Re: [DISCUSS] KIP-515: Enable ZK client to use the new TLS supported authentication

Zhou, Thomas Fri, 10 Jan 2020 15:50:35 -0800

Hi Pere,

It is a very meaningful KIP to make kafka broker -> ZK connection secured.
In the meanwhile, there is another KIP under discussion talking about making 
SSLContext pluggle on broker side - 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=128650952. 
Instead of putting credentials on file, this can load credentials in a custom 
way into cache.
I think for Zookeeper this feature can also be valid. 
Could you please kindly take a look at that KIP and take the idea into 
consideration?


Thanks,
Thomas

On 9/2/19, 5:23 AM, "Pere Urbón Bayes" <pere.ur...@gmail.com> wrote:

    Thanks for your time Harsha,
       anyone else with comments? looking forward to hearing from you.
    
    Stupid question: when do you move from discussion to vote?
    
    Missatge de Harsha Chintalapani <ka...@harsha.io> del dia dv., 30 d’ag.
    2019 a les 21:59:
    
    > Thanks Pere. KIP looks good to me.
    > -Harsha
    >
    >
    > On Fri, Aug 30, 2019 at 10:05 AM, Pere Urbón Bayes <pere.ur...@gmail.com>
    > wrote:
    >
    >> Not really,
    >>   my idea is to keep the JAAS parameter, so people don't see major
    >> changes. But if you pass a properties file, then this takes precedence 
over
    >> the other, with the idea that you can do sasl as well with the properties
    >> files.
    >>
    >> Makes sense?
    >>
    >> -- Pere
    >>
    >> Missatge de Harsha Chintalapani <ka...@harsha.io> del dia dv., 30 d’ag.
    >> 2019 a les 19:00:
    >>
    >>> Hi Pere,
    >>>           Thanks for the KIP. Enabling SSL for zookeeper for Kafka makes
    >>> sense.
    >>> "The changes are planned to be introduced in a compatible way, by
    >>> keeping the current JAAS variable precedence."
    >>> Can you elaborate a bit here. If the user configures a JAAS file with
    >>> Client section it will take precedence over zookeeper SSL configs?
    >>>
    >>> Thanks,
    >>> Harsha
    >>>
    >>>
    >>>
    >>> On Fri, Aug 30, 2019 at 7:50 AM, Pere Urbón Bayes <pere.ur...@gmail.com>
    >>> wrote:
    >>>
    >>>> Hi,
    >>>> quick question, I saw in another mail that 2.4 release is planned for
    >>>> September. I think it would be really awesome to have this for this
    >>>> release, do you think we can make it?
    >>>>
    >>>> -- Pere
    >>>>
    >>>> Missatge de Pere Urbón Bayes <pere.ur...@gmail.com> del dia dj., 29
    >>>> d’ag. 2019 a les 20:10:
    >>>>
    >>>> Hi,
    >>>> this is my first KIP for a change in Apache Kafka, so I'm really need
    >>>> to the process. Looking forward to hearing from you and learn the best
    >>>> ropes here.
    >>>>
    >>>> I would like to propose this KIP-515 to enable the ZookeeperClients to
    >>>> take full advantage of the TLS communication in the new Zookeeper 
3.5.5.
    >>>> Specially interesting it the Zookeeper Security Migration, that without
    >>>> this change will not work with TLS, disabling users to use ACLs when 
the
    >>>> Zookeeper cluster use TLS.
    >>>>
    >>>> link:
    >>>>
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcwiki.apache.org%2Fconfluence%2Fdisplay%2FKAFKA%2FKIP-515%253A%2BEnable%2BZK%2Bclient%2Bto%2Buse%2Bthe%2Bnew%2BTLS%2Bsupported%2Bauthentication&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=PrNRY3teOpZ4cvmI%2FIGofhZhOs5lb2b7b5Hif9jTYH0%3D&amp;reserved=0
    >>>>
    >>>> Looking forward to hearing from you on this,
    >>>>
    >>>> /cheers
    >>>>
    >>>> --
    >>>> Pere Urbon-Bayes
    >>>> Software Architect
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.purbon.com&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=tXdEiq2%2BeivI2Xo9a3r2c6v9LRK4eXp6sFovEzZ7NEY%3D&amp;reserved=0
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fpurbon&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=hht3hwCEu0kS4feTn58HO36Rw2rgF7wSrfn8VRyzzU4%3D&amp;reserved=0
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpurbon%2F&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=XOPFUsKlAT7TxfF%2Ff%2BAKdN1r4lFg5reE8%2F7mbvWq5UI%3D&amp;reserved=0
    >>>>
    >>>> --
    >>>> Pere Urbon-Bayes
    >>>> Software Architect
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.purbon.com&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=tXdEiq2%2BeivI2Xo9a3r2c6v9LRK4eXp6sFovEzZ7NEY%3D&amp;reserved=0
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fpurbon&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=hht3hwCEu0kS4feTn58HO36Rw2rgF7wSrfn8VRyzzU4%3D&amp;reserved=0
    >>>> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpurbon%2F&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=XOPFUsKlAT7TxfF%2Ff%2BAKdN1r4lFg5reE8%2F7mbvWq5UI%3D&amp;reserved=0
    >>>>
    >>>
    >>>
    >>
    >> --
    >> Pere Urbon-Bayes
    >> Software Architect
    >> 
https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.purbon.com&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=tXdEiq2%2BeivI2Xo9a3r2c6v9LRK4eXp6sFovEzZ7NEY%3D&amp;reserved=0
    >> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fpurbon&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=hht3hwCEu0kS4feTn58HO36Rw2rgF7wSrfn8VRyzzU4%3D&amp;reserved=0
    >> 
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpurbon%2F&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=XOPFUsKlAT7TxfF%2Ff%2BAKdN1r4lFg5reE8%2F7mbvWq5UI%3D&amp;reserved=0
    >>
    >
    >
    
    -- 
    Pere Urbon-Bayes
    Software Architect
    
https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.purbon.com&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=tXdEiq2%2BeivI2Xo9a3r2c6v9LRK4eXp6sFovEzZ7NEY%3D&amp;reserved=0
    
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fpurbon&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=hht3hwCEu0kS4feTn58HO36Rw2rgF7wSrfn8VRyzzU4%3D&amp;reserved=0
    
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.linkedin.com%2Fin%2Fpurbon%2F&amp;data=01%7C01%7Cthzhou%40paypal.com%7C5d7c9fe278a44846502e08d72fa05dab%7Cfb00791460204374977e21bac5f3f4c8%7C1&amp;sdata=XOPFUsKlAT7TxfF%2Ff%2BAKdN1r4lFg5reE8%2F7mbvWq5UI%3D&amp;reserved=0

Re: [DISCUSS] KIP-515: Enable ZK client to use the new TLS supported authentication

Reply via email to