Kuttaiah created KAFKA-9486:
---
Summary: Kafka Security
Key: KAFKA-9486
URL: https://issues.apache.org/jira/browse/KAFKA-9486
Project: Kafka
Issue Type: Bug
Components: security
://github.com/apache/kafka/pull/7090
> Add java security providers in Kafka Security config
>
>
> Key: KAFKA-8669
> URL: https://issues.apache.org/jira/browse/KAFKA-8669
> Project: Kafka
>
good discussion
> > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about
> the
> > KIP
> > <
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> >,
> > I'm starti
On 2019/07/29 19:22:02, Sandeep Mopuri wrote:
> Hi all, after some good discussion
> <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the
> KIP
> <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Se
Mopuri ,
> > > wrote:
> > > > > Hi all, after some good discussion
> > > > > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html>
> > > about the
> > > > > KIP
> > > > > <
> > >
> >
>
> > Harsha
> > > On Jul 29, 2019, 12:22 PM -0700, Sandeep Mopuri ,
> > wrote:
> > > > Hi all, after some good discussion
> > > > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html>
> > about the
> > > > KIP
> > >
> > > KIP
> > > <
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> >,
> > > I'm starting the voting.
> > >
> > > This KIP proposes adding new security configuration to accept custom
> > > security providers that can provide algorithms for SSL or SASL.
> > >
> > > --
> > > Thanks,
> > > M.Sai Sandeep
>
> > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the
> > KIP
> > <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>,
> > I'm starting the voting.
> >
> > Thi
display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>,
> I'm starting the voting.
>
> This KIP proposes adding new security configuration to accept custom
> security providers that can provide algorithms for SSL or SASL.
>
> --
> Thanks,
> M.Sai Sandeep
Hi all, after some good discussion
<https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the
KIP
<https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>,
I'm starting the voting.
This KIP proposes adding
> > > > > > > > >
> > > > > > > > > >>“To take advantage of these custom algorithms, we want to
> > > > support
> > > > > > > java
> > > > > > >
> > > > > > The
> > > > > > > > security providers can also be used for configuring security
> > > > > > algorithms in
> > > > > > > > SASL based communication.”
> >
curity.provider.class”. The value of “security.provider” is
> > > > > expected to
> > > > > > > be a string representing the provider’s full classname. This
> > provider
> > > > > class
>
> > > > > > It is good to have this property as a list of providers instead
> of a
> > > > > > single property. This will allow configuring multiple providers
> if it
> > > > > > is needed in the future without introducing hacky solutions like
>
nfiguring multiple providers if it
> > > > > is needed in the future without introducing hacky solutions like
> > > > > security.provider.class.name.x, where x is a sequence number. You
> > can
> > > > > change the property name to “security.provi
properties section:
> > > > “ssl.provider” instead of “ssl.providers”.
> > > >
> > > > Thanks,
> > > > Satish.
> > > >
> > > > 1. https://github.com/spiffe/java-spiffe
> > > >
> > > >
> > > > On Mon, Jul 15, 2019 at 11:41 AM Sandeep Mopuri
> > wrote:
> > > > >
> > > > > Hello all,
> > > > >
> > > > > I'd like to start a discussion thread for KIP-492.
> > > > > This KIP plans on introducing a new security config parameter for a
> > > > custom
> > > > > > security providers. Please take a look and let me know what you
> > think.
> > > > >
> > > > > More information can be found here:
> > > > >
> > > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> > > > > --
> > > > > Thanks,
> > > > > Sai Sandeep
> > > >
> > >
> > >
> > > --
> > > Thanks,
> > > M.Sai Sandeep
> > >
> >
>
--
Thanks,
M.Sai Sandeep
--
Thanks,
M.Sai Sandeep
> On Mon, Jul 15, 2019 at 11:41 AM Sandeep Mopuri
> wrote:
> > > >
> > > > Hello all,
> > > >
> > > > I'd like to start a discussion thread for KIP-492.
> > > > This KIP plans on introducing a new security config parameter for a
> > > custom
> > > > > security providers. Please take a look and let me know what you
> think.
> > > >
> > > > More information can be found here:
> > > >
> > >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> > > > --
> > > > Thanks,
> > > > Sai Sandeep
> > >
> >
> >
> > --
> > Thanks,
> > M.Sai Sandeep
> >
>
discussion thread for KIP-492.
> > > This KIP plans on introducing a new security config parameter for a
> > custom
> > > security providers. Please take a look and let me know what you think.
> > >
> > > More information can be found here:
> > >
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> > > --
> > > Thanks,
> > > Sai Sandeep
> >
>
>
> --
> Thanks,
> M.Sai Sandeep
>
custom
> > security providers. Please take a look and let me know what you think.
