[jira] [Comment Edited] (KAFKA-1688) Add authorization interface and naive implementation

[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14178799#comment-14178799 ] Don Bosco Durai edited comment on KAFKA-1688 at 10/21/14 6:33 PM

[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14283104#comment-14283104 ] Don Bosco Durai commented on KAFKA-1688: [~charmalloc], can you help me create

[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14283155#comment-14283155 ] Don Bosco Durai commented on KAFKA-1688: My id is bosco. I think I might already

[jira] [Commented] (KAFKA-1722) static analysis code coverage for pci audit needs

[ https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14282002#comment-14282002 ] Don Bosco Durai commented on KAFKA-1722: There few things to note here

[jira] [Commented] (KAFKA-1722) static analysis code coverage for pci audit needs

[ https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14281981#comment-14281981 ] Don Bosco Durai commented on KAFKA-1722: Ashish, Coverity is another option

[jira] [Commented] (KAFKA-1722) static analysis code coverage for pci audit needs

[ https://issues.apache.org/jira/browse/KAFKA-1722?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14281992#comment-14281992 ] Don Bosco Durai commented on KAFKA-1722: coverall also seems to be good. It says

Re: Review Request 28769: Patch for KAFKA-1809

+1 I also feel, having security.* would be easy going forward. Thanks Bosco On 1/29/15, 6:08 AM, Jeff Holoman jeff.holo...@gmail.com wrote: On Jan. 23, 2015, 1:57 a.m., Jun Rao wrote: core/src/main/scala/kafka/server/KafkaConfig.scala, lines 182-183

Re: [DISCUSS] KIP-11- Authorization design for kafka security

Parth Overall it is looking good. Couple of questionsŠ - Can you give an example how the policies will look like in the default implementation? - In the operations, can we support ³CONNECT² also? This can be used during Session connection - Regarding access control for ³Topic Creation², since we

[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14378100#comment-14378100 ] Don Bosco Durai commented on KAFKA-1688: [~prasadm], I agree with you, we should

Re: [DISCUSS] KIP-11- Authorization design for kafka security

to READ R from all hosts *except* H1. 2. When a topic is newly created, will there be an ACL created for it? If not, would that not deny subsequent access to it? (nit) Maybe use Principal instead of String to represent principals? On 3/9/15, 11:48 AM, Don Bosco Durai bo

Re: [DISCUSS] KIP-11- Authorization design for kafka security

interesting question: Since a broker is a consumer (of lead replicas), how do we handle the broker level of permissions? Do we hardcode a broker-principal name and automatically authorize brokers to do anything? Or is there a cleaner way? On Tue, Mar 31, 2015 at 10:17 AM, Don Bosco Durai bo

Re: [VOTE] KIP-11- Authorization design for kafka security

unit tests. * I don’t know if I completely understand the concern. We have talked with Ranger team (Don Bosco Durai) so we at least have one custom authorizer implementation that has approved this design and they will be able to inject their authorization framework with current interfaces

Re: [VOTE] KIP-11- Authorization design for kafka security

which I guess is the reason for no existing unit tests. Can you update the KIP with some more detail about that please. Parth I don’t know if I completely understand the concern. We have talked with Ranger team (Don Bosco Durai) so we at least have one custom authorizer implementation

Re: [Vote] KIP-11 Authorization design for kafka security

+1 non-binding On 5/15/15, 11:43 AM, Gwen Shapira gshap...@cloudera.com wrote: +1 non-binding On Fri, May 15, 2015 at 9:12 PM, Harsha harsh...@fastmail.fm wrote: +1 non-binding On Fri, May 15, 2015 at 9:18 AM -0700, Parth Brahmbhatt pbrahmbh...@hortonworks.com wrote: Hi,

Re: [DISCUSSION] KIP-11: ACL Management

Jun Here is the recent interface from Hive. It is grossly simplified from what you pasted before. https://hive.apache.org/javadocs/r1.0.0/api/ql/org/apache/hadoop/hive/ql/se curity/authorization/plugin/HiveAuthorizer.html At the high level, there is only one authorization method (similar to

Re: [DISCUSS] KIP-11- Authorization design for kafka security

access to it? (nit) Maybe use Principal instead of String to represent principals? On 3/9/15, 11:48 AM, Don Bosco Durai bo...@apache.org wrote: Parth Overall it is looking good. Couple of questionsŠ - Can you give an example how the policies will look like in the default implementation

Re: [KIP-DISCUSSION] KIP-13 Quotas

Gwen I feel, we should assume the metrics server is an external system and the access to the server should be managed by the security features provided by the system. This way, it would be the Kafka System Administrator responsibility to ensure the metrics system is properly firewall¹ed or access

Re: Gauging Interest in adding Encryption to Kafka

, 2015 at 10:10 AM, Don Bosco Durai bo...@apache.org wrote: Any reason you think its better to let the clients handle it? Gwen, I agree with Todd, depending on the goal, the requirements might vary. If the goal is that someone stills the disk, then they should be able to access the data

Re: Authorization Engine For Kafka Related to KPI-11

Bhavesh I am from the Apache Ranger team, so let me answer the questions pertaining to Ranger… > 1) Is there any performance impact with Brokers/Producer/Consumer while using > Apache Ranger ? As such Ranger overhead is negligible. Specifically for Kafka, we did some more optimization for the

Re: [DISCUSS] KIP-50 - Enhance Authorizer interface to be aware of supported Principal Types

