Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-30 Thread Brock Noland
I think it is acceptable for KIP-11 to allow additional network based authorization. However I do feel that most users will want something simpler and thus I don't feel KIP-11 should require network based authorization by default. For example postgres allows something similar to what is being

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Gwen Shapira
I'd like to add that HDFS has had ACLs + RBAC + global IP white/black list for years now. We did not notice any customers confusing the features. I've seen customers use each feature for different purposes. Actually, the only system I am aware of that integrated IP access controls together with

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Jeff Holoman
Parth, I think it's important to understand the timing of both the initial JIRA and the KIP, it helps put my comments in proper context. The initial JIRA for this was created back in December, so the timeline for 1688/KIP-11 was pretty unclear. KIP-7 came out when we started doing KIPs, back in

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Jeff Holoman
Hey Jun, The intent was for the same functionality to be utilized when 1688 is done, as mentioned in the KIP: The broader security initiative http://kafka-1682/ will add more robust controls for these types of environments, and this proposal could be integrated with that work at the appropriate

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Parth Brahmbhatt
I can confirm that KAFKA-1688 will cover this use case. Please go over https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface and let me know if you think there is a different use case being covered by KIP-7. Thanks Parth On 3/20/15, 9:26 AM, Jun Rao

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Parth Brahmbhatt
I am not entirely sure what you mean by integrating KIP-7 work with KAFKA-1688. Wouldn't the work done as part of KIP-7 become obsolete once KAFKA-1688 is done? Multiple ways of controlling these authorization just seems extra configuration that will confuse admins/users. If timing is the only

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Jun Rao
Yes, we can discuss the implementation separately. As for the proposal itself, have you looked at KAFKA-1688? Could this just be a special case for authorization and be included there? Thanks, Jun On Wed, Mar 18, 2015 at 6:26 PM, Jeff Holoman jholo...@cloudera.com wrote: One other thought.

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Jun Rao
Right, if this KIP is subsumed by KIP-7, perhaps we just need to wait until KIP-7 is done? If we add the small change now, we will have to worry about migrating existing users and deprecating some configs when KIP-7 is done. Thanks, Jun On Fri, Mar 20, 2015 at 10:36 AM, Parth Brahmbhatt

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-20 Thread Parth Brahmbhatt
I am guessing in your last reply you meant KIP-11. And yes, I think KIP-11 subsumed KIP-7 so if we can finish KIP-11 we should not need KIP-7 but I will let Jeff confirm that, Thanks Parth On 3/20/15, 2:32 PM, Jun Rao j...@confluent.io wrote: Right, if this KIP is subsumed by KIP-7, perhaps we

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-18 Thread Jun Rao
The proposal sounds reasonable. Timing wise, since we plan to refactor the network layer code in the broker, perhaps this can wait until KAFKA-1928 is done? Thanks, Jun On Tue, Mar 17, 2015 at 6:56 AM, Jeff Holoman jholo...@cloudera.com wrote: bump On Tue, Mar 3, 2015 at 8:12 PM, Jeff

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-17 Thread Jeff Holoman
bump On Tue, Mar 3, 2015 at 8:12 PM, Jeff Holoman jholo...@cloudera.com wrote: Guozhang, The way the patch is implemented, the check is done in the acceptor thread accept() method of the Socket Server, just before connectionQuotas. Thanks Jeff On Tue, Mar 3, 2015 at 7:59 PM, Guozhang

[VOTE] KIP-7 Security - IP Filtering

2015-03-03 Thread Jeff Holoman
Details in the wiki. https://cwiki.apache.org/confluence/display/KAFKA/KIP-7+-+Security+-+IP+Filtering -- Jeff Holoman Systems Engineer

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-03 Thread Jiangjie Qin
+1 (non-binding) On 3/3/15, 1:17 PM, Gwen Shapira gshap...@cloudera.com wrote: +1 (non-binding) On Tue, Mar 3, 2015 at 12:44 PM, Jeff Holoman jholo...@cloudera.com wrote: Details in the wiki. https://cwiki.apache.org/confluence/display/KAFKA/KIP-7+-+Security+-+IP+Filtering -- Jeff

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-03 Thread Gwen Shapira
+1 (non-binding) On Tue, Mar 3, 2015 at 12:44 PM, Jeff Holoman jholo...@cloudera.com wrote: Details in the wiki. https://cwiki.apache.org/confluence/display/KAFKA/KIP-7+-+Security+-+IP+Filtering -- Jeff Holoman Systems Engineer

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-03 Thread Guozhang Wang
Jeff, I am wondering if the IP filtering rule can be enforced at the socket server level instead of the Kafka API level? Guozhang On Tue, Mar 3, 2015 at 2:24 PM, Jiangjie Qin j...@linkedin.com.invalid wrote: +1 (non-binding) On 3/3/15, 1:17 PM, Gwen Shapira gshap...@cloudera.com wrote: +1

Re: [VOTE] KIP-7 Security - IP Filtering

2015-03-03 Thread Jeff Holoman
Guozhang, The way the patch is implemented, the check is done in the acceptor thread accept() method of the Socket Server, just before connectionQuotas. Thanks Jeff On Tue, Mar 3, 2015 at 7:59 PM, Guozhang Wang wangg...@gmail.com wrote: Jeff, I am wondering if the IP filtering rule can be