Hi all, The updated KIP-43 passes with 3 binding +1s (Harsha, Gwen and Jun) and 3 non-binding +1s. Many thanks to everyone for the feedback.
The initial PR is available at https://github.com/apache/kafka/pull/812. Feedback is appreciated. Thank you, Rajini On Fri, Apr 1, 2016 at 11:09 PM, Grant Henke <ghe...@cloudera.com> wrote: > +1 (non-binding) > > Might as well throw this in. Didn't realize I hadn't voted. > > On Fri, Apr 1, 2016 at 4:58 PM, Ismael Juma <ism...@juma.me.uk> wrote: > > > Since the KIP changed since my last vote, +1 (non-binding). > > > > Rajini, do you want to wrap up the vote? It seems like we have 3 binding > > +1s (Harsha, Gwen and Jun). > > > > Ismael > > > > On Tue, Mar 29, 2016 at 3:22 PM, Jun Rao <j...@confluent.io> wrote: > > > > > Rajini, > > > > > > Thanks for the update. +1 on the proposal. > > > > > > Jun > > > > > > On Tue, Mar 29, 2016 at 3:32 AM, Rajini Sivaram < > > > rajinisiva...@googlemail.com> wrote: > > > > > > > Jun, > > > > > > > > Thank you for reviewing the KIP. Answers below: > > > > > > > > 1. Yes, broker can specify *sasl.mechanism. *It is used for all > > > client-mode > > > > connections including that in inter-broker communication. > > > > > > > > 2. If *sasl.enabled.mechanisms* is not specified, the default value > of > > > > {'GSSAPI'} is used. If it is specified, only the protocols specified > > are > > > > enabled. This enables brokers to be run with SASL without enabling > > GSSAPI > > > > (as we do). Since GSSAPI requires complex Kerberos set up, it is > useful > > > to > > > > have the ability to turn it off. > > > > > > > > 3. For the default SASL/PLAIN implementation included in Kafka, > > username > > > > (authentication ID) is returned as principal. > > > > > > > > I will update the KIP to clarify these points. > > > > > > > > Thanks, > > > > > > > > Rajini > > > > > > > > > > > > On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <j...@confluent.io> wrote: > > > > > > > > > Hi, Rajini, > > > > > > > > > > Sorry for the late response. The revised KIP looks good overall. > > Just a > > > > few > > > > > minor comments below. > > > > > > > > > > 1. Since the broker can also act as a client too (for inter broker > > > > > communication), sasl.mechanism can also be specified in the broker > > > > > configuration, right? > > > > > 2. Since we enable GSSAPI by default, is it true that one only > needs > > to > > > > > specify non-GSSAPI mechanisms in sasl.enabled.mechanisms? > > > > > 3. For SASL/PLAIN, could we describe what the Principal will > > > > > Authenticator.principal() > > > > > return? > > > > > > > > > > I will also take a look at the patch. However, since we are getting > > > > pretty > > > > > close to 0.10.0.0 release, I think we likely will have to leave > this > > > out > > > > of > > > > > 0.10.0.0. > > > > > > > > > > Thanks, > > > > > > > > > > Jun > > > > > > > > > > On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <g...@confluent.io> > > > wrote: > > > > > > > > > > > I'm afraid it will be a challenge. > > > > > > > > > > > > I see few options: > > > > > > 1. Jun should be back in the office tomorrow. If he votes +1 and > > > agrees > > > > > > that the PR is ready to merge and is safe and important enough to > > > > > > double-commit - this could get in yet. > > > > > > 2. Same as above, but not in time for the Monday release > candidate. > > > In > > > > > this > > > > > > case, we can get it into 0.10.0.0 if we find other blockers and > > need > > > to > > > > > > roll-out another RC. > > > > > > 3. (most likely) We will finish the vote and review but not in > time > > > for > > > > > > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3 > month, > > > and > > > > > > we'll get it in there. You'll be in good company with KIP-35, > > KIP-4, > > > > > KIP-48 > > > > > > and few other things that are close to done, are super critical > but > > > are > > > > > > just not ready in time. Thats why we are trying to release more > > > often. > > > > > > > > > > > > Gwen > > > > > > > > > > > > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram < > > > > > > rajinisiva...@googlemail.com> wrote: > > > > > > > > > > > > > Gwen, > > > > > > > > > > > > > > Ah, I clearly don't know the rules. So it looks like it would > not > > > > > really > > > > > > be > > > > > > > possible to get this into 0.10.0.0 after all. > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira < > g...@confluent.io > > > > > > > > wrote: > > > > > > > > > > > > > > > Rajini, > > > > > > > > > > > > > > > > I think the vote didn't pass yet? > > > > > > > > If I can see correctly, Harsha and I are the only committers > > who > > > > > voted, > > > > > > > so > > > > > > > > we are missing a 3rd vote. > > > > > > > > > > > > > > > > Gwen > > > > > > > > > > > > > > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram < > > > > > > > > rajinisiva...@googlemail.com> wrote: > > > > > > > > > > > > > > > > > Gwen, > > > > > > > > > > > > > > > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR > > > > review. > > > > > If > > > > > > > any > > > > > > > > > of them has time for reviewing the PR, I will update the PR > > > over > > > > > the > > > > > > > > > weekend. If you can suggest any other reviewers, I can ping > > > them > > > > > too. > > > > > > > > > > > > > > > > > > Many thanks. > > > > > > > > > > > > > > > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira < > > > g...@confluent.io > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > This can be discussed in the review. > > > > > > > > > > If there's good test coverage, is low risk and passes > > review > > > > and > > > > > > gets > > > > > > > > > > merged before Monday morning... > > > > > > > > > > > > > > > > > > > > We won't be doing an extra release candidate just for > this > > > > > though. > > > > > > > > > > > > > > > > > > > > Gwen > > > > > > > > > > > > > > > > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram < > > > > > > > > > > rajinisiva...