[jira] [Created] (KAFKA-9486) Kafka Security

2020-01-30 Thread Kuttaiah (Jira)
Kuttaiah created KAFKA-9486: --- Summary: Kafka Security Key: KAFKA-9486 URL: https://issues.apache.org/jira/browse/KAFKA-9486 Project: Kafka Issue Type: Bug Components: security

[jira] [Resolved] (KAFKA-8669) Add java security providers in Kafka Security config

2019-10-07 Thread Manikumar (Jira)
://github.com/apache/kafka/pull/7090 > Add java security providers in Kafka Security config > > > Key: KAFKA-8669 > URL: https://issues.apache.org/jira/browse/KAFKA-8669 > Project: Kafka >

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-08-06 Thread Sandeep Mopuri
some good discussion > > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about > the > > KIP > > < > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > >, > > I

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-08-06 Thread Jeff Huang
On 2019/07/29 19:22:02, Sandeep Mopuri wrote: > Hi all, after some good discussion > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the > KIP > <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Se

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-08-01 Thread Sandeep Mopuri
ndeep Mopuri , > > > wrote: > > > > > Hi all, after some good discussion > > > > > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> > > > about the > > > > > KIP > > > > > < > > > > >

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-07-30 Thread Manikumar
; > Harsha > > > On Jul 29, 2019, 12:22 PM -0700, Sandeep Mopuri , > > wrote: > > > > Hi all, after some good discussion > > > > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> > > about the > > > > KIP > > >

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-07-30 Thread Rajini Sivaram
> > > KIP > > > < > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > >, > > > I'm starting the voting. > > > > > > This KIP proposes adding new security configuration to accept custom > > > security providers that can provide algorithms for SSL or SASL. > > > > > > -- > > > Thanks, > > > M.Sai Sandeep >

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-07-29 Thread Satish Duggana
; > <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the > > KIP > > <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>, > > I'm starting the voting. > > > >

Re: [VOTE] KIP-492 Add java security providers in Kafka Security config

2019-07-29 Thread Harsha Chintalapani
display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>, > I'm starting the voting. > > This KIP proposes adding new security configuration to accept custom > security providers that can provide algorithms for SSL or SASL. > > -- > Thanks, > M.Sai Sandeep

[VOTE] KIP-492 Add java security providers in Kafka Security config

2019-07-29 Thread Sandeep Mopuri
Hi all, after some good discussion <https://www.mail-archive.com/dev@kafka.apache.org/msg99419.html> about the KIP <https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config>, I'm starting the voting. This KIP proposes ad

Re: Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-26 Thread Sandeep Mopuri
, I have few comments below. > > > > > > > > > > > > > > > > > > >>“To take advantage of these custom algorithms, we want to > > > > support > > > > > > > ja

Re: Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-26 Thread Rajini Sivaram
afka > > > brokers). > > > > > > The > > > > > > > > security providers can also be used for configuring security > > > > > > algorithms in > > > > > > > > SASL ba

Re: Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-25 Thread Harsha
; > > > > > “security.provider.class”. The value of “security.provider” is > > > > > expected to > > > > > > > be a string representing the provider’s full classname. This > > provider > &

Re: Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-25 Thread Rajini Sivaram
; > > > > > > > > > > > It is good to have this property as a list of providers instead > of a > > > > > > single property. This will allow configuring multiple providers > if it > > > > > > is needed in the future without intr

Re: Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-24 Thread Harsha
s will allow configuring multiple providers if it > > > > > is needed in the future without introducing hacky solutions like > > > > > security.provider.class.name.x, where x is a sequence number. You > > can > > > > > change the property name to

Fwd: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-22 Thread Sandeep Mopuri
t; Typo in existing properties section: > > > > “ssl.provider” instead of “ssl.providers”. > > > > > > > > Thanks, > > > > Satish. > > > > > > > > 1. https://github.com/spiffe/java-spiffe > > > > > > > > > > > > On Mon, Jul 15, 2019 at 11:41 AM Sandeep Mopuri > > wrote: > > > > > > > > > > Hello all, > > > > > > > > > > I'd like to start a discussion thread for KIP-492. > > > > > This KIP plans on introducing a new security config parameter for a > > > > custom > > > > > security providers. Please take a look and let me know what do you > > think. > > > > > > > > > > More information can be found here: > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > > > > > -- > > > > > Thanks, > > > > > Sai Sandeep > > > > > > > > > > > > > -- > > > Thanks, > > > M.Sai Sandeep > > > > > > -- Thanks, M.Sai Sandeep -- Thanks, M.Sai Sandeep

