I would be strong +1 on that. I’ve seen a lot of regressions on other projects
when new functionality causes regressions when running in secure mode.

Jarcec

On Oct 10, 2014, at 9:43 AM, Neha Narkhede <neha.narkh...@gmail.com> wrote:

> I'd vote for accepting every major change with the relevant system tests.
> We didn't do this for major features in the past that led to weak coverage
> and a great deal of work for someone else to add tests for features that
> were done in the past. I'm guilty of this myself :-(
> 
> On Thu, Oct 9, 2014 at 6:45 PM, Gwen Shapira <gshap...@cloudera.com> wrote:
> 
>> Added some details on delegation tokens. I hope it at least clarifies
>> some of the scope.
>> I'm working on a more detailed design doc.
>> 
>> On Thu, Oct 9, 2014 at 1:44 PM, Jay Kreps <jay.kr...@gmail.com> wrote:
>>> Hey Gwen,
>>> 
>>> You're absolutely right about these. I added the ticket for ZK
>>> authentication and Hadoop delegation tokens.
>>> 
>>> For the Hadoop case I actually don't understand Hadoop security very
>>> well. Maybe you could fill in some of the details on what needs to
>>> happen for that to work?
>>> 
>>> For testing, we should probably discuss the best way to test security. I
>>> think this is a fairly critical thing, if we are going to say we have
>>> security we really need to have good tests in place to ensure we do. This
>>> will require some thought. I think we should be able to test TLS fairly
>>> easily using a JUnit integration test that just starts the server and
>>> connects using TLS. For Kerberos though it isn't clear to me how to do
>>> good integration testing since we need a KDC to test against and it isn't
>>> clear how that happens in the test environment except possibly manually
>>> (which is not ideal). How do other projects handle this?
>>> 
>>> -Jay
>>> 
>>> On Tue, Oct 7, 2014 at 5:25 PM, Gwen Shapira <gshap...@cloudera.com> wrote:
>>> 
>>>> I think we need to add:
>>>> 
>>>> * Authentication of Kafka brokers with a secured ZooKeeper
>>>> * Kafka should be able to generate delegation tokens for MapReduce /
>>>> Spark / Yarn jobs.
>>>> * Extend systest framework to allow testing secured Kafka
>>>> 
>>>> Gwen
>>>> 
>>>> On Tue, Oct 7, 2014 at 5:15 PM, Jay Kreps <jay.kr...@gmail.com> wrote:
>>>>> Hey guys,
>>>>> 
>>>>> As promised, I added a tree of JIRAs for the stuff in the security
>>>>> wiki (https://cwiki.apache.org/confluence/display/KAFKA/Security):
>>>>> 
>>>>> https://issues.apache.org/jira/browse/KAFKA-1682
>>>>> 
>>>>> I tried to break it into reasonably standalone pieces. I think many of
>>>>> the tickets could actually be done in parallel. Since there were many
>>>>> people interested in this area this may help parallelize the work a bit.
>>>>> 
>>>>> I added some strawman details on implementation to each ticket. We can
>>>>> discuss and refine further on the individual tickets.
>>>>> 
>>>>> Please take a look and let me know if this breakdown seems reasonable.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> -Jay
>>>> 
>> 
