[ https://issues.apache.org/jira/browse/KAFKA-1477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14179081#comment-14179081 ]
Jay Kreps commented on KAFKA-1477:
----------------------------------

I took a look at this patch in a little more detail. I think there is likely a fair bit of work to do before we can check this in. For example, some things that concern me: The SSLSocketChannel class extends SocketChannel. We seem to be simulating blocking on a non-blocking socket using sleep calls in a loop. Then even lots of minor things like channelFor is doing handshaking and some odd unfinished-looking code. I suspect some of this may be done this way to minimize impact to existing code since it was being maintained as a patch, but that won't make sense once it is committed.

What about this as a path forward? Let's take this patch and extract just the server-side SSL support in SocketServer and try to get that into shape to be something we can commit. I think we can do this without simultaneously doing the clients. I think if we try to do this all at once we aren't going to get there. We can test this by adding to SocketServerTest and just using a blocking SSL connection.

Here is what I think we need to do:

1. Do we need SSLSocketChannel? I think as long as the acceptor completes the handshake from then on all that is needed is to wrap/unwrap bytes, right?
2. Modify the acceptor in SocketServer to do non-blocking handling of the SSL handshake. By the time the socket is accepted and handed over to the processor the SSL handshake should be complete.
3. Create some kind of generic interface for wrap/unwrap (SecurityCodec?) as we will need to implement this for both SSL and for Kerberos. This interface will wrap the SSLEngine (or SASL engine) associated with a given connection.

> add authentication layer and initial JKS x509 implementation for brokers, producers and consumer for network communication
> --------------------------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-1477
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1477
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Joe Stein
>            Assignee: Ivan Lyutov
>             Fix For: 0.8.3
>
>         Attachments: KAFKA-1477-binary.patch, KAFKA-1477.patch, KAFKA-1477_2014-06-02_16:59:40.patch, KAFKA-1477_2014-06-02_17:24:26.patch, KAFKA-1477_2014-06-03_13:46:17.patch, KAFKA-1477_trunk.patch
>
>

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
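
One possible shape for the wrap/unwrap interface proposed in item 3, as an added example that is not part of the comment or of the KAFKA-1477 patch. Only the name SecurityCodec comes from the comment; the method signatures, the class SslSecurityCodec, and the policy of rejecting any handshake activity after accept are assumptions.

```java
import java.nio.ByteBuffer;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import javax.net.ssl.SSLEngineResult.Status;
import javax.net.ssl.SSLException;

// Hypothetical interface: only the name SecurityCodec is from the comment; the methods are assumed.
interface SecurityCodec {
    // Encode application bytes from src into network bytes in dst; returns bytes consumed from src.
    int wrap(ByteBuffer src, ByteBuffer dst) throws SSLException;
    // Decode network bytes from src into application bytes in dst; returns bytes produced into dst.
    int unwrap(ByteBuffer src, ByteBuffer dst) throws SSLException;
}

// SSL implementation; assumes the acceptor completed the handshake before handing over the engine.
final class SslSecurityCodec implements SecurityCodec {
    private final SSLEngine engine;

    SslSecurityCodec(SSLEngine engine) { this.engine = engine; }

    @Override
    public int wrap(ByteBuffer src, ByteBuffer dst) throws SSLException {
        int consumed = 0;
        while (src.hasRemaining()) {
            SSLEngineResult r = engine.wrap(src, dst);
            consumed += r.bytesConsumed();
            if (!canContinue(r)) break; // dst full: caller flushes dst to the socket and retries
        }
        return consumed;
    }

    @Override
    public int unwrap(ByteBuffer src, ByteBuffer dst) throws SSLException {
        int produced = 0;
        while (src.hasRemaining()) {
            SSLEngineResult r = engine.unwrap(src, dst);
            produced += r.bytesProduced();
            if (!canContinue(r)) break; // partial record or dst full: caller reads more or drains dst
        }
        return produced;
    }

    // True when another engine call can make progress; fails closed on close or renegotiation.
    private static boolean canContinue(SSLEngineResult r) throws SSLException {
        if (r.getStatus() == Status.CLOSED) throw new SSLException("TLS session closed");
        HandshakeStatus hs = r.getHandshakeStatus();
        if (hs != HandshakeStatus.NOT_HANDSHAKING && hs != HandshakeStatus.FINISHED)
            throw new SSLException("unexpected handshake after accept: " + hs);
        return r.getStatus() == Status.OK && (r.bytesConsumed() > 0 || r.bytesProduced() > 0);
    }
}
```

On a buffer underflow the engine leaves the partial record in src, so the caller keeps those bytes (for example with `compact()`) before reading more from the socket.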