If there is
a SSL handshake failure with this option enabled, the error message can be
updated to indicate that it could be because a reverse lookup was used. Can
you state in the KIP that the default value of
bootstrap.reverse.dns.lookup will
be false and hence there is no backwards compatibility issue.

On Mon, Apr 30, 2018 at 1:41 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Thanks for your comments.
> Have updated the KIP.
>
> I agree SSL and SASL_SSL will face similar issues and should behave the
> same.
> Thinking about this further, I'm wondering whether setting
> bootstrap.reverse.dns.lookup to true whilst using any of those protocols
> should throw a critical error and stop, or at least log a warning stating
> that the lookup won't be performed.
> This sounds better than silently ignoring and leaving users with the
> impression they can use SSL and bootstrap server aliases.
> Abruptly stopping the client sounds a bit extreme so I'm leaning towards a
> warning.
>
> Thoughts ?
>
> I'm not sure about checking whether the list has IP addresses.
> There could be cases where the list has a mix of FQDNs and IPs, so I would
> rather perform the lookup regardless of the case when the parameter is
> enabled.
>
> On the security aspects, I am by no means a security or SASL expert so
> commented the KIP with what I believe to be the case.
>
> Jonathan Skrzypek
>
> -Original Message-
> From: Rajini Sivaram [mailto:rajinisiva...@gmail.com]
> Sent: 29 April 2018 15:38
> To: dev
> Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi Jonathan,
>
> Thanks for the KIP.
>
> +1 (binding) with a couple comments below to add more detail to the KIP.
>
>    1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
>    should or shouldn't be used. Document security considerations as well as
>    other system configurations that may have an impact.
>    2. The PR currently disables the new code path for security protocol
>    SSL. But this doesn't address SASL_SSL which could also do hostname
>    verification. Do we even want to do reverse lookup if bootstrap list
>    contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
>    same way (which basically means handling all protocols in the same way).
>
>
> On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
> steph...@simplemachines.com.au> wrote:
>
> > +1 as a user
> > BUT
> >
> > I am no security expert. I have experienced that issue while setting up a
> > cluster and while I would have liked a feature like that (I opened a JIRA
> > at the time), I always guessed that the reason was because of some
> security
> > protection.
> >
> > Now from a setup point of view this helps a ton, but I really want to
> make
> > sure this doesn't introduce any security risk by relaxing a constraint.
> >
> > Is there a security assessment possible by someone accredited ?
> >
> > Sorry for raising these questions just want to make sure it's addressed
> >
> > On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
> >
> > > +1 (binding)
> > >
> > > This KIP is quite vital to running secured clusters in cloud/container
> > > environment. Would love to see more support from the community to this
> > (or
> > > feedback...)
> > >
> > > Gwen
> > >
> > > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > > jonathan.skrzy...@gs.com> wrote:
> > >
> > > > Hi,
> > > >
> > > > Could anyone take a look ?
> > > > Does the proposal sound reasonable ?
> > > >
> > > > Jonathan Skrzypek
> > > >
> > > >
> > > > From: Skrzypek, Jonathan [Tech]
> > > > Sent: 23 March 2018 19:05
> > > > To: dev@kafka.apache.org
> > > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > > >
> > > > Hi,
> > > >
> > > > I would like to start a vote for KIP-235
> > > >
> > > > https://urldefense.proofpoint.com/v2/url?u=https-3A__cwiki.
> apache.org_confluence_display_KAFKA_KIP-2D=DwIBaQ=
> 7563p3e2zaQw0AB1wrFVgyagb2IE5rTZOYPxLxfZlX4=nNmJlu1rR_QFAPdxGlafmDu9_
> r6eaCbPOM0NM1EHo-E=2JuW6J_xPCRzueIj

RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-30 Thread Skrzypek, Jonathan
Thanks for your comments.
Have updated the KIP.

I agree SSL and SASL_SSL will face similar issues and should behave the same.
Thinking about this further, I'm wondering whether setting
bootstrap.reverse.dns.lookup to true whilst using any of those protocols should
throw a critical error and stop, or at least log a warning stating that the
lookup won't be performed.
This sounds better than silently ignoring and leaving users with the impression
they can use SSL and bootstrap server aliases.
Abruptly stopping the client sounds a bit extreme so I'm leaning towards a 
warning.

Thoughts ?

I'm not sure about checking whether the list has IP addresses.
There could be cases where the list has a mix of FQDNs and IPs, so I would 
rather perform the lookup regardless of the case when the parameter is enabled.

On the security aspects, I am by no means a security or SASL expert so 
commented the KIP with what I believe to be the case.

Jonathan Skrzypek 

-Original Message-
From: Rajini Sivaram [mailto:rajinisiva...@gmail.com] 
Sent: 29 April 2018 15:38
To: dev
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi Jonathan,

Thanks for the KIP.

+1 (binding) with a couple comments below to add more detail to the KIP.

   1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
   should or shouldn't be used. Document security considerations as well as
   other system configurations that may have an impact.
   2. The PR currently disables the new code path for security protocol
   SSL. But this doesn't address SASL_SSL which could also do hostname
   verification. Do we even want to do reverse lookup if bootstrap list
   contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
   same way (which basically means handling all protocols in the same way).


On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
steph...@simplemachines.com.au> wrote:

> +1 as a user
> BUT
>
> I am no security expert. I have experienced that issue while setting up a
> cluster and while I would have liked a feature like that (I opened a JIRA
> at the time), I always guessed that the reason was because of some security
> protection.
>
> Now from a setup point of view this helps a ton, but I really want to make
> sure this doesn't introduce any security risk by relaxing a constraint.
>
> Is there a security assessment possible by someone accredited ?
>
> Sorry for raising these questions just want to make sure it's addressed
>
> On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
>
> > +1 (binding)
> >
> > This KIP is quite vital to running secured clusters in cloud/container
> > environment. Would love to see more support from the community to this
> (or
> > feedback...)
> >
> > Gwen
> >
> > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > jonathan.skrzy...@gs.com> wrote:
> >
> > > Hi,
> > >
> > > Could anyone take a look ?
> > > Does the proposal sound reasonable ?
> > >
> > > Jonathan Skrzypek
> > >
> > >
> > > From: Skrzypek, Jonathan [Tech]
> > > Sent: 23 March 2018 19:05
> > > To: dev@kafka.apache.org
> > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > >
> > > Hi,
> > >
> > > I would like to start a vote for KIP-235
> > >
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> > > 235%3A+Add+DNS+alias+support+for+secured+connection
> > >
> > > This is a proposition to add an option for reverse dns lookup of
> > > bootstrap.servers hosts, allowing the use of dns aliases on clusters
> > using
> > > SASL authentication.
> > >
> > >
> > >
> > >
> >
> >
> > --
> > *Gwen Shapira*
> > Product Manager | Confluent
> > 650.450.2760 | @gwenshap
> > Follow us: Twitter <https://twitter.com/ConfluentInc> | blog
> > <http://www.confluent.io/blog>
> >
>


Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-29 Thread Rajini Sivaram
Hi Jonathan,

Thanks for the KIP.

+1 (binding) with a couple comments below to add more detail to the KIP.

   1. Make it clearer when the new option `bootstrap.reverse.dns.lookup`
   should or shouldn't be used. Document security considerations as well as
   other system configurations that may have an impact.
   2. The PR currently disables the new code path for security protocol
   SSL. But this doesn't address SASL_SSL which could also do hostname
   verification. Do we even want to do reverse lookup if bootstrap list
   contains IP addresses? If we do, we should handle SSL and SASL_SSL in the
   same way (which basically means handling all protocols in the same way).


On Thu, Apr 26, 2018 at 2:16 PM, Stephane Maarek <
steph...@simplemachines.com.au> wrote:

> +1 as a user
> BUT
>
> I am no security expert. I have experienced that issue while setting up a
> cluster and while I would have liked a feature like that (I opened a JIRA
> at the time), I always guessed that the reason was because of some security
> protection.
>
> Now from a setup point of view this helps a ton, but I really want to make
> sure this doesn't introduce any security risk by relaxing a constraint.
>
> Is there a security assessment possible by someone accredited ?
>
> Sorry for raising these questions just want to make sure it's addressed
>
> On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:
>
> > +1 (binding)
> >
> > This KIP is quite vital to running secured clusters in cloud/container
> > environment. Would love to see more support from the community to this
> (or
> > feedback...)
> >
> > Gwen
> >
> > On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> > jonathan.skrzy...@gs.com> wrote:
> >
> > > Hi,
> > >
> > > Could anyone take a look ?
> > > Does the proposal sound reasonable ?
> > >
> > > Jonathan Skrzypek
> > >
> > >
> > > From: Skrzypek, Jonathan [Tech]
> > > Sent: 23 March 2018 19:05
> > > To: dev@kafka.apache.org
> > > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> > >
> > > Hi,
> > >
> > > I would like to start a vote for KIP-235
> > >
> > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> > > 235%3A+Add+DNS+alias+support+for+secured+connection
> > >
> > > This is a proposition to add an option for reverse dns lookup of
> > > bootstrap.servers hosts, allowing the use of dns aliases on clusters
> > using
> > > SASL authentication.
> > >
> > >
> > >
> > >
> >
> >
> > --
> > *Gwen Shapira*
> > Product Manager | Confluent
> > 650.450.2760 | @gwenshap
> > Follow us: Twitter <https://twitter.com/ConfluentInc> | blog
> > <http://www.confluent.io/blog>
> >
>
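
The name-binding question raised in the two review messages above (Kerberos service principals and TLS hostname verification both depend on the host name the client uses), as an added example that is not part of the thread or of the Kafka code base. It is a simplified Python model; the DNS records, certificates, principals, helper functions and the `kafka` service name are constructed assumptions.

```python
import ipaddress

# Constructed DNS data for the example (not real hosts).
FORWARD = {  # A records
    "kafka.example.test": ["10.0.0.1", "10.0.0.2"],  # DNS alias for the cluster
    "broker1.example.test": ["10.0.0.1"],
    "broker2.example.test": ["10.0.0.2"],
}
REVERSE = {  # PTR records; 10.0.0.2 deliberately maps to a name with no cert or SPN
    "10.0.0.1": "broker1.example.test",
    "10.0.0.2": "node-2.internal.test",
}
# What each broker can prove: certificate SANs, and the principals known to the KDC.
CERT_SANS = {"10.0.0.1": {"broker1.example.test"}, "10.0.0.2": {"broker2.example.test"}}
KDC_PRINCIPALS = {"kafka/broker1.example.test", "kafka/broker2.example.test"}


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def expand_bootstrap(host, reverse_lookup):
    """Return (ip, name_used_for_auth) pairs for one bootstrap.servers host."""
    ips = [host] if is_ip(host) else FORWARD.get(host, [])
    if not reverse_lookup:
        return [(ip, host) for ip in ips]
    # Option enabled: look up every address, FQDN or IP literal alike,
    # falling back to the IP text when there is no PTR record.
    return [(ip, REVERSE.get(ip, ip)) for ip in ips]


def check_endpoint(ip, name, reverse_lookup, protocol):
    """Model the two name-bound checks: Kerberos SPN and TLS hostname verification."""
    result = {"ip": ip, "name": name, "errors": []}
    if protocol in ("SASL_PLAINTEXT", "SASL_SSL"):
        spn = f"kafka/{name}"  # assumed service name "kafka"
        if spn not in KDC_PRINCIPALS:
            result["errors"].append(f"no Kerberos principal {spn}")
    if protocol in ("SSL", "SASL_SSL"):
        if name.lower() not in CERT_SANS.get(ip, set()):
            msg = f"TLS hostname verification failed for {name}"
            if reverse_lookup:  # the hint suggested in the thread
                msg += " (name came from a reverse DNS lookup)"
            result["errors"].append(msg)
    return result


def bootstrap_report(host, reverse_lookup=False, protocol="SASL_SSL"):
    """reverse_lookup defaults to False, matching the default asked for in the thread."""
    return [check_endpoint(ip, name, reverse_lookup, protocol)
            for ip, name in expand_bootstrap(host, reverse_lookup)]


if __name__ == "__main__":
    for flag in (False, True):
        for row in bootstrap_report("kafka.example.test", reverse_lookup=flag):
            print(flag, row)
```

In this model the alias fails both checks with the option off, and with it on a broker passes only when its PTR record agrees with its certificate and principal, so PTR hygiene becomes part of the deployment checklist.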


Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-26 Thread Stephane Maarek
+1 as a user
BUT

I am no security expert. I have experienced that issue while setting up a
cluster and while I would have liked a feature like that (I opened a JIRA
at the time), I always guessed that the reason was because of some security
protection.

Now from a setup point of view this helps a ton, but I really want to make
sure this doesn't introduce any security risk by relaxing a constraint.

Is there a security assessment possible by someone accredited ?

Sorry for raising these questions just want to make sure it's addressed

On Thu., 26 Apr. 2018, 5:32 pm Gwen Shapira, <g...@confluent.io> wrote:

> +1 (binding)
>
> This KIP is quite vital to running secured clusters in cloud/container
> environment. Would love to see more support from the community to this (or
> feedback...)
>
> Gwen
>
> On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
> jonathan.skrzy...@gs.com> wrote:
>
> > Hi,
> >
> > Could anyone take a look ?
> > Does the proposal sound reasonable ?
> >
> > Jonathan Skrzypek
> >
> >
> > From: Skrzypek, Jonathan [Tech]
> > Sent: 23 March 2018 19:05
> > To: dev@kafka.apache.org
> > Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
> >
> > Hi,
> >
> > I would like to start a vote for KIP-235
> >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> > 235%3A+Add+DNS+alias+support+for+secured+connection
> >
> > This is a proposition to add an option for reverse dns lookup of
> > bootstrap.servers hosts, allowing the use of dns aliases on clusters
> using
> > SASL authentication.
> >
> >
> >
> >
>
>
> --
> *Gwen Shapira*
> Product Manager | Confluent
> 650.450.2760 | @gwenshap
> Follow us: Twitter <https://twitter.com/ConfluentInc> | blog
> <http://www.confluent.io/blog>
>


Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-26 Thread Gwen Shapira
+1 (binding)

This KIP is quite vital to running secured clusters in cloud/container
environment. Would love to see more support from the community to this (or
feedback...)

Gwen

On Mon, Apr 16, 2018 at 4:52 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> Could anyone take a look ?
> Does the proposal sound reasonable ?
>
> Jonathan Skrzypek
>
>
> From: Skrzypek, Jonathan [Tech]
> Sent: 23 March 2018 19:05
> To: dev@kafka.apache.org
> Subject: [VOTE] KIP-235 Add DNS alias support for secured connection
>
> Hi,
>
> I would like to start a vote for KIP-235
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


-- 
*Gwen Shapira*
Product Manager | Confluent
650.450.2760 | @gwenshap
Follow us: Twitter <https://twitter.com/ConfluentInc> | blog
<http://www.confluent.io/blog>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-18 Thread Skrzypek, Jonathan
I have updated the KIP with more details, thanks.


Jonathan Skrzypek 

-Original Message-
From: Ted Yu [mailto:yuzhih...@gmail.com] 
Sent: 16 April 2018 16:02
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-235 Add DNS alias support for secured connection

Looks good to me.

BTW KAFKA-6195 contains more technical details than the KIP. See if you can
enrich the Motivation section with some of the details.

Thanks

On Fri, Mar 23, 2018 at 12:05 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


Re: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-16 Thread Ted Yu
Looks good to me.

BTW KAFKA-6195 contains more technical details than the KIP. See if you can
enrich the Motivation section with some of the details.

Thanks

On Fri, Mar 23, 2018 at 12:05 PM, Skrzypek, Jonathan <
jonathan.skrzy...@gs.com> wrote:

> Hi,
>
> I would like to start a vote for KIP-235
>
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> 235%3A+Add+DNS+alias+support+for+secured+connection
>
> This is a proposition to add an option for reverse dns lookup of
> bootstrap.servers hosts, allowing the use of dns aliases on clusters using
> SASL authentication.
>
>
>
>


RE: [VOTE] KIP-235 Add DNS alias support for secured connection

2018-04-16 Thread Skrzypek, Jonathan
Hi,

Could anyone take a look ?
Does the proposal sound reasonable ?

Jonathan Skrzypek


From: Skrzypek, Jonathan [Tech]
Sent: 23 March 2018 19:05
To: dev@kafka.apache.org
Subject: [VOTE] KIP-235 Add DNS alias support for secured connection

Hi,

I would like to start a vote for KIP-235

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

This is a proposition to add an option for reverse dns lookup of 
bootstrap.servers hosts, allowing the use of dns aliases on clusters using SASL 
authentication.





[VOTE] KIP-235 Add DNS alias support for secured connection

2018-03-23 Thread Skrzypek, Jonathan
Hi,

I would like to start a vote for KIP-235

https://cwiki.apache.org/confluence/display/KAFKA/KIP-235%3A+Add+DNS+alias+support+for+secured+connection

This is a proposition to add an option for reverse dns lookup of 
bootstrap.servers hosts, allowing the use of dns aliases on clusters using SASL 
authentication.