Hi Manikumar,

you are right, 5713 is a bit ambiguous about which fields are considered in scope, but I agree that wildcards for IPs are not necessary when we have ranges.

I am wondering though, if we might want to extend the scope of this KIP a bit while we are changing acl and authorizer classes anyway. After considering this a bit on a flight with no wifi yesterday I came up with the following:

* wildcards or regular expressions for principals, groups and topics
* extend the KafkaPrincipal object to allow adding custom key-value pairs in principalbuilder implementations
* extend SimpleAclAuthorizer and the ACL tools to authorize on these key/value pairs

The second and third bullet points would allow easy creation of for example a principalbuilder that adds groups the user belongs to in the active directory to its principal, without requiring the user to also extend the authorizer and create custom ACL storage. This would significantly lower the technical debt incurred by custom authorizer mechanisms I think.

There are a few issues to hash out of course, but I'd think in general this should work nicely and be a step towards meeting corporate authorization requirements.

Best regards,
Sönke

On 01.02.2018 18:46, "Manikumar" <manikumar.re...@gmail.com> wrote:

Hi,

There are few deployments using IPv6. It is good to support IPv6 also.

I think KAFKA-5713 is about adding regular expression support to resource names (topic, consumer etc.). Yes, wildcards (*) in hostname don't make sense. Range and subnet support will give us the flexibility.

On Thu, Feb 1, 2018 at 5:56 PM, Sönke Liebau <soenke.lie...@opencore.com.invalid> wrote:

> Hi Manikumar,
>
> the current proposal indeed leaves out IPv6 addresses, as I was unsure
> whether Kafka fully supports that yet to be honest. But it would be
> fairly easy to add these to the proposal - I'll update it over the
> weekend.
>
> Regarding KAFKA-5713, I simply listed it as related, since it is
> similar in spirit, if not exact wording. Parts of that issue
> (wildcards in hosts) would be covered by this kip - just in a slightly
> different way. Do we really need wildcard support in IP addresses if
> we can specify ranges and subnets? I considered it, but only came up
> with scenarios that seemed fairly academic to me, like allowing the
> same host from multiple subnets (10.0.*.1) for example.
>
> Allowing wildcards has the potential to make the code more complex,
> depending on how we decide to implement this feature, hence I decided
> to leave wildcards out for now.
>
> What do you think?
>
> Best regards,
> Sönke
>
> On Thu, Feb 1, 2018 at 10:14 AM, Manikumar <manikumar.re...@gmail.com> wrote:
> > Hi,
> >
> > 1. Do we support IPv6 CIDR/ranges?
> >
> > 2. KAFKA-5713 is mentioned in Related JIRAs section. But there is no
> > mention of wildcard support in the KIP.
> >
> >
> > Thanks,
> >
> > On Thu, Feb 1, 2018 at 4:05 AM, Sönke Liebau <soenke.lie...@opencore.com.invalid> wrote:
> >
> >> Hey everybody,
> >>
> >> following a brief initial discussion a couple of days ago on this list
> >> I'd like to get a discussion going on KIP-252 which would allow
> >> specifying ip ranges and subnets for the --allow-host and --deny-host
> >> parameters of the acl tool.
> >>
> >> The KIP can be found at
> >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-252+-+Extend+ACLs+to+allow+filtering+based+on+ip+ranges+and+subnets
> >>
> >> Best regards,
> >> Sönke
> >>
> >
>
> --
> Sönke Liebau
> Partner
> Tel. +49 179 7940878
> OpenCore GmbH & Co. KG - Thomas-Mann-Straße 8 - 22880 Wedel - Germany
>
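
Added example (not code from the KIP, the thread, or Kafka itself): a Python sketch of matching a client address against host entries given as a single IP, a CIDR subnet or a range, for both IPv4 and IPv6. The `start-end` range syntax, the function names and the deny-before-allow evaluation order are assumptions of this sketch, and the sample entries are constructed.

```python
import ipaddress

def parse_host_spec(spec):
    """Parse one host entry into an inclusive (first, last) address pair.

    Accepts a single IP, a CIDR subnet, or a 'start-end' range (assumed syntax).
    """
    spec = spec.strip()
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"invalid range: {spec!r}")
        return lo, hi
    # strict=True rejects entries with host bits set, e.g. 10.0.1.7/24,
    # and anything that is not an address, e.g. the wildcard form 10.0.*.1.
    net = ipaddress.ip_network(spec, strict=True)
    return net[0], net[-1]

def normalize(client_ip):
    """Map IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so that IPv4
    entries still apply to clients seen through a dual-stack socket."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def matches(spec, client_ip):
    lo, hi = parse_host_spec(spec)
    ip = normalize(client_ip)
    # Addresses of different families never match and cannot be compared.
    return ip.version == lo.version and lo <= ip <= hi

def host_allowed(client_ip, allow_specs, deny_specs):
    """Deny entries are checked first; no matching allow entry means refusal."""
    if any(matches(s, client_ip) for s in deny_specs):
        return False
    return any(matches(s, client_ip) for s in allow_specs)

# Constructed sample entries (documentation and private address space).
ALLOW = ["10.0.0.0/16", "192.168.1.10-192.168.1.20", "2001:db8::/32"]
DENY = ["10.0.5.0/24"]

if __name__ == "__main__":
    for ip in ["10.0.1.1", "10.0.5.9", "::ffff:10.0.5.9", "192.168.1.21", "2001:db8::1"]:
        print(ip, host_allowed(ip, ALLOW, DENY))
```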