Hi,

Substitution mechanism can be useful to configure regular password configs like ssl.keystore.password, ssl.truststore.password, etc. This can be a good alternative to the previously proposed KIP-76 and will give more options to the user.
https://cwiki.apache.org/confluence/display/KAFKA/KIP-76+Enable+getting+password+from+executable+rather+than+passing+as+plaintext+in+config+files

Thanks,

On Fri, Apr 6, 2018 at 4:29 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Hi Ron,
>
> For the password example, you could define a login CallbackHandler that
> processes PasswordCallback to provide passwords. We don't currently do this
> with PLAIN/SCRAM because login callback handlers were not configurable
> earlier and we haven't updated the login modules to do this. But that could
> be one way of providing passwords and integrating with other password
> sources, now that we have configurable login callback handlers. I was
> wondering whether a similar approach could be used for the parameters that
> OAuth needed to obtain at runtime. We could still have this KIP with
> built-in substitutable types to handle common cases like getting options
> from a file without writing any code. But I wasn't sure if there were OAuth
> options that couldn't be handled as callbacks using the login callback
> handler.
>
> On Thu, Apr 5, 2018 at 10:25 PM, Ron Dagostino <rndg...@gmail.com> wrote:
>
> > Hi Rajini. Thanks for the questions. I could see someone wanting to
> > retrieve a password from a vended password vault solution (for example);
> > that is the kind of scenario that the ability to add new substitutable
> > types would be meant for. I do still consider this KIP 269 to be a
> > prerequisite for the SASL/OAUTHBEARER KIP 255. I am open to a different
> > perspective in case I missed or misunderstood your point.
> >
> > Ron
> >
> > On Thu, Apr 5, 2018 at 8:13 AM, Rajini Sivaram <rajinisiva...@gmail.com>
> > wrote:
> >
> > > Hi Ron,
> > >
> > > Now that login callback handlers are configurable, is this KIP still a
> > > pre-req for OAuth? I was wondering whether we still need the ability to
> > > add new substitutable types or whether it would be sufficient to add the
> > > built-in ones to read from file etc.
> > >
> > > On Thu, Mar 29, 2018 at 6:48 AM, Ron Dagostino <rndg...@gmail.com>
> > > wrote:
> > >
> > > > Hi everyone. There have been no comments on this KIP, so I intend to
> > > > put it to a vote next week if there are no comments that might entail
> > > > changes between now and then. Please take a look in the meantime if
> > > > you wish.
> > > >
> > > > Ron
> > > >
> > > > On Thu, Mar 15, 2018 at 2:36 PM, Ron Dagostino <rndg...@gmail.com>
> > > > wrote:
> > > >
> > > > > Hi everyone.
> > > > >
> > > > > I created KIP-269: Substitution Within Configuration Values
> > > > > <https://cwiki.apache.org/confluence/display/KAFKA/KIP+269+Substitution+Within+Configuration+Values>.
> > > > >
> > > > > This KIP proposes adding support for substitution within client JAAS
> > > > > configuration values for PLAIN and SCRAM-related SASL mechanisms in a
> > > > > backwards-compatible manner and making the functionality available to
> > > > > other existing (or future) configuration contexts where it is deemed
> > > > > appropriate.
> > > > >
> > > > > This KIP was extracted from (and is now a prerequisite for) KIP-255:
> > > > > OAuth Authentication via SASL/OAUTHBEARER
> > > > > <https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=75968876>
> > > > > based on discussion of that KIP.
> > > > >
> > > > > Ron