Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Hi Mayuresh, See comments below, please: > On 22 Oct 2015, at 18:17, Mayuresh Gharat wrote: > > This might have been explained before. I had a question : > In the KIP it says : > "One ZooKeeper setting of interest on the server side is > zookeeper.allowSaslFailedClients. If this is false, then

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

This might have been explained before. I had a question : In the KIP it says : "One ZooKeeper setting of interest on the server side is zookeeper.allowSaslFailedClients. If this is false, then clients trying to authenticate with an incorrect configuration will have their connections dropped. Otherw

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Ok, thanks for spotting it. -Flavio > On 22 Oct 2015, at 05:54, Jun Rao wrote: > > It seems that in the secure -> unsecure plan, step 3 needs to be done > before step 2. > > Thanks, > > Jun > > On Wed, Oct 21, 2015 at 3:59 PM, Flavio Junqueira wrote: > >> Ok, thanks for the feedback, Todd.

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

It seems that in the secure -> unsecure plan, step 3 needs to be done before step 2. Thanks, Jun On Wed, Oct 21, 2015 at 3:59 PM, Flavio Junqueira wrote: > Ok, thanks for the feedback, Todd. I have updated the KIP with some of the > points discussed here. There is more to add based on these la

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Ok, thanks for the feedback, Todd. I have updated the KIP with some of the points discussed here. There is more to add based on these last comments, though. -Flavio > On 21 Oct 2015, at 23:43, Todd Palino wrote: > > On Wed, Oct 21, 2015 at 3:38 PM, Flavio Junqueira >

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

On Wed, Oct 21, 2015 at 3:38 PM, Flavio Junqueira wrote: > > > On 21 Oct 2015, at 21:54, Todd Palino wrote: > > > > Thanks for the clarification on that, Jun. Obviously, we haven't been > doing > > much with ZK authentication around here yet. There is still a small > concern > > there, mostly in

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

> On 21 Oct 2015, at 21:54, Todd Palino wrote: > > Thanks for the clarification on that, Jun. Obviously, we haven't been doing > much with ZK authentication around here yet. There is still a small concern > there, mostly in that you should not share credentials any more than is > necessary, whic

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Thanks for the clarification on that, Jun. Obviously, we haven't been doing much with ZK authentication around here yet. There is still a small concern there, mostly in that you should not share credentials any more than is necessary, which would argue for being able to use a different ACL than the

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Parth, For 2), in your approach, the broker/controller will then always have the overhead of resetting the ACL on startup after zookeeper.set.acl is set to true. The benefit of using a separate migration tool is that you paid the cost only once during upgrade. It is an extra step during the upgrad

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

> On 21 Oct 2015, at 18:07, Parth Brahmbhatt > wrote: > > I have 2 suggestions: > > 1) We need to document how does one move from secure to non secure > environment: > 1) change the config on all brokers to zookeeper.set.acl = false and do > a > rolling upgrade. > 2) Run the migr

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Comments inline. In addition, the documentation on the migration path is good, but do we really need a separate utility? Would it be better to have checking and setting the ACLs be a function of the controller, possibly as a separate thread either only at controller startup or periodically, with i

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

I have 2 suggestions: 1) We need to document how does one move from secure to non secure environment: 1) change the config on all brokers to zookeeper.set.acl = false and do a rolling upgrade. 2) Run the migration script with the jass config file so it is sasl authenticated with

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Yeah let's definitely get a complete description of the user-facing impact, especially the changes to the command-line tools. As much as anything the purpose of these KIPs is to fully capture what the user's life will be like in the next release. Also, if I understand correctly we aren't securing

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

> On 21 Oct 2015, at 17:47, Todd Palino wrote: > > There seems to be a bit of detail lacking in the KIP. Specifically, I'd > like to understand: > > 1) What znodes are the brokers going to secure? Is this configurable? How? Currently it is securing all paths here except the consumers one: htt

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

There seems to be a bit of detail lacking in the KIP. Specifically, I'd like to understand: 1) What znodes are the brokers going to secure? Is this configurable? How? 2) What ACL is the broker going to apply? Is this configurable? 3) How will the admin tools (such as preferred replica election and

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

On Wed, Oct 21, 2015 at 5:04 PM, Flavio Junqueira wrote: > Bringing the points Grant brought to this thread: > > > Is it worth mentioning the follow up steps that were discussed in the KIP > > call in this KIP document? Some of them were: > > > > - Adding SSL support for Zookeeper > > - Remov

Re: [DISCUSS] KIP-38: ZooKeeper Authentication

Bringing the points Grant brought to this thread: > Is it worth mentioning the follow up steps that were discussed in the KIP > call in this KIP document? Some of them were: > > - Adding SSL support for Zookeeper > - Removing the "world readable" assumption > Grant, how would you do it? I s

[DISCUSS] KIP-38: ZooKeeper Authentication

I've created the following KIP and I'd appreciate any comment on the proposal: https://cwiki.apache.org/confluence/display/KAFKA/KIP-38%3A+ZooKeeper+Authentication This is in progress and there is code for most