Re: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-17 Thread Rajini Sivaram
> > > > > On Mon, Jul 15, 2019 at 11:41 AM Sandeep Mopuri > wrote: > > > > > > > > Hello all, > > > > > > > > I'd like to start a discussion thread for KIP-492. > > > > This KIP plans on introducing a new security config parameter for a > > > custom > > > > security providers. Please take a look and let me know what do you > think. > > > > > > > > More information can be found here: > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > > > > -- > > > > Thanks, > > > > Sai Sandeep > > > > > > > > > -- > > Thanks, > > M.Sai Sandeep > > >

Re: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-16 Thread Harsha
o start a discussion thread for KIP-492. > > > This KIP plans on introducing a new security config parameter for a > > custom > > > security providers. Please take a look and let me know what do you think. > > > > > > More information can be found here: > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > > > -- > > > Thanks, > > > Sai Sandeep > > > > > -- > Thanks, > M.Sai Sandeep >

Re: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-16 Thread Sandeep Mopuri
or a > custom > > security providers. Please take a look and let me know what do you think. > > > > More information can be found here: > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > > -- > > Thanks, > > Sai Sandeep > -- Thanks, M.Sai Sandeep

Re: [DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-16 Thread Satish Duggana
ucing a new security config parameter for a custom > security providers. Please take a look and let me know what do you think. > > More information can be found here: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config > -- > Thanks, > Sai Sandeep

[DISCUSS] KIP-492 Add java security providers in Kafka Security config

2019-07-15 Thread Sandeep Mopuri
KAFKA/KIP-492%3A+Add+java+security+providers+in+Kafka+Security+config -- Thanks, Sai Sandeep

[jira] [Created] (KAFKA-8669) Add java security providers in Kafka Security config

2019-07-15 Thread Sai Sandeep (JIRA)
Sai Sandeep created KAFKA-8669: -- Summary: Add java security providers in Kafka Security config Key: KAFKA-8669 URL: https://issues.apache.org/jira/browse/KAFKA-8669 Project: Kafka Issue Type

Re: Reg: Kafka Security features

2016-10-12 Thread Harsha Chintalapani
1. Kafka security features (Kerberos , ACL's) are beta quality code or can they be used in production? Because Kafka documentation shows they are of beta code quality. We need to update the document. But Authorizer feature released as part of 0.9.0. We have lot of deployments using

Reg: Kafka Security features

2016-10-12 Thread BigData dev
Hi All, Could you please provide below information. 1. Kafka security features (Kerberos , ACL's) are beta quality code or can they be used in production? Because Kafka documentation shows they are of beta code quality. From Apache Kafka Documentation "In release 0.9.0.0, the Ka

Re: Release plan for kafka security

2015-09-25 Thread Neha Narkhede
My guess is that we might be able to get security and consumer work in by November for the 0.9 release. On Fri, Sep 25, 2015 at 10:44 AM, Aditya Auradkar < aaurad...@linkedin.com.invalid> wrote: > Basically, 0.8.3 has been renamed to 0.9.0. The plan is to include security > in the 0.9 release whi

Re: Release plan for kafka security

2015-09-25 Thread Aditya Auradkar
Basically, 0.8.3 has been renamed to 0.9.0. The plan is to include security in the 0.9 release which should happen once all the blocker bugs have been resolved and testing is complete (committers can provide more accurate timelines). On Fri, Sep 25, 2015 at 10:35 AM, Whitney, Adam wrote: > Hello

Release plan for kafka security

2015-09-25 Thread Whitney, Adam
Hello Kafka Developers, I’m looking for a queuing solution and Kafka is very near the top of my list … except that security is a primary concern (see the domain my email is coming from ;-) I’m a little confused about when security is going to be part of Kafka and in what release. On the Future

