Hey Everyone,
Tried out a new format to get some attention and also to make understanding
easier, so I recorded a 15 min long video about this KIP.
https://www.youtube.com/watch?v=uOJTyAEJmB8&feature=youtu.be
Sorry for the sound quality but recording a video isn't a thing for me and
also I look l
Hi all,
I have updated the interfaces. I managed to shrink the required number of
entities. Basically I store the event type with the event, therefore we can
cover all topic related events (create, delete, change) with one event type.
I think if no one has objections then I'll start a vote soon.
Hi Tom.
Sorry for the delay.
Answering your points:
> Why is it necessary to introduce this interface to produce the audit trail
> when there is logging that can already record a lot of the same
> information, albeit in less structured form? If logging isn't adequate it
> would be good to explain
Hi Viktor,
Like Mickael, I can see that there's value in having an audit trail. For me
the KIP raises a number of questions in its current form:
Why is it necessary to introduce this interface to produce the audit trail
when there is logging that can already record a lot of the same
information,
Hi Viktor,
I think the current state of the proposal is flexible enough to support
use-cases where the response data is of interest to the auditor.
This part ensures that: "... doing the auditing before sending the response
back ...". Additionally, event classes could be extended with additional
d
Hi Daniel,
I think in this sense we can use the precedence set with the
KafkaAdminClient. It has *Result and *Options classes which in this
interpretation are similar in versioning and usage as they transform and
convey the responses of the protocol in a minimalistic API.
I've modified the KIP a b
An example I had in mind was the ProduceResponse - the auditor might need
access to the new end offset of the partitions.
The event-based approach sounds good - new events and fields can be added
on-demand. Do we need the same versioning strategy we use with the
requests/responses?
Daniel
Viktor
Hi Daniel,
> If the auditor needs access to the details of the action, one could argue
> that even the response should be passed down to the auditor.
At this point I don't think we need to include responses into the interface
but if you have a use-case we can consider doing that.
> Is it feasible t
Hi,
Thanks for the KIP.
If the auditor needs access to the details of the action, one could argue
that even the response should be passed down to the auditor.
Is it feasible to convert the Java requests and responses to public API?
If not, do we have another option to access this info in the audi
One more after-thought on your second point (AbstractRequest): the reason I
introduced it in the first place was that this way implementers can access
request data. A use case can be if they want to audit a change in
configuration or client quotas but not just acknowledge the fact that such
an even
Hi Mickael,
Thanks for reviewing the KIP.
1.) I just wanted to follow the conventions used with the Authorizer as it
is built in a similar fashion, although it's true that in KafkaServer we
call the configure() method and the start() in the next line. This would be
the same in Auditor and even si
Hi Viktor,
Thanks for restarting the discussion on this KIP. Being able to easily
audit usage of a Kafka cluster is a very valuable feature.
Regarding the API, I have a few questions:
1) You introduced a start() method. I don't think any other interfaces
have such a method. Users can do any se
Hi everyone,
Changed the interface a little bit to accommodate methods better where
authorization happens for multiple operations so the implementer of the
audit interface will receive all authorizations together.
I'll wait a few more days to allow people to react or give feedback but if
there are
Hi Everyone,
I'd like to restart the discussion on this. Since the KIP has been revamped
I thought I'd start a new discussion thread.
Link:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-567%3A+Kafka+Cluster+Audit
Short summary:
- Would like to introduce a new interface similar to the Aut
Hi Nikolay,
I actually have a somewhat different approach that is somewhat similar to
the Authorizer interface.
I have updated the KIP to reflect that.
I'm happy to collaborate during the implementation. I have a code change
not yet published but I can publish it and we can see what's the best way
Hello, Viktor.
Do you want to implement the exact approach as it is described in the current KIP?
Or do you have another proposal on how it has to be implemented?
I abandoned this KIP due to lack of interest from the community.
Guess we can collaborate during implementation.
> On 7 Sep 2020, at 13:13, Vi
Hi folks,
It's been a few days since I last pinged and nobody replied so I assume
that this KIP is abandoned and I can take this over (but please let me know
if it's not). I will keep the current version of the KIP and move it to a
sub-page if it's ever needed.
Thanks,
Viktor
On Fri, Aug 28, 202
Hi folks,
I have a use-case and a non-trivial implementation with Apache Atlas for
this KIP and since this kip seems to be dormant for a while now, I'd take
it over and drive it to completion if you don't mind.
The current state of the PoC can be found on my fork at
https://github.com/viktorsomogy
Hello, Nikolai.
> Can you, please, make it more specific?
> Why does a business want to have this information?
It is in high demand from the security department to know who/when/where creates
or edits ACL settings. The same situation applies to topics.
> What are the use-cases for it?
This KIP is able
Hi Nikolai!
> Can you, please, make it more specific?
> Why does a business want to have this information?
> What are the use-cases for it?
> Who will be analyzing these events and how?
> Why it’s not convenient to implement it with third-party tools?
This is required by the guys from information secur
Hello, Igor.
Thanks for the KIP.
I have a couple of comments for it:
> Motivation
> It is highly demanded in most businesses to have the ability of obtaining
> audit information in case someone changes cluster configuration (like
> creation/deletion/modify/description of any topic or ACLs).
C
Hello Igor,
Thanks for your KIP 🙌🏽
It would be great to adopt this functionality and get the best of
tracking cluster activity.
+1 vote from me
Cheers,
Alex Dunayevsky
On Fri, 24 Jan 2020, 15:35 Игорь Мартемьянов, wrote:
> Motivation:
>
>
> *It is highly demanded in most businesses to ha
Motivation:
*It is highly demanded in most businesses to have the ability of obtaining
audit information in case someone changes cluster configuration (like
creation/deletion/modify/description of any topic or ACLs). We may add this
ability. Since audit requirements are so broad, it's impractical
Hello there.
Please review this KIP.
Thanks.