[
https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14178799#comment-14178799
]
Don Bosco Durai edited comment on KAFKA-1688 at 10/21/14 6:33 PM
[
https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14283104#comment-14283104
]
Don Bosco Durai commented on KAFKA-1688:
[~charmalloc], can you help me create
[
https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14283155#comment-14283155
]
Don Bosco Durai commented on KAFKA-1688:
My id is bosco. I think I might already
[
https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14282002#comment-14282002
]
Don Bosco Durai commented on KAFKA-1722:
There few things to note here
[
https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14281981#comment-14281981
]
Don Bosco Durai commented on KAFKA-1722:
Ashish, Coverity is another option
[
https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14281992#comment-14281992
]
Don Bosco Durai commented on KAFKA-1722:
coverall also seems to be good. It says
+1
I also feel, having security.* would be easy going forward.
Thanks
Bosco
On 1/29/15, 6:08 AM, Jeff Holoman jeff.holo...@gmail.com wrote:
On Jan. 23, 2015, 1:57 a.m., Jun Rao wrote:
core/src/main/scala/kafka/server/KafkaConfig.scala, lines 182-183
Parth
Overall it is looking good. Couple of questions
- Can you give an example how the policies will look like in the default
implementation?
- In the operations, can we support ³CONNECT² also? This can be used
during Session connection
- Regarding access control for ³Topic Creation², since we
[
https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14378100#comment-14378100
]
Don Bosco Durai commented on KAFKA-1688:
[~prasadm],
I agree with you, we should
to
READ R from all hosts *except* H1.
2. When a topic is newly created, will there be an ACL created for it?
If
not, would that not deny subsequent access to it?
(nit) Maybe use Principal instead of String to represent principals?
On 3/9/15, 11:48 AM, Don Bosco Durai bo
interesting question:
Since a broker is a consumer (of lead replicas), how do we handle the
broker level of permissions? Do we hardcode a broker-principal name
and automatically authorize brokers to do anything? Or is there a
cleaner way?
On Tue, Mar 31, 2015 at 10:17 AM, Don Bosco Durai bo
unit tests.
* I don’t know if I completely understand the concern. We have talked
with
Ranger team (Don Bosco Durai) so we at least have one custom
authorizer
implementation that has approved this design and they will be able to
inject their authorization framework with current interfaces
which I
guess is the reason for no existing unit tests.
Can you update the KIP with some more detail about that please.
Parth I don’t know if I completely understand the concern. We have
talked with Ranger team (Don Bosco Durai) so we at least have one custom
authorizer implementation
+1 non-binding
On 5/15/15, 11:43 AM, Gwen Shapira gshap...@cloudera.com wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:12 PM, Harsha harsh...@fastmail.fm wrote:
+1 non-binding
On Fri, May 15, 2015 at 9:18 AM -0700, Parth Brahmbhatt
pbrahmbh...@hortonworks.com wrote:
Hi,
Jun
Here is the recent interface from Hive. It is grossly simplified from what
you pasted before.
https://hive.apache.org/javadocs/r1.0.0/api/ql/org/apache/hadoop/hive/ql/se
curity/authorization/plugin/HiveAuthorizer.html
At the high level, there is only one authorization method (similar to
access to it?
(nit) Maybe use Principal instead of String to represent principals?
On 3/9/15, 11:48 AM, Don Bosco Durai bo...@apache.org wrote:
Parth
Overall it is looking good. Couple of questionsŠ
- Can you give an example how the policies will look like in the
default
implementation
Gwen
I feel, we should assume the metrics server is an external system and the
access to the server should be managed by the security features provided
by the system. This way, it would be the Kafka System Administrator
responsibility to ensure the metrics system is properly firewall¹ed or
access
, 2015 at 10:10 AM, Don Bosco Durai bo...@apache.org
wrote:
Any reason you think its better to let the clients handle it?
Gwen, I agree with Todd, depending on the goal, the requirements might
vary. If the goal is that someone stills the disk, then they should be
able to access the data
Bhavesh
I am from the Apache Ranger team, so let me answer the questions pertaining to
Ranger…
> 1) Is there any performance impact with Brokers/Producer/Consumer while using
> Apache Ranger ?
As such Ranger overhead is negligible. Specifically for Kafka, we did some more
optimization for the
Hi Ashish
If we are going by option #2, then I can suggest we give an abstract
implementation of the Interface and recommend anyone implementing their own
plugin to extend from the abstract class, rather than implement the interface?
The advantage is, in the future if we add add any new
t be Ok with you folks?
>
>On Thursday, April 7, 2016, Don Bosco Durai <bo...@apache.org> wrote:
>
>> Ranger team would prefer option #2. Right now, we have to access some of
>> the nested constants using constructs like Group$.MODULE$, which is not
>> intuitive in Java.