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-21 Thread Gwen Shapira
The KIP and design were accepted, so the WIKI should say "accepted" or something similar. Specific patch status is reflected in the JIRA. On Thu, May 21, 2015 at 8:37 PM, Parth Brahmbhatt < pbrahmbh...@hortonworks.com> wrote: > I am sorry to be ignorant about this but what is the new state? Adopt

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-21 Thread Parth Brahmbhatt
I am sorry to be ignorant about this but what is the new state? Adopted seems too early given we are still in code review process. Should I just make it “Code review”? Thanks Parth On 5/21/15, 8:43 AM, "Jun Rao" wrote: >Parth, > >Thanks for driving this. Could you update the status of the KIP i

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-21 Thread Jun Rao
Parth, Thanks for driving this. Could you update the status of the KIP in the wiki? Thanks, Jun On Wed, May 20, 2015 at 2:37 PM, Parth Brahmbhatt < pbrahmbh...@hortonworks.com> wrote: > This vote is now Closed with 4 binding +1s and 4 non binding +1s. > > Thanks > Parth > > On 5/20/15, 12:04 P

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-20 Thread Parth Brahmbhatt
This vote is now Closed with 4 binding +1s and 4 non binding +1s. Thanks Parth On 5/20/15, 12:04 PM, "Joel Koshy" wrote: >+1 > >On Fri, May 15, 2015 at 04:18:49PM +, Parth Brahmbhatt wrote: >> Hi, >> >> Opening the voting thread for KIP-11. >> >> Link to the KIP: >>https://cwiki.apache.or

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-20 Thread Joel Koshy
+1 On Fri, May 15, 2015 at 04:18:49PM +, Parth Brahmbhatt wrote: > Hi, > > Opening the voting thread for KIP-11. > > Link to the KIP: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface > Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 > > Th

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-18 Thread Joe Stein
+1 ~ Joe Stein - - - - - - - - - - - - - - - - - http://www.stealth.ly - - - - - - - - - - - - - - - - - On Fri, May 15, 2015 at 7:35 PM, Jun Rao wrote: > +1 > > Thanks, > > Jun > > On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt < > pbrahmbh...@hortonworks.com> wrote: > > > Hi, > > > > Op

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Jun Rao
+1 Thanks, Jun On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt < pbrahmbh...@hortonworks.com> wrote: > Hi, > > Opening the voting thread for KIP-11. > > Link to the KIP: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface > Link to Jira: https://issues.apache.

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Jay Kreps
+1 -Jay On Fri, May 15, 2015 at 9:18 AM, Parth Brahmbhatt < pbrahmbh...@hortonworks.com> wrote: > Hi, > > Opening the voting thread for KIP-11. > > Link to the KIP: > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface > Link to Jira: https://issues.apache.org/jira

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Tom Graves
+1 non-binding. Tom Graves On Friday, May 15, 2015 2:00 PM, Don Bosco Durai wrote: +1 non-binding On 5/15/15, 11:43 AM, "Gwen Shapira" wrote: >+1 non-binding > >On Fri, May 15, 2015 at 9:12 PM, Harsha wrote: > >> +1 non-binding >> >> >> >> >> >> >> On Fri, May 15, 2015 at 9:18 A

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Don Bosco Durai
+1 non-binding On 5/15/15, 11:43 AM, "Gwen Shapira" wrote: >+1 non-binding > >On Fri, May 15, 2015 at 9:12 PM, Harsha wrote: > >> +1 non-binding >> >> >> >> >> >> >> On Fri, May 15, 2015 at 9:18 AM -0700, "Parth Brahmbhatt" < >> pbrahmbh...@hortonworks.com> wrote: >> >> >> >> >> >> >> >> >> >>

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Gwen Shapira
+1 non-binding On Fri, May 15, 2015 at 9:12 PM, Harsha wrote: > +1 non-binding > > > > > > > On Fri, May 15, 2015 at 9:18 AM -0700, "Parth Brahmbhatt" < > pbrahmbh...@hortonworks.com> wrote: > > > > > > > > > > > Hi, > > Opening the voting thread for KIP-11. > > Link to the KIP: > https://cwiki.

