Re: Review Request 33620: Patch for KAFKA-1690

2015-06-30 Thread Michael Herstine
see sockets, transport layers, channels, and now transport layers... it might be good to include some javadoc on what, exactly, this interface models & how that abstraction relates to other abstrations with similar-sounding (to me, at least) names. - Michael Herstine On June 23, 2015, 8

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-26 Thread Michael Herstine
- Michael --- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/33620/#review83993 --- On May 21, 2015, 5:37 p.m., Sriharsha Chintalapani wrot

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-22 Thread Michael Herstine
> On May 22, 2015, 12:14 a.m., Michael Herstine wrote: > > clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java, > > line 44 > > <https://reviews.apache.org/r/33620/diff/8/?file=966813#file966813line44> > > > > I'm tr

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-22 Thread Michael Herstine
> On May 15, 2015, 10:54 p.m., Joel Koshy wrote: > > clients/src/main/java/org/apache/kafka/common/network/SSLTransportLayer.java, > > line 153 > > > > > > I think Michael meant the following which I think is valid ri

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-21 Thread Michael Herstine
er's certifcate: how could I obtain that? I don't see (immediately) a way to navigate from either the `TransportLayer` or the `Authenticator` to the current `SSLSession`... Wow... this has turned into a major piece of code, hasn't it? Thanks for your attention to my comments. I trie

Re: Review Request 33620: Patch for KAFKA-1690

2015-05-15 Thread Michael Herstine
ree w/Jun. I'm just starting to figure out the code structure, but "peer principal" and "handshake" look, at first blush, like SSL- & SASL-specific ideas. clients/src/main/java/org/apache/kafka/common/security/auth/PrincipalBuilder.java <https://reviews.apache.org/r/

Re: KIP Hangout notes

2015-05-13 Thread Michael Herstine
Regarding the SSL code‹ is there an RB available? I don¹t see a recent patch uploaded to https://issues.apache.org/jira/browse/KAFKA-1684Š How can other folks see the code? On 5/12/15, 12:07 PM, "Gwen Shapira" wrote: >My notes from the hangout: > >* KIP-11: Based on feedback from Joel - group pr

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
e the current ACL json is versioned so it is easy to make >changes to it however it won’t be possible to support custom ACL formats >with the current design. > >Thanks >Parth > >On 4/15/15, 4:29 PM, "Michael Herstine" >wrote: > >>Hi Parth, >> >>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
ble config(acl.parser) and >interface(AclParser) or it could just be another method in Authorizer. >One thing to note the current ACL json is versioned so it is easy to make >changes to it however it won’t be possible to support custom ACL formats >with the current design. > >Th

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Michael Herstine
tied to Acl structure that we have provided in out of box >implementation. > >Thanks >Parth > >On 4/15/15, 10:31 AM, "Michael Herstine" >mailto:mherst...@linkedin.com.INVALID>> >wrote: > >Hi Parth, > >One question that occurred to me at th

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Michael Herstine
would be more appropriate. Host lookup will >unnecessary slow things down and would be insecure as you pointed out. > >With IP, it will be also able to setup policies (in future if needed) with >ranges or netmasks and it would be more scalable. > >Bosco > > >On 4/14/15, 1:40 PM,

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-14 Thread Michael Herstine
>Thanks >Parth > >On 3/18/15, 2:20 PM, "Michael Herstine" >wrote: > >>Hi Parth, >> >>Thanks! A few questions: >> >>1. Do you want to permit rules in your ACLs that DENY access as well as >>ALLOW? This can be handy setting up r

Re: KIP discussion Apr 15 at 9:30 am PST

2015-04-13 Thread Michael Herstine
Hi Jun, Michael from Security Infrastructure at LinkedIn‹ I¹d be interested in joining. Could you send me the invite? On 4/10/15, 3:01 PM, "Jun Rao" wrote: >We plan to have a KIP discussion on Google hangout on Apr. 15 at 9:30am >PST. This is moved to a different time on Wed due to conflicts wi

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-18 Thread Michael Herstine
Hi Parth, Thanks! A few questions: 1. Do you want to permit rules in your ACLs that DENY access as well as ALLOW? This can be handy setting up rules that have exceptions. E.g. “Allow principal P to READ resource R from all hosts” with “Deny principal P READ access to resource R from host H1” in c

Re: Review Request 31958: Patch for KAFKA-1684

2015-03-16 Thread Michael Herstine
the buffer? We flipped it after the last read, but I can't rememeber if SSLEngine.unwrap will update them if there's an incomplete packet (i.e. in the BUFFER_UNDERFLOW case). Just a few questions on some corner cases... handling all the possibilities when handshaking over NIO is really tough

[jira] [Commented] (KAFKA-1684) Implement TLS/SSL authentication

2014-11-14 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14212515#comment-14212515 ] Michael Herstine commented on KAFKA-1684: - Coming in a little late, but to

[jira] [Commented] (KAFKA-1684) Implement TLS/SSL authentication

2014-11-05 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1684?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14199087#comment-14199087 ] Michael Herstine commented on KAFKA-1684: - Hi Ivan, Thanks-- adding SSL sup

[jira] [Commented] (KAFKA-1688) Add authorization interface and naive implementation

2014-10-24 Thread Michael Herstine (JIRA)
[ https://issues.apache.org/jira/browse/KAFKA-1688?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14183061#comment-14183061 ] Michael Herstine commented on KAFKA-1688: - Apologies-- yes, I should have

Re: Security JIRAS

2014-10-16 Thread Michael Herstine
Thanks, Jay. I¹m new to the project, and I¹m wondering how things proceed from hereŠ are folks working on these tasks, or do they get assigned, orŠ? On 10/7/14, 5:15 PM, "Jay Kreps" wrote: >Hey guys, > >As promised, I added a tree of JIRAs for the stuff in the security wiki ( >https://cwiki.apa

Re: Two open issues on Kafka security

2014-10-02 Thread Michael Herstine
protocol would have to be clearly documented for >> client implementors. What is that protocol? >> >> -Jay >> >> On Wed, Oct 1, 2014 at 2:36 PM, Michael Herstine >> wrote: >>> Regarding question #1, I’m not sure I follow you, Joe: you’re >>>propo

Re: Two open issues on Kafka security

2014-10-01 Thread Michael Herstine
Regarding question #1, I’m not sure I follow you, Joe: you’re proposing (I think) that the API take a byte[], but what will be in that array? A serialized certificate if the client authenticated via SSL and the principal name (perhaps normalized) if the client authenticated via Kerberos? Regarding