[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14987208#comment-14987208 ]

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] We are clearly very near the deadline for Kafka 0.9.0.0 and understand reluctance to include such a large patch, even though the majority is test code. It is very important for us to be able to provide authentication credentials using SASL but we do not use Kerberos. We were just wondering whether it might be possible to include a minimal patch to allow SASL providers to be plugged in on client and server. If that was acceptable we could provide the patch today. If there is anything at all we could do to alleviate your concerns on inclusion of this patch please let us know. Failing that we look forward to working with you to accept the existing patch for inclusion shortly after Kafka 0.9.0.0 branch is cut.

Thank you...

> Implement SASL/PLAIN
>
> Key: KAFKA-2658
> URL: https://issues.apache.org/jira/browse/KAFKA-2658
> Project: Kafka
> Issue Type: Sub-task
> Components: security
> Reporter: Rajini Sivaram
> Assignee: Rajini Sivaram
> Priority: Critical
> Fix For: 0.9.0.0
>
> KAFKA-1686 supports SASL/Kerberos using GSSAPI. We should enable more SASL
> mechanisms. SASL/PLAIN would enable a simpler use of SASL, which along with
> SSL provides a secure Kafka that uses username/password for client
> authentication.
> SASL/PLAIN protocol and its uses are described in
> [https://tools.ietf.org/html/rfc4616]. It is supported in Java.
> This should be implemented after KAFKA-1686. This task should also hopefully
> enable simpler unit testing of the SASL code.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14987381#comment-14987381 ]

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] The minimal changeset referred to in the comment above that would enable us to integrate Kafka 0.9.0.0 with our authentication service is in the branch KAFKA-2658-minimal in the repository https://github.com/rajinisivaram/kafka. You can view the changes here: https://github.com/apache/kafka/compare/trunk...rajinisivaram:KAFKA-2658-minimal. Please let me know if it would be possible to integrate this into 0.9.0.0. If so, I can submit a PR today.

Thank you...
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985663#comment-14985663 ]

Jun Rao commented on KAFKA-2658:

[~rsivaram], we had a chat with a security consulting firm last week. It actually strongly discourages the support of SASL/PLAIN in Kafka. The main reason is that the plain password is not encrypted during the wire transfer and can create a security loophole. Instead, it's better to support CRAM-MD5, which is more secure. Given that, I don't think we can include this in 0.9.0.0.
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985751#comment-14985751 ]

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] As described in the RFC for SASL/PLAIN (https://tools.ietf.org/html/rfc4616), PLAIN mechanism is intended for use with a secure transport protocol like TLS. I don't believe CRAM-MD5 is secure enough to use without TLS either. With TLS, unencrypted password in SASL/PLAIN shouldn't be a concern.
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14985939#comment-14985939 ]

Jun Rao commented on KAFKA-2658:

[~rsivaram], yes, perhaps enforcing that SASL/PLAIN can only be used with TLS will work. Perhaps it's worth discussing that in a separate KIP so that we can get feedback from people more familiar with security. In any case, given the release timeline, it's probably too late to include this jira in 0.9.0.
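
Added example, not part of the thread or of the Kafka patch: the single client message defined by RFC 4616, which the comments above discuss, with a server-side check that refuses PLAIN when the connection is not TLS. The function names, the `transport_is_tls` flag and the user store are assumptions made for illustration.

```python
import hmac

# Constructed sample store (assumption); a real broker would query an
# authentication service and would not hold plaintext passwords.
CONSTRUCTED_USERS = {"alice": "s3cret"}


class PlainAuthError(Exception):
    """The SASL/PLAIN exchange was rejected."""


def encode_plain(authcid, passwd, authzid=""):
    """Client side: RFC 4616 message is [authzid] NUL authcid NUL passwd."""
    if any("\x00" in field for field in (authzid, authcid, passwd)):
        raise ValueError("NUL is not allowed inside a field")
    return "\x00".join((authzid, authcid, passwd)).encode("utf-8")


def parse_plain(message):
    """Server side: split the single client message and validate its shape."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise PlainAuthError("expected exactly two NUL separators")
    try:
        authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    except UnicodeDecodeError:
        raise PlainAuthError("fields must be valid UTF-8") from None
    if not authcid or not passwd:
        raise PlainAuthError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def authenticate(message, transport_is_tls, users=CONSTRUCTED_USERS):
    """Return the authorized identity, or raise PlainAuthError."""
    # The message carries the password as readable bytes, so refuse it
    # outright when the transport is not TLS.
    if not transport_is_tls:
        raise PlainAuthError("PLAIN refused: connection is not TLS")
    authzid, authcid, passwd = parse_plain(message)
    expected = users.get(authcid)
    # Constant-time comparison; unknown users are compared against "".
    matches = hmac.compare_digest(passwd.encode("utf-8"),
                                  (expected or "").encode("utf-8"))
    if expected is None or not matches:
        raise PlainAuthError("invalid credentials")
    # This sketch lets a user act only as itself.
    if authzid and authzid != authcid:
        raise PlainAuthError("authcid may not act as requested authzid")
    return authzid or authcid
```

The encoded message for the constructed user is `b"\x00alice\x00s3cret"`, which is why the transport check runs before any credential handling.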
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14973909#comment-14973909 ]

Rajini Sivaram commented on KAFKA-2658:
---

[~junrao] Can we include this in 0.9.0.0? I can submit ducktape tests for SASL/PLAIN later today if the implementation can be included in the release.
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14974374#comment-14974374 ]

Jun Rao commented on KAFKA-2658:

[~rsivaram], thanks for the patch. Will take a look today.
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14967340#comment-14967340 ]

Rajini Sivaram commented on KAFKA-2658:
---

[~ijuma] [~harsha_ch] [~junrao] Do you have time to review this PR? I refactored some unit test code to reuse them for Sasl tests, so the changeset looks bigger than the actual code changes. The main change is the config option for Sasl mechanism and the addition of SASL/PLAIN support. It would be of great help to us if this can be included in 0.9.0.0.

Thank you...
[jira] [Commented] (KAFKA-2658) Implement SASL/PLAIN
[ https://issues.apache.org/jira/browse/KAFKA-2658?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14966652#comment-14966652 ]

ASF GitHub Bot commented on KAFKA-2658:
---

GitHub user rajinisivaram opened a pull request:

    https://github.com/apache/kafka/pull/341

    KAFKA-2658: Add PLAIN mechanism to SASL implementation

    Implementation and unit tests for SASL/PLAIN. A simple login module and SaslServer implementation for PLAIN mechanism are included in the implementation, but these can be replaced to integrate with authentication servers.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/rajinisivaram/kafka KAFKA-2658

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/kafka/pull/341.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #341

commit c15bc552b71ccff1e99f32173b211f0e6efb46ab
Author: Rajini Sivaram
Date: 2015-10-21T10:50:42Z

    KAFKA-2658: Add PLAIN mechanism to SASL implementation