Re: [Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Harsha
+1 non-binding On Fri, May 15, 2015 at 9:18 AM -0700, "Parth Brahmbhatt" wrote: Hi, Opening the voting thread for KIP-11. Link to the KIP: https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface Link to Jira: https://issues.apache.org/jira/browse/KAFK

[Vote] KIP-11 Authorization design for kafka security

2015-05-15 Thread Parth Brahmbhatt
Hi, Opening the voting thread for KIP-11. Link to the KIP: https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 Thanks Parth

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-05-01 Thread Jun Rao
nt from phone > > _ > From: Gwen Shapira mailto:gshap...@cloudera.com>> > Sent: Thursday, April 30, 2015 5:32 PM > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security > To: mailto:dev@kafka.apache.org>> > > > On Thu, Apr 30

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Don Bosco Durai
so it can keep moving forward. >> > >> >> > >> >> > >> ~ Joe Stein >> > >> >> > >> On Tue, Apr 28, 2015 at 3:33 AM, Sun, Dapeng >> > >>wrote: >> > >> >> > >> > Thank you for

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Suresh Srinivas
http://docs.aws.amazon.com/kinesis/latest/APIReference/CommonErrors.html From: Gwen Shapira Sent: Thursday, April 30, 2015 6:05 PM To: dev@kafka.apache.org Subject: Re: [VOTE] KIP-11- Authorization design for kafka security I think Kafka's behavior should be

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Gwen Shapira
> > Sent from phone > > _ > From: Gwen Shapira mailto:gshap...@cloudera.com>> > Sent: Thursday, April 30, 2015 5:32 PM > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security > To: mailto:dev@kafka.apache.org>> > > > On T

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Don Bosco Durai
ting the security concern. System must be ensure disallowing >> the access by implementing the security correctly. Not based on >>security by >> obscurity. >> >> Regards, >> Suresh >> >> Sent from phone >> >> _ >> F

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Gwen Shapira
MHO is a huge win. The default authorizer implementation right now > logs every allowed/denied access (see here > https://github.com/Parth-Brahmbhatt/kafka/blob/KAFKA-1688-impl/core/src/mai > n/scala/kafka/security/auth/SimpleAclAthorizer.scala) in debug mode. > Anybody who needs auditin

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Suresh Srinivas
@kafka.apache.org Subject: Re: [VOTE] KIP-11- Authorization design for kafka security I kind of thought of the authorization module as something that happens in handle(request: RequestChannel.Request) in the request.requestId match If the request doesn't do what it is allowed to it should stop

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
> creation, deletion, access etc.? > > Regards, > Suresh > > Sent from phone > > _ > From: Joe Stein mailto:joe.st...@stealth.ly>> > Sent: Thursday, April 30, 2015 3:27 PM > Subject: Re: [VOTE] KIP-11- Authorization design for kafka secu

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Gwen Shapira
from phone > > _ > From: Gwen Shapira mailto:gshap...@cloudera.com>> > Sent: Thursday, April 30, 2015 10:14 AM > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security > To: mailto:dev@kafka.apache.org>> > > > * Regarding add

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
_ > From: Gwen Shapira mailto:gshap...@cloudera.com>> > Sent: Thursday, April 30, 2015 10:14 AM > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security > To: mailto:dev@kafka.apache.org>> > > > * Regarding additional authorizers: > Prasad

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Suresh Srinivas
phone _ From: Gwen Shapira mailto:gshap...@cloudera.com>> Sent: Thursday, April 30, 2015 10:14 AM Subject: Re: [VOTE] KIP-11- Authorization design for kafka security To: mailto:dev@kafka.apache.org>> * Regarding additional authorizers: Prasad, who is a PMC on Apache Sentry review

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
>> >> > >>this > >> >> > >> was brought up already or I missed it. > >> >> > >> > >> >> > >> I read through the KIP and the thread(s) and a couple of things > >> >>jumped > >> >> > >>out. >

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Parth Brahmbhatt
how we can >> >>know >> >> > >>the >> >> > >>code works. >> >> > >> >> >> > >> >> >> > >> >> >> > >>- We need some implementation/example/sample