Hi Ashish If we are going by option #2, then I can suggest we give an abstract implementation of the Interface and recommend anyone implementing their own plugin to extend from the abstract class, rather than implement the interface? The advantage is, in the future if we add add any new

Re: [DISCUSS] KIP-50 - Enhance Authorizer interface to be aware of supported Principal Types

t be Ok with you folks? > >On Thursday, April 7, 2016, Don Bosco Durai <bo...@apache.org> wrote: > >> Ranger team would prefer option #2. Right now, we have to access some of >> the nested constants using constructs like Group$.MODULE$, which is not >> intuitive in Java. >

Re: [DISCUSS] KIP-50 - Enhance Authorizer interface to be aware of supported Principal Types

h future (probably no later than the >> Java 9 release). >> >> Ismael >> >> On Thu, Apr 7, 2016 at 11:36 PM, Don Bosco Durai <bo...@apache.org> wrote: >> >> > Hi Ashish >> > >> > If we are going by option #2, then I can sugges

Re: [VOTE] KIP-50: Move Authorizer to o.a.k.common package - Round 2

+1 (non binding) On 4/28/16, 7:47 AM, "Jun Rao" wrote: >Ashish, > >Thanks for the proposal. +1 > >Jun > >On Mon, Apr 25, 2016 at 10:04 AM, Ashish Singh wrote: > >> Hey Guys, >> >> I would like to re-initiate the voting process for KIP-50: Move

Re: [DISCUSS] Client Side Auto Topic Creation

Jun, my understanding is, currently if ACLs are enabled, then auto topic creation is disabled. Is this going to change with this requirement? Thanks Bosco On 7/11/16, 1:14 PM, "Jun Rao" wrote: Ismael, We could change the existing behavior if it's bad for most of the

Re: [DISCUSS] Client Side Auto Topic Creation

on, Jul 11, 2016 at 6:26 PM, Don Bosco Durai <bo...@apache.org> wrote: > Jun, my understanding is, currently if ACLs are enabled, then auto topic > creation is disabled. Is this going to change with this requirement? > > Thanks > > Bosco >

Re: [DISCUSS] KIP-189: Improve principal builder interface and add support for SASL

Jason Do you anticipate any backward compatibility issues with existing custom implementation of the authorization interface/plugins? Thanks Bosco On 8/25/17, 3:22 PM, "Jason Gustafson" wrote: No problem. I'll add a note to the KIP to emphasize that we will use the

Re: [DISCUSS] KIP-189: Improve principal builder interface and add support for SASL

On Fri, Aug 25, 2017 at 4:37 PM, Don Bosco Durai <bo...@apache.org> wrote: > Jason, thanks for confirming that. Since there are existing custom > plugins, we might have to give enough time for them to start using the > newer interface. > > I quickly glan

Re: [DISCUSS] KIP-189: Improve principal builder interface and add support for SASL

e it in a future major release. -Jason On Fri, Aug 25, 2017 at 3:51 PM, Don Bosco Durai <bo...@apache.org> wrote: > Jason > > Do you anticipate any backward compatibility issues with existing custom > implementation of the authorization int

Re: [DISCUSS] KIP-433: Provide client API version to authorizer

In general, making authorization decision based on client version might not be a good idea. It will just provide a loop hole for someone to downgrade their client version to exploit or workaround any restrictions. > > propose a single broker dynamic configuration: client.min.api.version, to >

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

; mode` >> > > > > > > and `count` have come up multiple times, I have renamed both. >> > > > > > > >> > > > > > > 1) Renamed `count` to `resourceReferenceCount`. It is the >> number >&g

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

in Kafka, there is no value in making the load asynchronous. Regards, Rajini On Fri, Aug 16, 2019 at 6:43 PM Don Bosco Durai wrote: > Hi Rajini > > Assuming this doesn't affect custom plugins, I don't have any concerns > regarding this.

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

ation mode, operation etc. On Thu, Aug 8, 2019 at 11:36 PM Don Bosco Durai wrote: > Hi Rajini > > Thanks for clarifying. This is very helpful... > > #1 - On the Ranger side, we should be able to handle multiple requests at > the same time.

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

questContext, List aclBindingFilters); CompletionStage> acls(AclBindingFilter filter); } Thank you, Rajini On Sun, Aug 18, 2019 at 6:25 PM Don Bosco Durai wrote: > Hi Rajini > > Thanks for clarifying. I am good for now.

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

ale. Even though this is a big change, since we will be doing the same > for all requests, it shouldn't be too hard to maintain since the same > pattern will be used for all requests. > > Regards, > > Rajini > > On Tue, Sep 3, 2019 at 11

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

> Rajini > > > On Fri, Sep 6, 2019 at 5:32 PM Don Bosco Durai wrote: > > > +1 > > > > I might be wrong here, but here are few of my assumptions.. > > > > 1. Unlike transactional services, in Kafka most of the users are

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

onal >> threads or >> > > > > purgatory will be used for this case. So there would be no >> > performance >> > > > > penalty. For implementations that return a future that is not >> >

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

Rajini Thanks for putting this together. It is looking good. I have few questions... 1. List authorize(..., List actions). Do you see a scenario where the broker will call authorize for multiple topics at the same time? I can understand that during creating/deleting ACLS, multiple permissions

Re: [DISCUSS] KIP-504 - Add new Java Authorizer Interface

e method 10 times. The proposal is to invoke it once with count=10. The count is provided to authorizer just for audit logging purposes. 5. Authorizer implements Closeable, so you could use close() to flush audits? On Thu, Aug 8, 2019 at 7:01 AM Don Bosco Durai wrote: >