Hi Harsha,

The reason we rejected the SslProvider route is that we only needed a custom way to load keys/certs, not to touch any policy that existing Providers govern, like the SunJSSE Provider.

The ask here is different than KIP-492. We don't have any need to modify/specify the algorithm parameter. Does that make sense?

Thanks
Maulin

On Thu, Aug 8, 2019 at 7:48 AM Harsha Chintalapani <ka...@harsha.io> wrote:

> In your KIP you added security.provider as rejected alternative and
> specified "its not the correct way". Do you mind explaining why it's not? I
> didn't find any evidence in Java docs to say so. Contrary to your statement
> it does say in the Java docs
> "However, please note that a provider can be used to implement any
> security service in Java that uses a pluggable architecture with a choice
> of implementations that fit underneath."
>
> Java Security Providers have been used by other projects to provide such
> integration. I am not sure if you looked into the Spiffe project to
> efficiently distribute certificates, but here is an example of a Java provider
> https://github.com/spiffe/spiffe-example/blob/master/java-spiffe/spiffe-security-provider/src/main/java/spiffe/api/provider/SpiffeProvider.java
> which obtains certificates from local daemons.
> These integrations are being used in Tomcat, Jetty etc. We are also using
> Security provider to do the same in our Kafka clusters. So unless I see
> more evidence why security.provider doesn't work for you,
> adding new interfaces while there exists a cleaner way of achieving the
> goals of this KIP is unnecessary and breaks the well known security
> interfaces provided by Java itself.
>
> Thanks,
> Harsha
>
>
> On Thu, Aug 08, 2019 at 6:54 AM, Harsha Chintalapani <ka...@harsha.io>
> wrote:
>
> > Hi Maulin,
> > Not sure if you looked at my previous replies. These changes
> > are not required as there is already security Provider to do what you are
> > proposing. This KIP
> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config
> > also addresses easy registration of such providers.
> >
> > Thanks,
> > Harsha
> >
> >
> > On Wed, Aug 07, 2019 at 11:31 PM, Maulin Vasavada <maulin.vasavada@gmail.com> wrote:
> >
> > Bump! Can somebody please review this?
> >
> > On Tue, Jul 16, 2019 at 1:51 PM Maulin Vasavada <maulin.vasav...@gmail.com>
> > wrote:
> >
> > Bump! Can somebody please review this?