Re: Adding multi-tenancy capabilities to Kafka

2015-05-05 Thread Gari Singh
I agree. If we can really do pluggable authorization (and even pluggable authentication), it would not actually be hard to effectively implement a multi-tenant solution. I am hoping to attempt to implement something like this once there is code / patches for KIP-11 and KIP-12. So I wonder if we

Re: [KIP-DISCUSSION] KIP-13 Quotas

2015-04-24 Thread Gari Singh
If we can't disable it, then can we use the tried and true method of using "-1" to indicate that no throttling should take place?

On Tue, Apr 21, 2015 at 4:38 PM, Joel Koshy wrote:
> In either approach I'm not sure we considered being able to turn it
> off completely. IOW, no it is not a "plugin

Re: Review Request 27204: Patch for KAFKA-1683

2015-04-24 Thread Gari Singh
types of authentication which may each want to populate the Subject with one or more Principals and perhaps even credentials (this could be used in the future to hold encryption keys or perhaps the raw info prior to authentication).

- Gari Singh

On Oct. 26, 2014, 5:37 a.m., Gwen Shapira wrote

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
be ok.

On Fri, Apr 24, 2015 at 2:18 PM, Parth Brahmbhatt < pbrahmbh...@hortonworks.com> wrote:
> Thanks for your comments Gari. My responses are inline.
>
> Thanks
> Parth
>
> On 4/24/15, 10:36 AM, "Gari Singh" wrote:
>
> >Sorry - fat fingered send

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
"session" object? If we use the model in one above, we could just populate the Subject with a KafkaClientAddressPrincipal and then have access to that when evaluated the ACLs. 4) What about actually caching authorization decisions? I know ACLs will be cached, but the actual authorize

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
Not sure if my "newbie" vote will count, but I think you are getting pretty close here. Couple of things: 1) I know the Session object is from a different JIRA, but I think that Session should take a Subject rather than just a single Principal. The reason for this is because a Subject can have m

Re: [DISCUSS] KIP-12 - Kafka Sasl/Kerberos implementation

2015-04-24 Thread Gari Singh
am working on SASL authentication as an option over TCP or
> TLS. I’ll update the KIP soon once I’ve got interfaces in place. Sorry
> about the confusion on this as I am testing out multiple options and trying
> to decide right one.
>
> Thanks,
> Harsha
>
>
> On April

Re: [DISCUSS] KIP-12 - Kafka Sasl/Kerberos implementation

2015-04-24 Thread Gari Singh
Sorry for jumping in late, but I have been trying to follow this chain as well as the updates to the KIP. I don't mean to seem critical and I may be misunderstanding the proposed implementation, but there seems to be some confusion around terminology (at least from my perspective) and I am not sur

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-16 Thread Gari Singh
Hi Gwen - I tend to agree with your proposal. As you mention the exact details / interfaces would need to be worked out, but this would be more in line with how JAAS and JACC work in the Java / JEE worlds. I do think that it might be nice to include / provide some "helper" APIs / methods for cac