> >
> > More information can be found here:
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> > --
> > Thanks,
> > Sai Sandeep
>
--
Thanks,
M.Sai Sandeep
a new security config parameter for a custom
> security providers. Please take a look and let me know what you think.
>
> More information can be found here:
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> --
> Thanks,
> Sai Sandeep
/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
--
Thanks,
Sai Sandeep
Sai Sandeep created KAFKA-8669:
--
Summary: Add java security providers in Kafka Security config
Key: KAFKA-8669
URL: https://issues.apache.org/jira/browse/KAFKA-8669
Project: Kafka
Issue Type
1. Kafka security features (Kerberos, ACL's) are beta quality code or can
they be used in production?
Because Kafka documentation shows they are of beta code quality.
We need to update the document. But the Authorizer feature was released as part of
0.9.0. We have a lot of deployments using
Hi All,
Could you please provide below information.
1. Kafka security features (Kerberos, ACL's) are beta quality code or can
they be used in production?
Because Kafka documentation shows they are of beta code quality.
From Apache Kafka Documentation "In release 0.9.0.0, the Kafka c
Basically, 0.8.3 has been renamed to 0.9.0. The plan is to include security
in the 0.9 release which should happen once all the blocker bugs have been
resolved and testing is complete (committers can provide more accurate
timelines).
On Fri, Sep 25, 2015 at 10:35 AM, Whitney, Adam
My guess is that we might be able to get security and consumer work in by
November for the 0.9 release.
On Fri, Sep 25, 2015 at 10:44 AM, Aditya Auradkar <
aaurad...@linkedin.com.invalid> wrote:
> Basically, 0.8.3 has been renamed to 0.9.0. The plan is to include security
> in the 0.9 release
Hello Kafka Developers,
I’m looking for a queuing solution and Kafka is very near the top of my list …
except that security is a primary concern (see the domain my email is coming
from ;-)
I’m a little confused about when security is going to be part of Kafka and in
what release. On the
Parth,
Thanks for driving this. Could you update the status of the KIP in the wiki?
Thanks,
Jun
On Wed, May 20, 2015 at 2:37 PM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
This vote is now Closed with 4 binding +1s and 4 non binding +1s.
Thanks
Parth
On 5/20/15, 12:04 PM, Joel
I am sorry to be ignorant about this but what is the new state? Adopted
seems too early given we are still in code review process. Should I just
make it “Code review”?
Thanks
Parth
On 5/21/15, 8:43 AM, Jun Rao j...@confluent.io wrote:
Parth,
Thanks for driving this. Could you update the status
The KIP and design were accepted, so the WIKI should say accepted or
something similar.
Specific patch status is reflected in the JIRA.
On Thu, May 21, 2015 at 8:37 PM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
I am sorry to be ignorant about this but what is the new state? Adopted
This vote is now Closed with 4 binding +1s and 4 non binding +1s.
Thanks
Parth
On 5/20/15, 12:04 PM, Joel Koshy jjkosh...@gmail.com wrote:
+1
On Fri, May 15, 2015 at 04:18:49PM +, Parth Brahmbhatt wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
+1
On Fri, May 15, 2015 at 04:18:49PM +, Parth Brahmbhatt wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
Thanks
+1
~ Joe Stein
- - - - - - - - - - - - - - - - -
http://www.stealth.ly
- - - - - - - - - - - - - - - - -
On Fri, May 15, 2015 at 7:35 PM, Jun Rao j...@confluent.io wrote:
+1
Thanks,
Jun
On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
Thanks
Parth
+1
Thanks,
Jun
On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
Link to Jira:
+1 non-binding
On Fri, May 15, 2015 at 9:18 AM -0700, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
Link to Jira:
+1
-Jay
On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
Link to Jira:
+1 non-binding
On 5/15/15, 11:43 AM, Gwen Shapira gshap...@cloudera.com wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:12 PM, Harsha harsh...@fastmail.fm wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:18 AM -0700, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
+1 non-binding
On Fri, May 15, 2015 at 9:12 PM, Harsha harsh...@fastmail.fm wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:18 AM -0700, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Opening the voting thread for KIP-11.
Link to the KIP:
+1 non-binding.
