[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

Fri, 20 Mar 2015 09:12:14 -0700 

    [ 
https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14371544#comment-14371544
 ] 

Jun Rao commented on KAFKA-1688:
--------------------------------

[~lparth], having a TopicConfigCache to cache all topic configs (whether the 
topic is hosted on a broker or not) sounds reasonable. Your other suggestion of 
letting the controller take in all config changes and propagate to all brokers 
may be slightly better for the long term. However, this requires changes in the 
controller. Currently, the logic in the controller is pretty complicated. We 
will likely need to clean it up before we can add non-trivial logic to it.

We will also need to keep an eye on KIP-5 and see if there is new approach to 
deal with all config changes, not just the topic level configs.

> Add authorization interface and naive implementation
> ----------------------------------------------------
>
>                 Key: KAFKA-1688
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1688
>             Project: Kafka
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Jay Kreps
>            Assignee: Parth Brahmbhatt
>             Fix For: 0.8.3
>
>
> Add a PermissionManager interface as described here:
> https://cwiki.apache.org/confluence/display/KAFKA/Security
> (possibly there is a better name?)
> Implement calls to the PermissionsManager in KafkaApis for the main requests 
> (FetchRequest, ProduceRequest, etc). We will need to add a new error code and 
> exception to the protocol to indicate "permission denied".
> Add a server configuration to give the class you want to instantiate that 
> implements that interface. That class can define its own configuration 
> properties from the main config file.
> Provide a simple implementation of this interface which just takes a user and 
> ip whitelist and permits those in either of the whitelists to do anything, 
> and denies all others.
> Rather than writing an integration test for this class we can probably just 
> use this class for the TLS and SASL authentication testing.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to