Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Don Bosco Durai
>> >>>>modify the acls. It will be up to the authorizer to either define a
>>> >>>>command line utility or to allow other means to add
>>>acls(CLI/UI/REST).
>>> >>>>For the default implementation we can provide CLI.
>>> >>>
>>> >

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Parth Brahmbhatt
I looked into the consumer offset storage and it seems like for acl storage we should not need something as complex. Consumer offset has different throughput requirements which is why I think it made sense to move away from zookeeper. Acls on the other hand seldom change and because of the caching

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Parth Brahmbhatt
implementation we can provide CLI.
>> >>>
>> >>>You looked into this deeper than I did - is there a reason
>> >>>TopicCommand can't invoke addACL and getACL?
>> >>>
>> >>>> * We probably want to add List getAcls

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Jun Rao
?
> >>>
> >>>> * We probably want to add List getAcls(Resource resource) so
> >>>>users
> >>>>can list all acls on a topic.
> >>>
> >>>Also getAcls(Principal princ)?
> >>>
> >>>>
> >>>>

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Parth Brahmbhatt
k but I think that is implementation detail.
>>>>
>>>> Gwen, Jun and other interested parties, do you have time to jump on a
>>>>quick hangout so we can go over some of the lower level details?
>>>>
>>>> Thanks
>>>> Parth
>

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Gwen Shapira
>>>
>>> Gwen, Jun and other interested parties, do you have time to jump on a
>>>quick hangout so we can go over some of the lower level details?
>>>
>>> Thanks
>>> Parth
>>> From: Tong Li mailto:liton...@us.ibm.com>>
>>> Rep

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Parth Brahmbhatt
om: Tong Li mailto:liton...@us.ibm.com>>
>> Reply-To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>"
>>mailto:dev@kafka.apache.org>>
>> Date: Friday, April 17, 2015 at 7:34 AM
>> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Gwen Shapira
apache.org>>
> Date: Friday, April 17, 2015 at 7:34 AM
> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>"
> mailto:dev@kafka.apache.org>>
> Subject: Re: [DISCUSSION] KIP-11: ACL Management
>
>
> Gwen,
> There is one product call

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Parth Brahmbhatt
; mailto:dev@kafka.apache.org>> Subject: Re: [DISCUSSION] KIP-11: ACL Management Gwen, There is one product called ElasticSearch which has been quite successful. They recently added security, what they actually did is quite nice. They really separated Authentication and Authorization whic

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Tong Li
501/B205 liton...@us.ibm.com From: Gwen Shapira To: "dev@kafka.apache.org" Date: 04/16/2015 12:44 PM Subject: [DISCUSSION] KIP-11: ACL Management Hi Kafka Authorization Fans, I'm starting a new thread on a specific sub-topic of KIP-11, since this is a bit lo

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-17 Thread Gwen Shapira
On Thu, Apr 16, 2015 at 6:13 PM, Jun Rao wrote:
> Hi, Gwen,
>
> What you suggested seems reasonable. I guess we will need the Privilege> pair and the Resource in grant() and revoke()?

I thought that Privilege is a Resource+Action, which is why grant and revoke can take list of principals and lis

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-16 Thread Jun Rao
Hi, Gwen, What you suggested seems reasonable. I guess we will need the pair and the Resource in grant() and revoke()? Is the Hive authorization api the following? It's weird that it takes user in checkPermissions(), but not in authorize(). http://hive.apache.org/javadocs/r0.11.0/api/org/apache

Re: [DISCUSSION] KIP-11: ACL Management

2015-04-16 Thread Gari Singh
Hi Gwen - I tend to agree with your proposal. As you mention the exact details / interfaces would need to be worked out, but this would be more in line with how JAAS and JACC work in the Java / JEE worlds. I do think that it might be nice to include / provide some "helper" APIs / methods for cac

[DISCUSSION] KIP-11: ACL Management

2015-04-16 Thread Gwen Shapira
Hi Kafka Authorization Fans,

I'm starting a new thread on a specific sub-topic of KIP-11, since this is a bit long :)

Currently KIP-11, as I understand it, proposes:
* Authorizers are pluggable, with Kafka providing DefaultAuthorizer.
* Kafka tools allow adding / managing ACLs.
* Those ACLs are s