@googlemail.com> wrote: > > > > > > > > > > > > > > > > > > > > > Gwen, > > > > > > > > > > > > > > > > > > > > > > Is it still possible to include this in 0.10.0.0? > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira < > > > > > > g...@confluent.io> > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > Sorry! Got distracted by the impending release! > > > > > > > > > > > > > > > > > > > > > > > > +1 on the current revision of the KIP. > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha < > > ka...@harsha.io > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > Any update on this. Gwen since the KIP is adjusted > to > > > > > address > > > > > > > the > > > > > > > > > > > > > pluggable classes we should make a move on this. > > > > > > > > > > > > > > > > > > > > > > > > > > Rajini, > > > > > > > > > > > > > Can you restart the voting thread. > > > > > > > > > > > > > > > > > > > > > > > > > > Thanks, > > > > > > > > > > > > > Harsha > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram > > > wrote: > > > > > > > > > > > > > > As discussed in the KIP meeting yesterday, the > > scope > > > of > > > > > > > KIP-43 > > > > > > > > > has > > > > > > > > > > > been > > > > > > > > > > > > > > reduced so that it can be integrated into > 0.10.0.0. > > > The > > > > > > > updated > > > > > > > > > KIP > > > > > > > > > > > is > > > > > > > > > > > > > > here: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements > > > > > > > > > > > > > > . > > > > > > > > > > > > > > > > > > > > > > > > > > > > Can we continue the vote on the updated KIP? > > > > > > > > > > > > > > > > > > > > > > > > > > > > Thank you, > > > > > > > > > > > > > > > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira < > > > > > > > > g...@confluent.io > > > > > > > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Harsha, > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Since you are clearly in favor of the KIP, do > you > > > > mind > > > > > > > > jumping > > > > > > > > > > into > > > > > > > > > > > > > > > the discussion thread and help me understand > the > > > > > decision > > > > > > > > > behind > > > > > > > > > > > the > > > > > > > > > > > > > > > configuration parameters only allowing a single > > > Login > > > > > and > > > > > > > > > > > > > > > CallbackHandler class? This seems too limiting > to > > > me, > > > > > and > > > > > > > > while > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > is trying hard to convince me otherwise, I > remain > > > > > > doubtful. > > > > > > > > > > Perhaps > > > > > > > > > > > > > > > (since we have similar experience with Hadoop), > > you > > > > can > > > > > > > help > > > > > > > > me > > > > > > > > > > see > > > > > > > > > > > > > > > what I am missing. > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > Gwen > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha < > > > > > ka...@harsha.io > > > > > > > > > > > > > > > > wrote: > > > > > > > > > > > > > > > > +1 (binding) > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao > > wrote: > > > > > > > > > > > > > > > >> +1 (non-binding) > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew > Schofield < > > > > > > > > > > > > > > > >> andrew_schofield_j...@outlook.com> wrote: > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > +1 (non-binding) > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > ---------------------------------------- > > > > > > > > > > > > > > > >> > > From: ism...@juma.me.uk > > > > > > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000 > > > > > > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL > > > > > > enhancements > > > > > > > > > > > > > > > >> > > To: dev@kafka.apache.org > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > +1 (non-binding) > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini > > > > Sivaram > > > > > < > > > > > > > > > > > > > > > >> > > rajinisiva...@googlemail.com> wrote: > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > >> I would like to start the voting > process > > > for > > > > > > > *KIP-43: > > > > > > > > > > Kafka > > > > > > > > > > > > > SASL > > > > > > > > > > > > > > > >> > >> enhancements*. This KIP extends the > SASL > > > > > > > > implementation > > > > > > > > > > in > > > > > > > > > > > > > Kafka to > > > > > > > > > > > > > > > >> > support > > > > > > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to > be > > > > > > > integrated > > > > > > > > > with > > > > > > > > > > > > > different > > > > > > > > > > > > > > > >> > >> authentication servers. > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> The KIP is available here for > reference: > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> And here's is a link to the discussion > on > > > the > > > > > > > mailing > > > > > > > > > > list: > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> Thank you... > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> Regards, > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > >> Rajini > > > > > > > > > > > > > > > >> > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > > > > Regards, > > > > > > > > > > > > > > > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > > > Regards, > > > > > > > > > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > > > Regards, > > > > > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > > > > Regards, > > > > > > > > > > > > > > Rajini > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > -- > > > > Regards, > > > > > > > > Rajini > > > > > > > > > > > > > -- > Grant Henke > Software Engineer | Cloudera > gr...@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke > -- Regards, Rajini