Tom Graves
On Friday, May 15, 2015 2:00 PM, Don Bosco Durai bo...@apache.org wrote:
+1 non-binding
On 5/15/15, 11:43 AM, Gwen Shapira gshap...@cloudera.com wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:12 PM, Harsha harsh...@fastmail.fm wrote:
+1 non-binding
...@cloudera.com
Sent: Thursday, April 30, 2015 5:32 PM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
On Thu, Apr 30, 2015 at 4:39 PM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com
@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
While I see the advantage of being able to say something like: deny user
X from hosts h1...h200 also allow user X from host h189, there are two
issues here:
1. Complex rule systems can be difficult to reason about
design for kafka security
While I see the advantage of being able to say something like: deny user
X from hosts h1...h200 also allow user X from host h189, there are two
issues here:
1. Complex rule systems can be difficult to reason about and therefore
end
up being less secure
...@cloudera.com]
Sent: Tuesday, April 28, 2015 1:31 PM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
While I see the advantage of being able to say something like: deny
user
X from hosts h1...h200 also allow user X from host h189
...@cloudera.com]
Sent: Tuesday, April 28, 2015 1:31 PM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
While I see the advantage of being able to say something like: deny
user
X from hosts h1...h200 also allow user X from host h189
smoothly.
Regards
Dapeng
-Original Message-
From: Gwen Shapira [mailto:gshap...@cloudera.com]
Sent: Tuesday, April 28, 2015 1:31 PM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
While I
Dapeng
-Original Message-
From: Gwen Shapira [mailto:gshap...@cloudera.com]
Sent: Tuesday, April 28, 2015 1:31 PM
To: dev@kafka.apache.org
Subject: Re [VOTE] KIP-11- Authorization design for kafka
security
While I see the advantage of being
:14 AM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
* Regarding additional authorizers:
Prasad, who is a PMC on Apache Sentry reviewed the design and confirmed
Sentry can integrate with the current APIs. Dapeng Sun
: Gwen Shapira gshap...@cloudera.com
Sent: Thursday, April 30, 2015 10:14 AM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
* Regarding additional authorizers:
Prasad, who is a PMC on Apache
://docs.aws.amazon.com/kinesis/latest/APIReference/CommonErrors.html
From: Gwen Shapira gshap...@cloudera.com
Sent: Thursday, April 30, 2015 6:05 PM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
I think Kafka's behavior
...@cloudera.com
Sent: Thursday, April 30, 2015 5:32 PM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
On Thu, Apr 30, 2015 at 4:39 PM, Parth Brahmbhatt
pbrahmbh...@hortonworks.com
Dapeng
-Original Message-
From: Gwen Shapira [mailto:gshap...@cloudera.com]
Sent: Tuesday, April 28, 2015 1:31 PM
To: dev@kafka.apache.org
Subject: Re [VOTE] KIP-11- Authorization design for kafka
security
While I see the advantage of being able to say something
_
From: Gwen Shapira gshap...@cloudera.com
Sent: Thursday, April 30, 2015 10:14 AM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
* Regarding additional authorizers:
Prasad, who is a PMC on Apache
, 2015 4:12 PM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
I kind of thought of the authorization module as something that happens in
handle(request: RequestChannel.Request) in the request.requestId match
If the request doesn't do what it is allowed to
...@cloudera.com
Sent: Thursday, April 30, 2015 10:14 AM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
* Regarding additional authorizers:
Prasad, who is a PMC on Apache Sentry reviewed the design and confirmed
Sentry can
, access etc.?
Regards,
Suresh
Sent from phone
_
From: Joe Stein joe.st...@stealth.ly
Sent: Thursday, April 30, 2015 3:27 PM
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
To: dev@kafka.apache.org
-impl/core/src/main/scala/kafka/security/auth/SimpleAclAthorizer.scala) in debug mode.
Anybody who needs auditing could create a log4j appender to allow debug
access to this class and send the log output to some audit file.
Auditing is still a separate piece, we could either add an auditor
@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
While I see the advantage of being able to say something like: deny user X
from hosts h1...h200 also allow user X from host h189, there are two issues
here:
1. Complex rule systems can be difficult to reason about
Brahmbhatt
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for
kafka
security
Thanks for the explanations
design for
kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more
likely
to
accidentally give everyone access, especially since you
have
to
run
a
separate command to change the acls. If there was some
config
,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for
kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more
likely
to
accidentally
@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
A few more minor comments.
100. To make it clear, perhaps we should rename the resource group to
consumer-group. We can probably make the same change in CLI as well so
that it's not confused with user group.
101
Attach the image.
https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png
Regards
Dapeng
From: Sun, Dapeng [mailto:dapeng@intel.com]
Sent: Tuesday, April 28, 2015 11:44 AM
To: dev@kafka.apache.org
Subject: RE: [VOTE] KIP-11- Authorization design for kafka security
the image.
https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png
Regards
Dapeng
From: Sun, Dapeng [mailto:dapeng@intel.com]
Sent: Tuesday, April 28, 2015 11:44 AM
To: dev@kafka.apache.org
Subject: RE: [VOTE] KIP-11- Authorization design for kafka security
Thank you
...@hortonworks.com
,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely
meaning and make acl management easily.
