[ 
https://issues.apache.org/jira/browse/KAFKA-4454?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15730371#comment-15730371
 ] 

Mayuresh Gharat commented on KAFKA-4454:
----------------------------------------

[~junrao], thanks a lot for the review.
The thought of adding an equality check for channelPrincipal (if it exists) did 
cross my mind, but I left it out purposely. The reason was, I thought that 
Kafka internally mainly cares about the principal name and principal type, and 
the principal name actually comes from the channelPrincipal. But now that I 
think more about it, the channelPrincipal might be different custom types like 
servicePrincipal or userPrincipal and so on, with the same name, and so it does 
make sense to add a proper equality check there.

I agree that there might be a better way of doing this. I will write up a KIP 
for this and submit it for review soon.

> Authorizer should also include the Principal generated by the 
> PrincipalBuilder.
> -------------------------------------------------------------------------------
>
>                 Key: KAFKA-4454
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4454
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 0.10.0.1
>            Reporter: Mayuresh Gharat
>            Assignee: Mayuresh Gharat
>             Fix For: 0.10.2.0
>
>
> Currently Kafka allows users to plug in a custom PrincipalBuilder and a custom 
> Authorizer.
> The Authorizer.authorize() object takes in a Session object that wraps 
> KafkaPrincipal and InetAddress.
> The KafkaPrincipal currently has a PrincipalType and Principal name, which is 
> the name of Principal generated by the PrincipalBuilder.
> This Principal, generated by the plugged-in PrincipalBuilder, might have other 
> fields that might be required by the plugged-in Authorizer, but currently we 
> lose this information since we only extract the name of Principal while 
> creating KafkaPrincipal in SocketServer.
> It would be great if KafkaPrincipal has an additional field 
> "channelPrincipal" which is used to store the Principal generated by the 
> plugged-in PrincipalBuilder.
> The plugged-in Authorizer can then use this "channelPrincipal" to do 
> authorization.
>  



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
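
A sketch of the equality check discussed in the comment above, added here as an illustration; it is not Kafka's code or the patch under review. `SketchPrincipal`, `ServicePrincipal` and `UserPrincipal` are hypothetical names, the `channelPrincipal` field follows the issue's proposal, and the allow-list is constructed sample data.

```java
import java.security.Principal;
import java.util.Objects;
import java.util.Set;

public class ChannelPrincipalEquality {
    // Hypothetical custom types a plugged-in PrincipalBuilder could return (Java 16+ records).
    record ServicePrincipal(String name) implements Principal {
        public String getName() { return name; }
    }
    record UserPrincipal(String name) implements Principal {
        public String getName() { return name; }
    }

    // Simplified stand-in for KafkaPrincipal with the proposed extra field.
    static final class SketchPrincipal {
        final String principalType;
        final String name;
        final Principal channelPrincipal; // null when no builder-generated principal exists

        SketchPrincipal(String principalType, String name, Principal channelPrincipal) {
            this.principalType = Objects.requireNonNull(principalType);
            this.name = Objects.requireNonNull(name);
            this.channelPrincipal = channelPrincipal;
        }

        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (!(o instanceof SketchPrincipal)) return false;
            SketchPrincipal other = (SketchPrincipal) o;
            return principalType.equals(other.principalType)
                && name.equals(other.name)
                // Null-safe; delegates to the custom type's own equals().
                && Objects.equals(channelPrincipal, other.channelPrincipal);
        }

        @Override public int hashCode() { // must cover the same fields as equals()
            return Objects.hash(principalType, name, channelPrincipal);
        }
    }

    public static void main(String[] args) {
        SketchPrincipal svc = new SketchPrincipal("User", "alice", new ServicePrincipal("alice"));
        SketchPrincipal usr = new SketchPrincipal("User", "alice", new UserPrincipal("alice"));
        Set<SketchPrincipal> allowed = Set.of(svc); // constructed allow-list keyed on the principal
        // Same type and name, different channelPrincipal class: compared as distinct identities.
        System.out.println("svc equals usr: " + svc.equals(usr));
        System.out.println("usr matches svc's entry: " + allowed.contains(usr));
    }
}
```

If `equals()` compared only `principalType` and `name`, both lookups would treat the user principal as the service principal, which is the case the comment identifies.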
