Re: Review Request 33620: Patch for KAFKA-1690

2015-06-30 Thread Michael Herstine
, this interface models how that abstraction relates to other abstractions with similar-sounding (to me, at least) names. - Michael Herstine On June 23, 2015, 8:18 p.m., Sriharsha Chintalapani wrote: --- This is an automatically generated e

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-26 Thread Michael Herstine
- Michael --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/33620/#review83993 --- On May 21, 2015, 5:37 p.m., Sriharsha Chintalapani

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-22 Thread Michael Herstine
On May 15, 2015, 10:54 p.m., Joel Koshy wrote: clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java, line 153 https://reviews.apache.org/r/33620/diff/5/?file=957065#file957065line153 I think Michael meant the following which I think is valid right?

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-22 Thread Michael Herstine
On May 22, 2015, 12:14 a.m., Michael Herstine wrote: clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java, line 44 https://reviews.apache.org/r/33620/diff/8/?file=966813#file966813line44 I'm trying to imagine implementing `buildPrincipal

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-15 Thread Michael Herstine
is quite complex. - Michael Herstine On May 15, 2015, 2:18 p.m., Sriharsha Chintalapani wrote: --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/33620

Re: KIP Hangout notes

2015-05-13 Thread Michael Herstine
Regarding the SSL code-- is there an RB available? I don’t see a recent patch uploaded to https://issues.apache.org/jira/browse/KAFKA-1684… How can other folks see the code? On 5/12/15, 12:07 PM, Gwen Shapira gshap...@cloudera.com wrote: My notes from the hangout: * KIP-11: Based on feedback

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
in Authorizer. One thing to note the current ACL json is versioned so it is easy to make changes to it however it won’t be possible to support custom ACL formats with the current design. Thanks Parth On 4/15/15, 4:29 PM, Michael Herstine mherst...@linkedin.com.INVALID wrote: Hi Parth, I’m a little

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
be possible to support custom ACL formats with the current design. Thanks Parth On 4/15/15, 4:29 PM, Michael Herstine mherst...@linkedin.com.INVALID wrote: Hi Parth, I’m a little confused: why would Kafka need to interpret the JSON? IIRC KIP-11 even says that the TopicConfigData will just store

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Michael Herstine
in out of box implementation. Thanks Parth On 4/15/15, 10:31 AM, Michael Herstine mherst...@linkedin.com.INVALID wrote: Hi Parth, One question that occurred to me at the end of today’s hangout: how tied are we to a particular ACL representation under your

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-14 Thread Michael Herstine
/18/15, 2:20 PM, Michael Herstine mherst...@linkedin.com.INVALID wrote: Hi Parth, Thanks! A few questions: 1. Do you want to permit rules in your ACLs that DENY access as well as ALLOW? This can be handy setting up rules that have exceptions. E.g. “Allow principal P to READ resource R from all

Re: KIP discussion Apr 15 at 9:30 am PST

2015-04-13 Thread Michael Herstine
Hi Jun, Michael from Security Infrastructure at LinkedIn-- I’d be interested in joining. Could you send me the invite? On 4/10/15, 3:01 PM, Jun Rao j...@confluent.io wrote: We plan to have a KIP discussion on Google hangout on Apr. 15 at 9:30am PST. This is moved to a different time on Wed due

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-18 Thread Michael Herstine
Hi Parth, Thanks! A few questions: 1. Do you want to permit rules in your ACLs that DENY access as well as ALLOW? This can be handy setting up rules that have exceptions. E.g. “Allow principal P to READ resource R from all hosts” with “Deny principal P READ access to resource R from host H1” in

Re: Review Request 31958: Patch for KAFKA-1684

2015-03-16 Thread Michael Herstine
will update them if there's an incomplete packet (i.e. in the BUFFER_UNDERFLOW case). Just a few questions on some corner cases... handling all the possibilities when handshaking over NIO is really tough. - Michael Herstine On March 11, 2015, 9:36 p.m., Sriharsha Chintalapani wrote

[jira] [Commented] (KAFKA-1684) Implement TLS/SSL authentication

2014-11-14 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14212515#comment-14212515 ] Michael Herstine commented on KAFKA-1684: - Coming in a little late

[jira] [Commented] (KAFKA-1684) Implement TLS/SSL authentication

2014-11-05 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14199087#comment-14199087 ] Michael Herstine commented on KAFKA-1684: - Hi Ivan, Thanks-- adding SSL support

[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

2014-10-24 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14183061#comment-14183061 ] Michael Herstine commented on KAFKA-1688: - Apologies-- yes, I should have said

Re: Security JIRAS

2014-10-16 Thread Michael Herstine
Thanks, Jay. I’m new to the project, and I’m wondering how things proceed from here… are folks working on these tasks, or do they get assigned, or…? On 10/7/14, 5:15 PM, Jay Kreps jay.kr...@gmail.com wrote: Hey guys, As promised, I added a tree of JIRAs for the stuff in the security wiki (

Re: Two open issues on Kafka security

2014-10-01 Thread Michael Herstine
Regarding question #1, I’m not sure I follow you, Joe: you’re proposing (I think) that the API take a byte[], but what will be in that array? A serialized certificate if the client authenticated via SSL and the principal name (perhaps normalized) if the client authenticated via Kerberos?