>
h future (probably no later than the
>> Java 9 release).
>>
>> Ismael
>>
>> On Thu, Apr 7, 2016 at 11:36 PM, Don Bosco Durai <bo...@apache.org> wrote:
>>
>> > Hi Ashish
>> >
>> > If we are going by option #2, then I can sugges
+1 (non binding)
On 4/28/16, 7:47 AM, "Jun Rao" wrote:
>Ashish,
>
>Thanks for the proposal. +1
>
>Jun
>
>On Mon, Apr 25, 2016 at 10:04 AM, Ashish Singh wrote:
>
>> Hey Guys,
>>
>> I would like to re-initiate the voting process for KIP-50: Move
Jun, my understanding is, currently if ACLs are enabled, then auto topic
creation is disabled. Is this going to change with this requirement?
Thanks
Bosco
On 7/11/16, 1:14 PM, "Jun Rao" wrote:
Ismael,
We could change the existing behavior if it's bad for most of the
on, Jul 11, 2016 at 6:26 PM, Don Bosco Durai <bo...@apache.org> wrote:
> Jun, my understanding is, currently if ACLs are enabled, then auto topic
> creation is disabled. Is this going to change with this requirement?
>
> Thanks
>
> Bosco
>
Jason
Do you anticipate any backward compatibility issues with existing custom
implementation of the authorization interface/plugins?
Thanks
Bosco
On 8/25/17, 3:22 PM, "Jason Gustafson" wrote:
No problem. I'll add a note to the KIP to emphasize that we will use the
On Fri, Aug 25, 2017 at 4:37 PM, Don Bosco Durai <bo...@apache.org> wrote:
> Jason, thanks for confirming that. Since there are existing custom
> plugins, we might have to give enough time for them to start using the
> newer interface.
>
> I quickly glan
e it in a future major release.
-Jason
On Fri, Aug 25, 2017 at 3:51 PM, Don Bosco Durai <bo...@apache.org> wrote:
> Jason
>
> Do you anticipate any backward compatibility issues with existing custom
> implementation of the authorization int
In general, making authorization decision based on client version might not be
a good idea. It will just provide a loop hole for someone to downgrade their
client version to exploit or workaround any restrictions.
> > propose a single broker dynamic configuration: client.min.api.version, to
>
; mode`
>> > > > > > > and `count` have come up multiple times, I have renamed both.
>> > > > > > >
>> > > > > > > 1) Renamed `count` to `resourceReferenceCount`. It is the
>> number
>&g
in Kafka, there is no value in making the load asynchronous.
Regards,
Rajini
On Fri, Aug 16, 2019 at 6:43 PM Don Bosco Durai wrote:
> Hi Rajini
>
> Assuming this doesn't affect custom plugins, I don't have any concerns
> regarding this.
ation mode, operation etc.
On Thu, Aug 8, 2019 at 11:36 PM Don Bosco Durai wrote:
> Hi Rajini
>
> Thanks for clarifying. This is very helpful...
>
> #1 - On the Ranger side, we should be able to handle multiple requests at
> the same time.
questContext,
List aclBindingFilters);
CompletionStage> acls(AclBindingFilter filter);
}
Thank you,
Rajini
On Sun, Aug 18, 2019 at 6:25 PM Don Bosco Durai wrote:
> Hi Rajini
>
> Thanks for clarifying. I am good for now.
ale. Even though this is a big change, since we will be doing the same
> for all requests, it shouldn't be too hard to maintain since the same
> pattern will be used for all requests.
>
> Regards,
>
> Rajini
>
> On Tue, Sep 3, 2019 at 11
> Rajini
>
>
> On Fri, Sep 6, 2019 at 5:32 PM Don Bosco Durai wrote:
>
> > +1
> >
> > I might be wrong here, but here are few of my assumptions..
> >
> > 1. Unlike transactional services, in Kafka most of the users are
onal
>> threads or
>> > > > > purgatory will be used for this case. So there would be no
>> > performance
>> > > > > penalty. For implementations that return a future that is not
>> >
Rajini
Thanks for putting this together. It is looking good. I have few questions...
1. List authorize(..., List actions). Do you see
a scenario where the broker will call authorize for multiple topics at the same
time? I can understand that during creating/deleting ACLS, multiple permissions
e method 10
times. The proposal is to invoke it once with count=10. The count is
provided to authorizer just for audit logging purposes.
5. Authorizer implements Closeable, so you could use close() to flush
audits?
On Thu, Aug 8, 2019 at 7:01 AM Don Bosco Durai wrote:
>
38 matches
Mail list logo