Regards
Dapeng
-Original Message-
From: Jun Rao [mailto:j...@confluent.io]
Sent: Monday, April 27, 2015 5:02 AM
To: dev@kafka.apache.org
Subject: Re: [VOTE] KIP-11- Authorization design for kafka security
A few more minor comments.
100. To make
@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to
run
a
separate
] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to
run
a
separate command to change the acls. If there was some config
for
defaults
@kafka.apache.org
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since
...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions
for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run a
separate command to change the acls. If there was some config for
defaults, a cluster admin could change
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions
: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run a
separate command to change the acls
@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run a
separate
@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run
a
separate command to change the acls
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run
design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run
a
separate command to change the acls. If there was some config for
defaults, a cluster admin
@kafka.apache.org
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to
run
- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely
to
accidentally give everyone access, especially since you have
to
run
a
separate command to change the acls. If there was some config
for
defaults, a cluster
@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka
security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to
run
a
separate
Hey everyone,
Sorry to jump in on the conversation so late. I'm new to Kafka. I'll apologize
in advance if you have already covered some of my questions. I read through
the wiki and had some comments and questions.
1) public enum Operation needs EDIT changed to ALTER
2) Does the Authorizer
FYI, I have modified the KIP to include group as resource. In order to
access “joinGroup” and “commitOffset” APIs the user will need a read
permission on topic and WRITE permission on group.
I plan to open a VOTE thread by noon if there are no more concerns.
Thanks
Parth
On 4/22/15, 9:03 AM,
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to accidentally
give everyone access, especially since you have to run a separate command to
change the acls. If there was some config for defaults, a cluster admin could
change that to be nobody or
@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to accidentally
give everyone access, especially since you have to run a separate command
.
Thanks
Parth
From: Tom Graves tgraves...@yahoo.com
Reply-To: Tom Graves tgraves...@yahoo.com
Date: Wednesday, April 22, 2015 at 11:02 AM
To: Parth Brahmbhatt pbrahmbh...@hortonworks.com, dev@kafka.apache.org
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
To: Parth Brahmbhatt
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs
: Wednesday, April 22, 2015 at 11:02 AM
To: Parth Brahmbhatt
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks
- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run a
separate command to change the acls. If there was some config for
defaults, a cluster
@kafka.apache.org
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access
@kafka.apache.org
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks for the explanations Parth.
On the configs questions, the way I see it is it's more likely to
accidentally give everyone access, especially since you have to run
22, 2015 at 11:02 AM
To: Parth Brahmbhatt
pbrahmbh...@hortonworks.com,
dev@kafka.apache.org
Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security
Thanks
:Re: [DISCUSS] KIP-11- Authorization design for kafka security
Parth,
This is a long thread, so trying to keep up here, sorry if this has been
covered before. First, great job on the KIP proposal and work so far.
Are we sure that we want to tie host level access to a given user? My
Harsha, Parth,
Thanks for the clarification. This makes sense. Perhaps we can clarify the
meaning of those rules in the wiki.
Related to this, it seems that we need to support wildcard in cli/request
protocol for topics?
Jun
On Mon, Apr 20, 2015 at 9:07 PM, Parth Brahmbhatt
Also, I think I may have missed this but does READ imply you also have
DESCRIBE? A reader will need access to both read offsets (to determine
their own initial position) as well as commit offsets. Currently, though
fetching offsets is under DESCRIBE only and commit offsets is under READ.
If
Changed Edit to Alter.
I did not think about it that way but Sriharsha raised the same point in a
private conversation. I did not think about it that way but I agree it
makes sense. If no one objects I think in default implementation we can
infer that if a user has READ or WRITE access he gets
Hey Parth,
Great write-up!
One super minor thing: could we change the EDIT permission to be called
ALTER? The request name in KIP-4 is Alter and the command line tool has
always been alter (or we could go the other way and change those to EDIT).
Not sure that one is any better than the other but
Hey Jun,
Yes and we support wild cards for all acl entities principal, hosts and
operation.
Thanks
Parth
On 4/21/15, 9:06 AM, Jun Rao j...@confluent.io wrote:
Harsha, Parth,
Thanks for the clarification. This makes sense. Perhaps we can clarify the
meaning of those rules in the wiki.
Related
Following up on the KIP discussion. Two options for authorizing consumers
to read topic t as part of group g:
1. READ permission on resource /topic/t
2. READ permission on resource /topic/t AND WRITE permission on /group/g
The advantage of (1) is that it is simpler. The disadvantage is that any
Adding my notes from today's call to the thread:
** Deny or Allow all by default? We will add a configuration to
control this. The configuration will default to “allow” for backward
compatibility. Security admins can set it to deny
** Storing ACLs for default authorizers: We'll store them in ZK.