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Parth Brahmbhatt
t;> > >>Kafka it has to work for them out of the box. >>> > >> >>> > >> >>> > >> >>> > >>- We should shy away from storing JSON in Zookeeper. Lets store >>> > >>bytes

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
> > >> > >> > >> > >> > >> > >>- We should shy away from storing JSON in Zookeeper. Lets store > >> > >>bytes in > >> > >>Storage. > >> > >> > >> > >> > >>

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Sriharsha Chintalapani
; > >> > >2. We currently don't have any mechanism for specifying IP ranges > (or > > >> host > > >> > >ranges) at all. I think its a pretty significant deficiency, but it > > >>does > > >> > mean that we d

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Parth Brahmbhatt
>> >> > >> On Tue, Apr 28, 2015 at 3:33 AM, Sun, Dapeng >> > >>wrote: >> > >> >> > >> > Thank you for your reply, Gwen. >> > >> > >> > >> > >1. Complex rule systems can be difficult to reason about and

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
d up being less secure. The rule "Deny always wins" is very easy > to > > >> grasp. > > >> > Yes, I'm agreed with your point: we should not make the rule > complex. > > >> > > > >> > >2. We currently don't have any mech

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Gwen Shapira
sue of blocking a large > >> range > >> > while unblocking few servers in the range. > >> > Support ranges sounds reasonable. If this feature will be in > >>development > >> > plan, I also don't think we can put "the best matching acl"

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Parth Brahmbhatt
about the issue of blocking a large >>> range >>> > while unblocking few servers in the range. >>> > Support ranges sounds reasonable. If this feature will be in >>>development >>> > plan, I also don't think we can put "the best mat

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Parth Brahmbhatt
We have a call tomorrow (Tuesday, April 28) at 3pm PST - to discuss >>this >> > and other outstanding design issues (not all related to security). If >>you >> > are interested in joining - let me know and I'll forward you the >>invite. >> > Thank yo

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Jun Rao
t; > Thank you, Gwen. I have the invite and I should be at home at that time. > > But due to network issue, I may can't join the meeting smoothly. > > > > Regards > > Dapeng > > > > -Original Message- > > From: Gwen Shapira [mailto:gshap

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-30 Thread Joe Stein
> Regards > Dapeng > > -Original Message- > From: Gwen Shapira [mailto:gshap...@cloudera.com] > Sent: Tuesday, April 28, 2015 1:31 PM > To: dev@kafka.apache.org > Subject: Re: [VOTE] KIP-11- Authorization design for kafka security > > While I see the advantag

RE: [VOTE] KIP-11- Authorization design for kafka security

2015-04-28 Thread Sun, Dapeng
: Gwen Shapira [mailto:gshap...@cloudera.com] Sent: Tuesday, April 28, 2015 1:31 PM To: dev@kafka.apache.org Subject: Re: [VOTE] KIP-11- Authorization design for kafka security While I see the advantage of being able to say something like: "deny user X from hosts h1...h200" also "

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Gwen Shapira
5 PM, Sun, Dapeng wrote: > Attach the image. > > https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png > > Regards > Dapeng > > From: Sun, Dapeng [mailto:dapeng@intel.com] > Sent: Tuesday, April 28, 2015 11:44 AM > To: dev@kafka.apache.org > Subje

RE: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Sun, Dapeng
Attach the image. https://raw.githubusercontent.com/sundapeng/attachment/master/kafka-acl1.png Regards Dapeng From: Sun, Dapeng [mailto:dapeng@intel.com] Sent: Tuesday, April 28, 2015 11:44 AM To: dev@kafka.apache.org Subject: RE: [VOTE] KIP-11- Authorization design for kafka security

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Parth Brahmbhatt
>> >>>>>>>>>>restrict >> >> >>>>>>>>>>access to users just from a set of hosts. >> >> >>>>>>>>>> >> >> >>>>>>>>>>We agreed to offer a CLI to overcome the JSON

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Jun Rao
gt;>>>>>>>>Jsons but that probably has something to do with me being a > >> >>>>>>>>>>developer > >> >>>>>>>>>>:-). > >> >>>>>>>>>> > >> >>>&

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Parth Brahmbhatt
ration and one host. So we could make sure there >are not many acls with same meaning and make acl management easily. > > >Regards >Dapeng > >-Original Message- >From: Jun Rao [mailto:j...@confluent.io] >Sent: Monday, April 27, 2015 5:02 AM >To: dev@kafka.apache.

