Hey Jun, The intent was for the same functionality to be utilized when 1688 is done, as mentioned in the KIP:
"The broader security initiative <http://kafka-1682/> will add more robust controls for these types of environments, and this proposal could be integrated with that work at the appropriate time. This is also the specific request of a large financial services company." I don't think including the functionality now (as it's relatively simple) would preclude integration into 1688. At that point the implementation of the check might change, but as it's a broker config, there shouldn't be concerns about backward compatibility. Hope that helps Thanks Jeff On Fri, Mar 20, 2015 at 12:26 PM, Jun Rao <j...@confluent.io> wrote: > Yes, we can discuss the implementation separately. > > As for the proposal itself, have you looked at KAFKA-1688? Could this just > be a special case for authorization and be included there? > > Thanks, > > Jun > > On Wed, Mar 18, 2015 at 6:26 PM, Jeff Holoman <jholo...@cloudera.com> > wrote: > > > One other thought. Does the timing of the implementation (or lack > thereof) > > affect the proposal? It seems like the question you are asking is an > > implementation detail in terms of when the work would be done. If there > > isn't really support for the KIP that's ok, just wanting to make sure we > > are segmenting the vote for the KIP from concerns about implementation > > timing. > > > > Thanks! > > > > Jeff > > > > On Wed, Mar 18, 2015 at 9:22 PM, Jeff Holoman <jholo...@cloudera.com> > > wrote: > > > > > Hey Jun thanks for the comment. > > > > > > Is the plan to re-factor the SocketServer implementation significantly? > > > The current check is just in the acceptor. Does this change with the > > > refactor? > > > > > > Thanks > > > > > > Jeff > > > > > > > > > > > > > > > > > > On Wed, Mar 18, 2015 at 7:25 PM, Jun Rao <j...@confluent.io> wrote: > > > > > >> The proposal sounds reasonable. Timing wise, since we plan to refactor > > the > > >> network layer code in the broker, perhaps this can wait until > KAFKA-1928 > > >> is > > >> done? > > >> > > >> Thanks, > > >> > > >> Jun > > >> > > >> On Tue, Mar 17, 2015 at 6:56 AM, Jeff Holoman <jholo...@cloudera.com> > > >> wrote: > > >> > > >> > bump > > >> > > > >> > On Tue, Mar 3, 2015 at 8:12 PM, Jeff Holoman <jholo...@cloudera.com > > > > >> > wrote: > > >> > > > >> > > Guozhang, > > >> > > > > >> > > The way the patch is implemented, the check is done in the > acceptor > > >> > thread > > >> > > accept() method of the Socket Server, just before > connectionQuotas. > > >> > > > > >> > > Thanks > > >> > > > > >> > > Jeff > > >> > > > > >> > > On Tue, Mar 3, 2015 at 7:59 PM, Guozhang Wang <wangg...@gmail.com > > > > >> > wrote: > > >> > > > > >> > >> Jeff, > > >> > >> > > >> > >> I am wondering if the IP filtering rule can be enforced at the > > socket > > >> > >> server level instead of the Kafka API level? > > >> > >> > > >> > >> Guozhang > > >> > >> > > >> > >> On Tue, Mar 3, 2015 at 2:24 PM, Jiangjie Qin > > >> <j...@linkedin.com.invalid > > >> > > > > >> > >> wrote: > > >> > >> > > >> > >> > +1 (non-binding) > > >> > >> > > > >> > >> > On 3/3/15, 1:17 PM, "Gwen Shapira" <gshap...@cloudera.com> > > wrote: > > >> > >> > > > >> > >> > >+1 (non-binding) > > >> > >> > > > > >> > >> > >On Tue, Mar 3, 2015 at 12:44 PM, Jeff Holoman < > > >> jholo...@cloudera.com > > >> > > > > >> > >> > >wrote: > > >> > >> > >> Details in the wiki. > > >> > >> > >> > > >> > >> > >> > > >> > >> > >> > > >> > >> > >> > > >> > >> > > > >> > >> > > >> > > > >> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-7+-+Security+-+IP+F > > >> > >> > >>iltering > > >> > >> > >> > > >> > >> > >> > > >> > >> > >> > > >> > >> > >> -- > > >> > >> > >> Jeff Holoman > > >> > >> > >> Systems Engineer > > >> > >> > > > >> > >> > > > >> > >> > > >> > >> > > >> > >> -- > > >> > >> -- Guozhang > > >> > >> > > >> > > > > >> > > > > >> > > > > >> > > -- > > >> > > Jeff Holoman > > >> > > Systems Engineer > > >> > > > > >> > > > > >> > > > > >> > > > > >> > > > >> > > > >> > -- > > >> > Jeff Holoman > > >> > Systems Engineer > > >> > > > >> > > > > > > > > > > > > -- > > > Jeff Holoman > > > Systems Engineer > > > > > > > > > > > > > > > > > > -- > > Jeff Holoman > > Systems Engineer > > > -- Jeff Holoman Systems Engineer
