[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-26 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14974372#comment-14974372
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] Pretty much all the services using KDC work like this. Although our 
socket connections are long-living, in reality they don't stay connected 
forever. Removing someone from KDC is possible but that doesn't happen often. 
Even then it would be good practice to remove ACLs of that principal.

> Implement SASL/Kerberos
> ---
>
> Key: KAFKA-1686
> URL: https://issues.apache.org/jira/browse/KAFKA-1686
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Affects Versions: 0.8.2.1
>Reporter: Jay Kreps
>Assignee: Sriharsha Chintalapani
>Priority: Blocker
> Fix For: 0.9.0.0
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair 
> to the client protocol. This request and response will each have only a 
> single byte[] field and will be used to handle the SASL challenge/response 
> cycle. Doing this will initialize the SaslServer instance and associate it 
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap 
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
> SSLEngine will need to also cover the SaslServer instance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
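
The challenge/response cycle and the wrap/unwrap step from the issue description quoted above, as an added example that is not part of the original thread or of Kafka's code. It uses the JDK's `javax.security.sasl` API with DIGEST-MD5 standing in for GSSAPI only because it runs without a KDC; the class name, protocol name, host, user and password are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.AuthorizeCallback;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;

public class SaslTokenExchangeDemo {
    // Constructed sample values (assumptions, not taken from Kafka).
    static final String MECHANISM = "DIGEST-MD5"; // stand-in for GSSAPI: needs no KDC
    static final String PROTOCOL = "kafka";
    static final String SERVER_NAME = "broker.example.test";
    static final String USER = "alice";
    static final char[] PASSWORD = "constructed-password".toCharArray();
    // "auth-int" negotiates an integrity layer, so wrap()/unwrap() do real work.
    static final Map<String, String> PROPS = Collections.singletonMap(Sasl.QOP, "auth-int");

    // Client side: supplies user name, password and accepts the server's realm.
    static final CallbackHandler CLIENT_HANDLER = callbacks -> {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(USER);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(PASSWORD);
            } else if (cb instanceof RealmCallback) {
                RealmCallback rc = (RealmCallback) cb;
                rc.setText(rc.getDefaultText());
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    // Server side: looks up the password for the claimed user and decides
    // whether the authenticated identity may act as the requested identity.
    static final CallbackHandler SERVER_HANDLER = callbacks -> {
        String claimedUser = null;
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                claimedUser = ((NameCallback) cb).getDefaultName();
            }
        }
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback || cb instanceof RealmCallback) {
                continue; // informational on the server side
            } else if (cb instanceof PasswordCallback) {
                if (USER.equals(claimedUser)) {
                    ((PasswordCallback) cb).setPassword(PASSWORD);
                } // unknown user: leave the password unset so authentication fails
            } else if (cb instanceof AuthorizeCallback) {
                AuthorizeCallback ac = (AuthorizeCallback) cb;
                ac.setAuthorized(ac.getAuthenticationID().equals(ac.getAuthorizationID()));
            } else {
                throw new UnsupportedCallbackException(cb);
            }
        }
    };

    // Drives the cycle. Each byte[] is the single opaque field that a
    // request/response pair would carry; the transport never interprets it.
    static int handshake(SaslClient client, SaslServer server) throws SaslException {
        int serverTokens = 0;
        byte[] toServer = client.hasInitialResponse()
                ? client.evaluateChallenge(new byte[0]) : new byte[0];
        while (!server.isComplete()) {
            byte[] toClient = server.evaluateResponse(toServer);
            serverTokens++;
            if (toClient != null && !client.isComplete()) {
                toServer = client.evaluateChallenge(toClient);
            }
        }
        if (!client.isComplete()) {
            throw new SaslException("server finished but client did not");
        }
        return serverTokens;
    }

    public static void main(String[] args) throws SaslException {
        SaslClient client = Sasl.createSaslClient(new String[] {MECHANISM}, null,
                PROTOCOL, SERVER_NAME, PROPS, CLIENT_HANDLER);
        SaslServer server = Sasl.createSaslServer(MECHANISM, PROTOCOL, SERVER_NAME,
                PROPS, SERVER_HANDLER);
        if (client == null || server == null) {
            throw new SaslException(MECHANISM + " is not available in this JRE");
        }
        int tokens = handshake(client, server);
        // From here on the SaslServer only reports the identity it established;
        // the API has no call that re-checks the credential on a live session.
        System.out.println("server tokens: " + tokens
                + ", principal: " + server.getAuthorizationID()
                + ", qop: " + server.getNegotiatedProperty(Sasl.QOP));

        // With an integrity or confidentiality layer, every payload is wrapped
        // by the sender and unwrapped by the receiver.
        byte[] payload = "constructed request bytes".getBytes(StandardCharsets.UTF_8);
        byte[] onWire = client.wrap(payload, 0, payload.length);
        byte[] received = server.unwrap(onWire, 0, onWire.length);
        System.out.println("plain=" + payload.length + " bytes, wrapped=" + onWire.length
                + " bytes, round trip intact=" + Arrays.equals(payload, received));
        client.dispose();
        server.dispose();
    }
}
```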


[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-25 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973551#comment-14973551
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], you mentioned that if the Kerberos tickets can't be renewed, we 
will get a KafkaException when reading/writing through the SASL port. Could you 
explain a bit how this is done? To me, the Kerberos authentication only happens 
once when the socket is established. Once the authentication is done, the 
client communicates to the broker via a plaintext transport (assuming 
SASL_PLAINTEXT) and the SASL part is no longer involved. So, after the initial 
authentication, if the Kerberos tickets can't be renewed, how do we force a 
KafkaException on the SASL port? Do we need to somehow set the saslState in 
SaslClientAuthenticator to FAILED if relogin fails?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-25 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973566#comment-14973566
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] once the connection is established we don't do SASL auth again. It's 
for the new connections, i.e. if the Kerberos ticket is not renewed we won't be 
able to establish a new connection. We don't invalidate the already 
established SASL connection. I don't see a reason to do this. If for any reason 
someone wants to un-authorize a session that's already established they can do 
so via Authorizer and remove the permissions. Can you give me the details of 
the use case you are looking at?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-25 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973752#comment-14973752
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], I was thinking about what happens when a user is removed from KDC or 
the user's lifetime has expired. The solution that you mentioned based on 
Authorizer will work. However, it seems that in those cases, it would be more 
natural if existing connections can just expire. Is this how ZK sasl works (cc 
[~fpj])? 



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14964807#comment-14964807
 ] 

ASF GitHub Bot commented on KAFKA-1686:
---

GitHub user ijuma opened a pull request:

https://github.com/apache/kafka/pull/334

KAFKA-1686; Implement SASL/Kerberos

This PR implements SASL/Kerberos which was originally submitted by 
@harshach as https://github.com/apache/kafka/pull/191.

I've been submitting PRs to Harsha's branch with fixes and improvements and 
he has integrated all, but the most recent one. I'm creating this PR so that 
the Jenkins can run the tests on the branch (they pass locally).

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/ijuma/kafka KAFKA-1686-V1

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/kafka/pull/334.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #334


commit 82737e5bb71f67271d90c059dede74935f8a5e56
Author: Sriharsha Chintalapani 
Date:   2015-08-31T23:07:15Z

KAFKA-1686. Implement SASL/Kerberos.

commit a3417d7f2c558c0082799b117a3c62c706ad519d
Author: Sriharsha Chintalapani 
Date:   2015-09-03T03:31:34Z

KAFKA-1686. Implement SASL/Kerberos.

commit 8f718ce6b03a9c86712dc8f960af2b739b8ed510
Author: Sriharsha Chintalapani 
Date:   2015-09-03T04:10:40Z

KAFKA-1686. Implement SASL/Kerberos.

commit aa928952305a31c5b6e2bac705d350f94c9f7501
Author: Sriharsha Chintalapani 
Date:   2015-09-03T13:48:47Z

Added licesense.

commit f178107b516af414162634fc7253cedd2a6a3bf5
Author: Sriharsha Chintalapani 
Date:   2015-09-03T13:57:57Z

KAFKA-1686. Implement SASL/Kerberos.

commit 71b6fdbc841cffd5279eb2044c4da69acc172626
Author: Sriharsha Chintalapani 
Date:   2015-10-03T23:09:23Z

Merge remote-tracking branch 'refs/remotes/origin/trunk' into KAFKA-1686-V1

commit 9d260c67472296d752f74bc04eefb1e95b6b9746
Author: Sriharsha Chintalapani 
Date:   2015-10-04T18:36:52Z

KAFKA-1686. Fixes after the merge.

commit 5723dd2a392a307cfd6484c1f3f7c32cc8891940
Author: Sriharsha Chintalapani 
Date:   2015-10-09T06:43:51Z

KAFKA-1686. Addressing comments.

commit 8cf30d0b3a0aefa08cb9d86d59f0f16d810d7481
Author: Ismael Juma 
Date:   2015-10-09T07:36:19Z

Merge remote-tracking branch 'apache/trunk' into KAFKA-1686-V1

* apache/trunk:
  KAFKA-2596: reject commits from unknown groups with positive generations
  MINOR: typing ProcessorDef
  KAFKA-2477: Fix a race condition between log append and fetch that causes 
OffsetOutOfRangeException.
  KAFKA-2428: Add sanity check in KafkaConsumer for the timeouts
  Kafka-2587:  Only notification handler will update the cache and all 
verifications will use waitUntilTrue.
  KAFKA-2419; Garbage collect unused sensors
  KAFKA-2534: Fixes and unit tests for SSLTransportLayer buffer overflow
  KAFKA-2476: Add Decimal, Date, and Timestamp logical types.
  KAFKA-2474: Add caching of JSON schema conversions to JsonConverter
  KAFKA-2482: Allow sink tasks to get their current assignment, as well as 
pause and resume topic partitions.
  KAFKA-2573: Mirror maker system test hangs and eventually fails
  KAFKA-2599: Fix Metadata.getClusterForCurrentTopics throws NPE
  TRIVIAL: remove TODO in KafkaConsumer after KAFKA-2120
  HOTFIX: Persistent store in ProcessorStateManagerTest
  KAFKA-2604; Remove `completeAll` and improve timeout passed to 
`Selector.poll` from `NetworkClient.poll`
  KAFKA-2601; ConsoleProducer tool shows stacktrace on invalid command 
parameters

commit 2596c4a668f7095f4cfce36b34504c50f4603631
Author: Ismael Juma 
Date:   2015-10-09T12:21:05Z

Remove unused code, fix formatting and minor javadoc tweaks

commit 2919bc3ae474b3e27ca5cb0c75e4cff0fee9ca93
Author: Ismael Juma 
Date:   2015-10-09T12:23:17Z

Fix bad merge in `TestUtils`

commit 9ed1a2635d97c290e42b723ce8db2bf60c1c6440
Author: Ismael Juma 
Date:   2015-10-09T12:23:46Z

Remove -XX:-MaxFDLimit from `gradle.properties`

commit 2d2fcecb7bda62519d36d4f71a955cf55c8bbd2a
Author: Ismael Juma 
Date:   2015-10-09T12:36:06Z

Support `SSLSASL` in `ChannelBuilders`, reduce duplication in `TestUtils` 
and clean-up `SaslTestHarness`

commit 6a13667232c2946ed92fdebcb467f27d6adf075f
Author: Harsha 
Date:   2015-10-09T14:16:30Z

Merge pull request #1 from ijuma/KAFKA-1686-V1

Merge trunk and a few improvements and fixes

commit 

[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14965776#comment-14965776
 ] 

ASF GitHub Bot commented on KAFKA-1686:
---

Github user asfgit closed the pull request at:

https://github.com/apache/kafka/pull/334




[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14965789#comment-14965789
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], thanks a lot for the patch. I committed the sasl patch using the 
PR (#334) from Ismael. Please take a look and see if you see any issues. We 
have filed KAFKA-2675 to address any followup items.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14965975#comment-14965975
 ] 

Jun Rao commented on KAFKA-1686:


Also, [~sriharsha], could you write up a wiki of using SASL like you did for 
SSL? Thanks,



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966076#comment-14966076
 ] 

ASF GitHub Bot commented on KAFKA-1686:
---

Github user harshach closed the pull request at:

https://github.com/apache/kafka/pull/191




[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-20 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966059#comment-14966059
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] working on it. I'll post it on the wiki.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-10-05 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14943620#comment-14943620
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], any updates on the PR? Thanks.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-22 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14903804#comment-14903804
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], when do you think your updated PR will be ready? The 0.9.0 
release time is getting pretty close.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-22 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14903836#comment-14903836
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] need 2 days, will update the PR. Sorry for the delay.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-16 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14790744#comment-14790744
 ] 

Jun Rao commented on KAFKA-1686:


Thanks. For ssl, this doc 
(https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html)
 has been very helpful for understanding the implementation. Is there a similar 
thing for sasl?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-15 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14746853#comment-14746853
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] Yes. Will post updated PR soon. What do you mean by reference doc here? 
It's a standard SASL implementation.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-15 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14746831#comment-14746831
 ] 

Jun Rao commented on KAFKA-1686:


[~harsha_ch], are you still working on this jira? Also, what reference doc have 
you been following to do the implementation?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-08 Thread Rajini Sivaram (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14734905#comment-14734905
 ] 

Rajini Sivaram commented on KAFKA-1686:
---

The current implementation uses GSSAPI as the only hard-coded SASL mechanism. 
We are keen to use SASL/PLAIN. Would it be possible to make the SASL mechanism 
configurable? This task does say "Implement SASL/Kerberos", so if it would be 
better to open a new task for Sasl/PLAIN, that would be fine too. But it will 
be good to separate out the Kerberos mechanism related code from the main SASL 
client/server codepath to make it easier to support multiple mechanisms.

We would like to use SSL as the transport layer with SASL/PLAIN for client 
authentication. I think that would be a straightforward new SecurityProtocol 
(SSL_SASL) that combines SSLTransportLayer with SaslAuthenticator. Are you 
planning to add this combination under this task?


> Implement SASL/Kerberos
> ---
>
> Key: KAFKA-1686
> URL: https://issues.apache.org/jira/browse/KAFKA-1686
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Affects Versions: 0.8.2.1
>Reporter: Jay Kreps
>Assignee: Sriharsha Chintalapani
>Priority: Blocker
> Fix For: 0.8.3
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair 
> to the client protocol. This request and response will each have only a 
> single byte[] field and will be used to handle the SASL challenge/response 
> cycle. Doing this will initialize the SaslServer instance and associate it 
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap 
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
> SSLEngine will need to also cover the SaslServer instance.





[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-08 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14734918#comment-14734918
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~rsivaram] Yes, I'll make it a configurable option. The current patch is 
going through cleanup and adding more config options.
Yes, I'll add SSLSASL as well.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-09-02 Thread ASF GitHub Bot (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14728472#comment-14728472
 ] 

ASF GitHub Bot commented on KAFKA-1686:
---

GitHub user harshach opened a pull request:

https://github.com/apache/kafka/pull/191

KAFKA-1686: Implement SASL/Kerberos.



You can merge this pull request into a Git repository by running:

$ git pull https://github.com/harshach/kafka KAFKA-1686-V1

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/kafka/pull/191.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #191


commit 82737e5bb71f67271d90c059dede74935f8a5e56
Author: Sriharsha Chintalapani 
Date:   2015-08-31T23:07:15Z

KAFKA-1686. Implement SASL/Kerberos.

commit a3417d7f2c558c0082799b117a3c62c706ad519d
Author: Sriharsha Chintalapani 
Date:   2015-09-03T03:31:34Z

KAFKA-1686. Implement SASL/Kerberos.

commit 8f718ce6b03a9c86712dc8f960af2b739b8ed510
Author: Sriharsha Chintalapani 
Date:   2015-09-03T04:10:40Z

KAFKA-1686. Implement SASL/Kerberos.




> Implement SASL/Kerberos
> ---
>
> Key: KAFKA-1686
> URL: https://issues.apache.org/jira/browse/KAFKA-1686
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Affects Versions: 0.8.2.1
>Reporter: Jay Kreps
>Assignee: Sriharsha Chintalapani
>Priority: Blocker
> Fix For: 0.8.3
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair 
> to the client protocol. This request and response will each have only a 
> single byte[] field and will be used to handle the SASL challenge/response 
> cycle. Doing this will initialize the SaslServer instance and associate it 
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap 
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
> SSLEngine will need to also cover the SaslServer instance.





[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-08-23 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708544#comment-14708544
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], in KAFKA-2210, [~parth.brahmbhatt] is extending KafkaPrincipal 
with a principal type (e.g., user, group). With SASL, many people probably want 
to do role based authorization management. Do you know typically how the role 
information is passed in to the server? Do we get the role as part of the SASL 
authentication of the client?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-08-23 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708588#comment-14708588
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] What do you mean by role-based authorization here? In SASL you get the 
client's authorizationID, which is a Kerberos principal. In Hadoop (HDFS, HBase 
and others) you take the principal and try to use a pluggable group mapping service 
to grab the Linux user group or LDAP group, and make authorization extend not just 
to the user but also to the group the user belongs to.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-08-23 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708750#comment-14708750
 ] 

Jun Rao commented on KAFKA-1686:


[~sriharsha], yes, I was referring to integration with group management in 
services like ldap or active directory. So, you are saying that the principal 
type in a client session should always be USER?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-08-23 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14708752#comment-14708752
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] Yes it should be USER.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-08-10 Thread Ismael Juma (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14679764#comment-14679764
 ] 

Ismael Juma commented on KAFKA-1686:


[~sriharsha], I changed the target version to 0.8.3. Please let me know if you 
disagree with this.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-06-27 Thread zhiwei (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14604464#comment-14604464
 ] 

zhiwei commented on KAFKA-1686:
---

Hi Sriharsha Chintalapani, any progress you can share?

> Implement SASL/Kerberos
> ---
>
> Key: KAFKA-1686
> URL: https://issues.apache.org/jira/browse/KAFKA-1686
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Affects Versions: 0.9.0
> Reporter: Jay Kreps
> Assignee: Sriharsha Chintalapani
> Fix For: 0.9.0
>
>
> Implement SASL/Kerberos authentication.
> To do this we will need to introduce a new SASLRequest and SASLResponse pair 
> to the client protocol. This request and response will each have only a 
> single byte[] field and will be used to handle the SASL challenge/response 
> cycle. Doing this will initialize the SaslServer instance and associate it 
> with the session in a manner similar to KAFKA-1684.
> When using integrity or encryption mechanisms with SASL we will need to wrap 
> and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
> SSLEngine will need to also cover the SaslServer instance.





[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-06-27 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14604487#comment-14604487
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~zhiwei] KAFKA-1690 is getting closer to being merged in. I'll post a patch ASAP after 
that gets in.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-05-27 Thread Dave Ariens (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14561459#comment-14561459
 ] 

Dave Ariens commented on KAFKA-1686:


Hi [~sriharsha], we're eagerly anticipating this enhancement over at 
BlackBerry--has there been any progress you can share beyond what's available 
in this ticket? When might we be able to enjoy some experimental builds with 
Kerberos support?



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2015-05-27 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14561509#comment-14561509
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~ariens] The community is currently reviewing the SSL patch over in KAFKA-1690. Once 
that gets in I'll submit SASL auth as well. Due to current discussions the 
interfaces are being changed, hence the delay in submitting this patch. Also, 
there are patches available for the authorizer implementation in KAFKA-1688.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-11-04 Thread Jun Rao (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196392#comment-14196392
 ] 

Jun Rao commented on KAFKA-1686:


Another question that I have is on the authentication of the followers. Each 
broker potentially needs to replicate messages from all other brokers and needs 
read access to all topics. Do we need to create a user for every broker and 
manually grant it the readALL permission before the broker can be added to a 
Kafka cluster? That may not be very convenient. Another way is to let all 
follower fetch requests pass through w/o checking permissions at all.

 Implement SASL/Kerberos
 ---

 Key: KAFKA-1686
 URL: https://issues.apache.org/jira/browse/KAFKA-1686
 Project: Kafka
  Issue Type: Sub-task
  Components: security
Affects Versions: 0.9.0
Reporter: Jay Kreps
Assignee: Sriharsha Chintalapani
 Fix For: 0.9.0


 Implement SASL/Kerberos authentication.
 To do this we will need to introduce a new SASLRequest and SASLResponse pair 
 to the client protocol. This request and response will each have only a 
 single byte[] field and will be used to handle the SASL challenge/response 
 cycle. Doing this will initialize the SaslServer instance and associate it 
 with the session in a manner similar to KAFKA-1684.
 When using integrity or encryption mechanisms with SASL we will need to wrap 
 and unwrap bytes as in KAFKA-1684 so the same interface that covers the 
 SSLEngine will need to also cover the SaslServer instance.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-11-04 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196422#comment-14196422
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

[~junrao] I was thinking of using jaas.conf, which is what we used for Storm: 
http://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html.
It allows the service to renewTGT. Kerberos tickets can be valid for more than 
10 hrs; it depends on the config in /etc/krb5.conf. We can have a renewTicket thread 
that checks the current ticket_lifetime and renew_lifetime and renews if the 
current ticket lifetime has expired.
Each broker will run with its own keytab, kafkabroker/_HOST@REALM. If you are 
using a service keytab, they should've granted all permissions in the permissions 
manager. This could be as simple as setting a config option in the permission 
manager where you can whitelist a principal as admin and use that principal for 
brokers. 
For example:
  kafka.admins: kafkabroker
and run all the brokers with kafkabroker/_HOST@REALM.
Users need to be careful in setting keytab permissions so that service keytabs 
cannot be accessed by a regular user to impersonate a kafkabroker and gain all 
access.


[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-11-04 Thread Gwen Shapira (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14196433#comment-14196433
 ] 

Gwen Shapira commented on KAFKA-1686:
-

Yes, +1 for a keytab for each broker as described by [~harsha_ch] and the 
renewTicket thread design.

Authorization is a different issue (and separate JIRA), but I can imagine 
having a separate role for brokers that lets them do anything on any topic.





[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-11-03 Thread Sriharsha Chintalapani (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194618#comment-14194618
 ] 

Sriharsha Chintalapani commented on KAFKA-1686:
---

Hi [~gwenshap], sorry for the late reply. I haven't started on this JIRA, and 
probably for another week at least I won't be able to work on it.
> It looks like the first step must be to authenticate Kafka broker itself 
> with Kerberos. 
Yes, this can be a separate piece and be made into its own JIRA. I'll look into 
KAFKA-1684 and update the JIRA soon with implementation details.



[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-11-03 Thread Gwen Shapira (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14194818#comment-14194818
 ] 

Gwen Shapira commented on KAFKA-1686:
-

An existing long-lived connection doesn't require renewing, since the ticket is 
only validated on the initial handshake.
(Yes, it does make it difficult to invalidate clients, but this is pretty 
normal for most kerberized services)
If the connection drops or the client needs another connection (perhaps when 
rebalancing?), the client needs to renew the ticket and present a new one.




[jira] [Commented] (KAFKA-1686) Implement SASL/Kerberos

2014-10-30 Thread Gwen Shapira (JIRA)

[ 
https://issues.apache.org/jira/browse/KAFKA-1686?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14191258#comment-14191258
 ] 

Gwen Shapira commented on KAFKA-1686:
-

Hi [~harsha_ch],

I assume you already started work on this (but no pressure if you didn't. We 
are all busy).
I have a few questions if you don't mind:

1. How are you adding the additional authentication information to 
SocketChannel? I discussed a few options in KAFKA-1684, perhaps you can comment 
on how your approach compares. If you are inspired by a specific ecosystem 
project, perhaps you can share your reference too.

2. It looks like the first step must be to authenticate Kafka broker itself 
with Kerberos (otherwise it can't accept client connections at all). This can 
be a separate piece that can be committed and tested on its own. Do you think 
it's worthwhile splitting this patch? I'm hoping that the smaller stand-alone 
components we can get, the easier it will be to get this work committed.


