Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2021-03-01 Thread Viktor Somogyi-Vass
Hey Everyone, Tried out a new format to get some attention and also to make understanding easier, so I recorded a 15 min long video about this KIP. https://www.youtube.com/watch?v=uOJTyAEJmB8&feature=youtu.be Sorry for the sound quality but recording a video isn't a thing for me and also I look l

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2021-02-02 Thread Viktor Somogyi-Vass
Hi all, I have updated the interfaces. I managed to shrink the required number of entities. Basically I store the event type with the event, therefore we can cover all topic related events (create, delete, change) with one event type. I think if on-one has objections then I'll start a vote soon.

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-10-29 Thread Viktor Somogyi-Vass
Hi Tom. Sorry for the delay. Answering your points: > Why is it necessary to introduce this interface to produce the audit trail > when there is logging that can already record a lot of the same > information, albeit in less structured form? If logging isn't adequate it > would be good to explain

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-10-01 Thread Tom Bentley
Hi Viktor, Like Mickael, I can see that there's value in having an audit trail. For me the KIP raises a number of questions in its current form: Why is it necessary to introduce this interface to produce the audit trail when there is logging that can already record a lot of the same information,

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-10-01 Thread Dániel Urbán
Hi Viktor, I think the current state of the proposal is flexible enough to support use-cases where the response data is of interest to the auditor. This part ensures that: "... doing the auditing before sending the response back ...". Additionally, event classes could be extended with additional d

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-30 Thread Viktor Somogyi-Vass
Hi Daniel, I think in this sense we can use the precedence set with the KAfkaAdminClient. It has *Result and *Options classes which in this interpretation are similar in versioning and usage as they transform and convey the responses of the protocol in a minimalistic API. I've modified the KIP a b

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-22 Thread Dániel Urbán
An example I had in mind was the ProduceResponse - the auditor might need access to the new end offset of the partitions. The event-based approach sounds good - new events and fields can be added on-demand. Do we need the same versioning strategy we use with the requests/responses? Daniel Viktor

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-21 Thread Viktor Somogyi-Vass
Hi Daniel, > If the auditor needs access to the details of the action, one could argue that even the response should be passed down to the auditor. At this point I don't think we need to include responses into the interface but if you have a use-case we can consider doing that. > Is it feasible t

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-17 Thread Dániel Urbán
Hi, Thanks for the KIP. If the auditor needs access to the details of the action, one could argue that even the response should be passed down to the auditor. Is it feasible to convert the Java requests and responses to public API? If not, do we have another option to access this info in the audi

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-16 Thread Viktor Somogyi-Vass
One more after-thought on your second point (AbstractRequest): the reason I introduced it in the first place was that this way implementers can access request data. A use case can be if they want to audit a change in configuration or client quotas but not just acknowledge the fact that such an even

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-16 Thread Viktor Somogyi-Vass
Hi Mickael, Thanks for reviewing the KIP. 1.) I just wanted to follow the conventions used with the Authorizer as it is built in a similar fashion, although it's true that in KafkaServer we call the configure() method and the start() in the next line. This would be the same in Auditor and even si

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-14 Thread Mickael Maison
Hi Viktor, Thanks for restarting the discussion on this KIP. Being able to easily audit usage of a Kafka cluster is a very valuable feature. Regarding the API, I have a few of questions: 1) You introduced a start() method. I don't think any other interfaces have such a method. Users can do any se

Re: [DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-14 Thread Viktor Somogyi-Vass
Hi everyone, Changed the interface a little bit to accommodate methods better where authorization happens for multiple operations so the implementer of the audit interface will receive all authorizations together. I'll wait a few more days to allow people to react or give feedback but if there are

[DISCUSS] KIP-567: Kafka Cluster Audit (new discussion)

2020-09-08 Thread Viktor Somogyi-Vass
Hi Everyone, I'd like to restart the discussion on this. Since the KIP has been revamped I thought I'd start a new discussion thread. Link: https://cwiki.apache.org/confluence/display/KAFKA/KIP-567%3A+Kafka+Cluster+Audit Short summary: - Would like to introduce a new interface similar to the Aut

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-09-07 Thread Viktor Somogyi-Vass
Hi Nikolay, I actually have a somewhat different approach that is somewhat similar to the Authorizer interface. I have updated the KIP to reflect that. I'm happy to collaborate during the implementation. I have a code change not yet published but I can publish it and we can see what's the best way

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-09-07 Thread Nikolay Izhikov
Hello, Viktor. Do you want to implement the exact approach as it described in the current KIP? Or you have another proposal on how it has to be implemented? I abandoned this KIP due to lack of interest from community. Guess we can collaborate during implementation. > 7 сент. 2020 г., в 13:13, Vi

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-09-07 Thread Viktor Somogyi-Vass
Hi folks, It's been a few days since I last pinged and nobody replied so I assume that this KIP is abandoned and I can take this over (but please let me know if it's not). I will keep the current version of the KIP and move it to a sub-page if it's ever needed. Thanks, Viktor On Fri, Aug 28, 202

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-08-28 Thread Viktor Somogyi-Vass
Hi folks, I have a use-case and a non-trivial implementation with Apache Atlas for this KIP and since this kip seems to be dormant for a while now, I'd take it over and drive it to completion if you don't mind. The current state of the PoC can be found on my fork at https://github.com/viktorsomogy

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-29 Thread Игорь Мартемьянов
Hello, Nikolai. > Can you, please, make it more specific? > Why does a business want to have this information? It is very demanded for security department to know who/when/where create or edit ACL settings. The same situation about topics. > What are the use-cases for it? This KIP are able

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-28 Thread Владимир Беруненко
Hi Nikolai! >Can you, please, make it more specific? Why does a business want to have this information? >What are the use-cases for it? >Who will be analyzing these events and how? >Why it’s not convenient to implement it with third-party tools? This is required by the guys from information secur

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-25 Thread Николай Ижиков
Hello, Igor. Thanks for the KIP. I have a couple of comments for it: > Motivation > It is highly demanded in most businesses to have the ability of obtaining > audit information in case someone changes cluster configuration (like > creation/deletion/modify/description of any topic or ACLs). C

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-24 Thread Alexander Dunayevsky
Hello Igor, Thanks for your KIP 🙌🏽 It would be great to adopt this functionality and getting the best of tracking cluster activity. +1 vote from me Cheers, Alex Dunayevsky On Fri, 24 Jan 2020, 15:35 Игорь Мартемьянов, wrote: > Motivation: > > > *It is highly demanded in most businesses to ha

Re: [DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-24 Thread Игорь Мартемьянов
Motivation: *It is highly demanded in most businesses to have the ability of obtaining audit information in case someone changes cluster configuration (like creation/deletion/modify/description of any topic or ACLs).We may add this ability. Since audit requirements are so broad, it's impractical

[DISCUSS] KIP-567: Kafka Cluster Audit

2020-01-24 Thread Игорь Мартемьянов
Hello there. Please review this KIP. Thanks.