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-27 Thread Parth Brahmbhatt
>>>>On 4/22/15, 11:38 AM, "Jeff Holoman" >> >>>>>>>>>>wrote: >> >>>>>>>>>> >> >>>>>>>>>>>Parth, >> >>>>>>>>>>> >> >

RE: [VOTE] KIP-11- Authorization design for kafka security

2015-04-26 Thread Sun, Dapeng
okeeper or memory we may better to separate to one-principle, one-operation and one host. So we could make sure there are not many acls with same meaning and make acl management easily. Regards Dapeng -Original Message- From: Jun Rao [mailto:j...@confluent.io] Sent: Monday, April 27, 2

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-26 Thread Jun Rao
;>>>>>>>far. > >>>>>>>>>>> > >>>>>>>>>>>Are we sure that we want to tie host level access to a given > >>>>>>>>>>>user? > >>>>>>>>>>>My > >>

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-25 Thread Gwen Shapira
host2, host3 >>>>>>>>>>>user_b, host1, host2, host3 >>>>>>>>>>> >>>>>>>>>>>So there would potentially be a lot of redundancy in the configs. >>>>>>>>>>>Do

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
io where I want to offline/online access > >>> to a > >>> >>>particular hosts or set of hosts and if there was overlap, I'm > >>>doing a > >>> >>>bunch of alter commands for just a single host. Maybe this is too > >>>

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
llowed / denied >>>>>>>>>>hosts >>>>>>>>>>and >>>>>>>>>>only have to worry about the users. So if you follow this, then >>>>>>>>>> >>>>>>>>>>we can wildc

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gwen Shapira
of just >>>>>>>>>>host-based >>>>>>>>>>access. What's the order that the perms would be evaluated if a >>>>>>>>>>there >>>>>>>>>>was >>>>>>>>&

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gwen Shapira
re than one match on a principal ? >>>>>>>>> >>>>>>>>>Is the thought that there wouldn't usually be much overlap on >>>>>>>>>hosts? >>>>>>>>>I >>>>>>>>>guess I can imagine

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
t;>>>>>>>an example? >>>>>>>> >>>>>>>>I agree that having this level of granularity gives flexibility >>>>>>>>but I >>>>>>>>wonder if people will actually use it and not just * the hos

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
; list as i mentioned above? >>> >>> >>> >>>The only other system I know of that ties users with hosts for >>>access >>> is >>> >>>MySql and I don't love that model. Companies usually standardize on >>> group >>>

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gwen Shapira
n't love that model. Companies usually standardize on >>>>>>>group >>>>>>>authorization anyway, are we complicating that issue with the >>>>>>>inclusion >>>>>>>of >>>>>>>hosts attached to use

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
tt < >> >>>pbrahmbh...@hortonworks.com> wrote: >> >>> >> >>>> Sorry I missed your last questions. I am +0 on adding --host option >> for >> >>>> --list, we could add it for symmetry. Again if this is only a CLI >> c

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gari Singh
which is > >>>> resource based get (remove even the get based on principal). I see > >>>>those > >>>> (getAcl for principal or host) as special filtering case which can > >>>>easily > >>>> be achieved by a third party tool by doing "list a

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Sriharsha Chintalapani
gt;>> >>>>>>Jeff >>>>>> >>>>>>On Wed, Apr 22, 2015 at 2:22 PM, Parth Brahmbhatt < >>>>>>pbrahmbh...@hortonworks.com> wrote: >>>>>> >>>>>>> Sorry I missed your l

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
ything to ease this I think would be beneficial. >>>>>> >>>>>> >>>>>>Thanks >>>>>> >>>>>>Jeff >>>>>> >>>>>>On Wed, Apr 22, 2015 at 2:22 PM, Parth Brahmbhatt < >>&

