[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-11-03 Thread Rajini Sivaram (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14987208#comment-14987208
 ] 

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao]  We are clearly very near the deadline for Kafka 0.9.0.0 and 
understand reluctance to include such a large patch, even though the majority 
is test code. It is very important for us to be able to provide authentication 
credentials using SASL but we do not use Kerberos. We were just wondering 
whether it might be possible to include a minimal patch to allow SASL providers 
to be plugged in on client and server. If that was acceptable we could provide 
the patch today. If there is anything at all we could do to alleviate your 
concerns on inclusion of this patch please let us know.

Failing that we look forward to working with you to accept the existing patch 
for inclusion shortly after Kafka 0.9.0.0 branch is cut. Thank you...


> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-11-03 Thread Rajini Sivaram (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14987381#comment-14987381
 ] 

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] The minimal changeset referred to in the comment above that would 
enable us to integrate Kafka 0.9.0.0 with our authentication service is in the 
branch KAFKA-2658-minimal in the repository 
https://github.com/rajinisivaram/kafka. You can view the changes here: 
https://github.com/apache/kafka/compare/trunk...rajinisivaram:KAFKA-2658-minimal.
 Please let me know if it would be possible to integrate this into 0.9.0.0. If 
so, I can submit a PR today. Thank you...

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-11-02 Thread Jun Rao (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985663#comment-14985663
 ] 

Jun Rao commented on KAFKA-2658:


[~rsivaram], we had a chat with a security consulting firm last week. It 
actually strongly discourages the support of SASL/PLAIN in Kafka. The main 
reason is that the plain password is not encrypted during the wire transfer and 
can create a security loophole. Instead, it's better to support CRAM-MD5, which 
is more secure. Given that, I don't think we can include this in 0.9.0.0.

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-11-02 Thread Rajini Sivaram (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985751#comment-14985751
 ] 

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] As described in the RFC for SASL/PLAIN 
(https://tools.ietf.org/html/rfc4616), PLAIN mechanism is intended for use with 
a secure transport protocol like TLS. I dont believe CRAM-MD5 is secure enough 
to use without TLS either. WIth TLS, unencrypted password in SASL/PLAIN 
shouldn't be a concern.

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-11-02 Thread Jun Rao (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985939#comment-14985939
 ] 

Jun Rao commented on KAFKA-2658:


[~rsivaram], yes, perhaps enforcing that SASL/PLAIN can only be used with TLS 
will work. Perhaps it's worth discussing that in a separate KIP so that we can 
get feedback from people more familiar with security. In any case, given the 
release timeline, it's probably too late to include this jira in 0.9.0.

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-10-26 Thread Rajini Sivaram (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973909#comment-14973909
 ] 

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] Can we include this in 0.9.0.0? I can submit ducktape tests for 
SASL/PLAIN later today if the implementation can be included in the release.

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-10-26 Thread Jun Rao (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14974374#comment-14974374
 ] 

Jun Rao commented on KAFKA-2658:


[~rsivaram], thanks for the patch. Will take a look today.

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-10-21 Thread Rajini Sivaram (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14967340#comment-14967340
 ] 

Rajini Sivaram commented on KAFKA-2658:
---

[~ijuma] [~harsha_ch] [~junrao] Do you have time to review this PR? I 
refactored some unit test code to reuse them for Sasl tests, so the changeset 
looks bigger than the actual code changes. The main change is the config option 
for Sasl mechanism and the addition of SASL/PLAIN support. It would be of great 
help to us if this can be included in 0.9.0.0. Thank you...

> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN

2015-10-21 Thread ASF GitHub Bot (JIRA) 

[ 
https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966652#comment-14966652
 ] 

ASF GitHub Bot commented on KAFKA-2658:
---

GitHub user rajinisivaram opened a pull request:

https://github.com/apache/kafka/pull/341

KAFKA-2658: Add PLAIN mechanism to SASL implementation

Implementation and unit tests for SASL/PLAIN. A simple login module and 
SaslServer implementation for PLAIN mechanism are included in the 
implementation, but these can be replaced to integrate with authentication 
servers.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/rajinisivaram/kafka KAFKA-2658

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/kafka/pull/341.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

This closes #341


commit c15bc552b71ccff1e99f32173b211f0e6efb46ab
Author: Rajini Sivaram 
Date:   2015-10-21T10:50:42Z

KAFKA-2658: Add PLAIN mechanism to SASL implementation




> Implement SASL/PLAIN
> 
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
>  Issue Type: Sub-task
>  Components: security
>Reporter: Rajini Sivaram
>Assignee: Rajini Sivaram
>Priority: Critical
> Fix For: 0.9.0.0
>
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL 
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with 
> SSL provides a secure Kafka that uses username/password for client 
> authentication.
> SASL/PLAIN protocol and its uses are described in 
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully 
> enable simpler unit testing of the SASL code.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)