[jira] [Commented] (KAFKA-3186) KIP-50: Move Authorizer and related classes to separate package.

2017-09-28 Thread Ismael Juma (JIRA)

[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16183945#comment-16183945 ]

Ismael Juma commented on KAFKA-3186:


KIP-50 was never merged [~guozhang].

> KIP-50: Move Authorizer and related classes to separate package.
>
> Key: KAFKA-3186
> URL: https://issues.apache.org/jira/browse/KAFKA-3186
> Project: Kafka
> Issue Type: Improvement
> Affects Versions: 0.9.0.0
> Reporter: Ashish Singh
> Assignee: Ashish Singh
>
> [KIP-50|https://cwiki.apache.org/confluence/display/KAFKA/KIP-50+-+Move+Authorizer+to+a+separate+package]
> has more details.
> Kafka supports pluggable authorization. Third-party authorizer
> implementations allow existing authorization systems like Apache Sentry,
> Apache Ranger, etc. to extend authorization to Kafka as well. Implementing
> Kafka's authorizer interface requires depending on Kafka's core, which is
> huge. This has already been raised as a concern by Sentry, Ranger and the Kafka
> community. Even Kafka clients require duplication of authorization-related
> classes, like Resource, Operation, etc., for adding ACL CRUD APIs.
> The Kafka authorizer is agnostic of the principal types it supports, and so are
> the ACL CRUD methods in the Authorizer interface. The intent behind this is to
> keep Kafka principal types pluggable, which is really great. However, this leads
> to the ACL CRUD methods not performing any check on the validity of ACLs, as they
> are not aware of what principal types the Authorizer implementation supports.
> This opens up space for lots of user errors; KAFKA-3097 is an instance.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)


[jira] [Commented] (KAFKA-3186) KIP-50: Move Authorizer and related classes to separate package.

2017-09-22 Thread Guozhang Wang (JIRA)

[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16177495#comment-16177495 ]

Guozhang Wang commented on KAFKA-3186:
--

I saw that KIP-50 has been merged in 0.10.1.0; which information is true? cc [~ijuma]

> KIP-50: Move Authorizer and related classes to separate package.
>
> Key: KAFKA-3186
> URL: https://issues.apache.org/jira/browse/KAFKA-3186
> Project: Kafka
> Issue Type: Improvement
> Affects Versions: 0.9.0.0
> Reporter: Ashish Singh
> Assignee: Ashish Singh
> Fix For: 1.0.0