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gwen Shapira
st questions. I am +0 on adding --host option >>>>>>for >>>>>> --list, we could add it for symmetry. Again if this is only a CLI >>>>>>change >>>>>>it >>>>>> can be added later if you mean adding this in authorizer inter

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
the get based on principal). I see >>>>>those >>>>> (getAcl for principal or host) as special filtering case which can >>>>>easily >>>>> be achieved by a third party tool by doing "list all topics" and >>>>>calling >&

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Gwen Shapira
Acls for each topic and applying filtering logic on that. I really >>>> don’t see the need to make those first class citizens of the authorizer >>>> interface given these kind of queries will be issued outside of broker >>>>JVM >>>> so they will not benefit fr

Re: [VOTE] KIP-11- Authorization design for kafka security

2015-04-24 Thread Parth Brahmbhatt
on resource both these options even as a first class API will >>>just >>> scan all topic acls and apply filtering logic. >>> >>> Thanks >>> Parth >>> >>> On 4/22/15, 11:08 AM, "Parth Brahmbhatt" >>> wrote: >>>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
here >> > >> >>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+ >>I >> >nterface#KIP-11-AuthorizationInterface-AclManagement(CLI) . I think it >> >covers both hosts and operations and allows to specify a list for both. >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tong Li
P-11- Authorization design for kafka security Parth, This is a long thread, so trying to keep up here, sorry if this has been covered before. First, great job on the KIP proposal and work so far. Are we sure that we want to tie host level access to a given user? My understanding is that the ACL wil

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Jeff Holoman
perations and allows to specify a list for both. > > > >Thanks > >Parth > > > >From: Tom Graves mailto:tgraves...@yahoo.com>> > >Reply-To: Tom Graves mailto:tgraves...@yahoo.com>> > >Date: Wednesday, April 22, 2015 at 11:02 AM > >To: Parth Brah

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
aves mailto:tgraves...@yahoo.com>> >>Reply-To: Tom Graves mailto:tgraves...@yahoo.com>> >>Date: Wednesday, April 22, 2015 at 11:02 AM >>To: Parth Brahmbhatt >>mailto:pbrahmbh...@hortonworks.com>>, >>"dev@kafka.apache.org<mailto:dev@kafka.apache.org>&

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
t;" >mailto:dev@kafka.apache.org>> >Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security > >Thanks for the explanations Parth. > >On the configs questions, the way I see it is its more likely to >accidentally give everyone access, especially since y

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
gt;>Date: Wednesday, April 22, 2015 at 11:02 AM >>To: Parth Brahmbhatt >>mailto:pbrahmbh...@hortonworks.com>>, >>"dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >>mailto:dev@kafka.apache.org>> >>Subject: Re: [DISCUSS] KIP-11- Authorizatio

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
April 22, 2015 at 11:02 AM >To: Parth Brahmbhatt >mailto:pbrahmbh...@hortonworks.com>>, >"dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >mailto:dev@kafka.apache.org>> >Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security > >Thanks for the e

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Parth Brahmbhatt , "dev@kafka.apache.org" Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security Thanks for the explanations Parth. On the configs questions, the way I see it is its more likely to accidentally give everyone access, especially since you have to run a separ

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
rg>> Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security Thanks for the explanations Parth. On the configs questions, the way I see it is its more likely to accidentally give everyone access, especially since you have to run a separate command to change the acls. If there

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Thanks for the explanations Parth. On the configs questions, the way I see it is its more likely to accidentally give everyone access, especially since you have to run a separate command to change the acls. If there was some config for defaults, a cluster admin could change that to be nobody or

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
FYI, I have modified the KIP to include group as resource. In order to access “joinGroup” and “commitOffset” APIs the user will need a read permission on topic and WRITE permission on group. I plan to open a VOTE thread by noon if there are no more concerns. Thanks Parth On 4/22/15, 9:03 AM, "T

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Hey everyone, Sorry to jump in on the conversation so late. I'm new to Kafka. I'll apologize in advance if you have already covered some of my questions.  I read through the wiki and had some comments and questions. 1) public enum Operation needs EDIT changed to ALTER 2) Does the Authorizer clas
