Yeah, if nobody else does it first, LinkedIn will definitely do Kerberos/SSL + Unix permissions at the topic level soonish. If folks already have a head start on the auth piece, we would love to have that contribution.

On Fri, Aug 30, 2013 at 5:25 AM, Maxime Brugidou <maxime.brugi...@gmail.com> wrote:

> We would love to see Kerberos authentication + some Unix-like permission
> system for topics (where one topic is a file and users/groups have read
> and/or write access).
>
> I guess this is not high-priority but it enables some sort of
> Kafka-as-a-service possibility with multi tenancy. You could integrate a
> quota system later on...
>
> On Aug 30, 2013 5:38 AM, "Rajasekar Elango" <rela...@salesforce.com> wrote:
>
> > No, certificates are not per topic. It is for the entire broker.
> >
> > Thanks,
> > Raja.
> >
> > On Thu, Aug 29, 2013 at 11:33 PM, Joe Stein <crypt...@gmail.com> wrote:
> >
> > > Are the certificate stores by topic? Very interesting!!! Looking
> > > forward to trying it out and reviewing it.
> > >
> > > /*******************************************
> > > Joe Stein
> > > Founder, Principal Consultant
> > > Big Data Open Source Security LLC
> > > http://www.stealth.ly
> > > Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > ********************************************/
> > >
> > > On Thu, Aug 29, 2013 at 11:22 PM, Rajasekar Elango <rela...@salesforce.com> wrote:
> > >
> > > > We have made changes to Kafka code to support certificate-based
> > > > mutual SSL authentication. So the clients and broker will exchange
> > > > trusted certificates for successful communication. This provides both
> > > > authentication and SSL encryption. Planning to contribute that code
> > > > back to Kafka soon.
> > > >
> > > > Thanks,
> > > > Raja.
> > > >
> > > > On Thu, Aug 29, 2013 at 11:16 PM, Joe Stein <crypt...@gmail.com> wrote:
> > > >
> > > > > One use case I have been discussing recently with a few clients is
> > > > > verifying the digital signature of a message as part of the
> > > > > acceptance criteria of it being committed to the log and/or when it
> > > > > is consumed.
> > > > >
> > > > > I would be very interested in discussing different scenarios such
> > > > > as Kafka as a service, privacy at rest as well as authorization and
> > > > > authentication (if required).
> > > > >
> > > > > Hit me up
> > > > >
> > > > > /*******************************************
> > > > > Joe Stein
> > > > > Founder, Principal Consultant
> > > > > Big Data Open Source Security LLC
> > > > > http://www.stealth.ly
> > > > > Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop>
> > > > > ********************************************/
> > > > >
> > > > > On Thu, Aug 29, 2013 at 8:13 PM, Jay Kreps <jay.kr...@gmail.com> wrote:
> > > > >
> > > > > > +1
> > > > > >
> > > > > > We don't have any application-level security at this time so the
> > > > > > answer is whatever you can do at the network/system level.
> > > > > >
> > > > > > -Jay
> > > > > >
> > > > > > On Thu, Aug 29, 2013 at 10:09 AM, Benjamin Black <b...@b3k.us> wrote:
> > > > > >
> > > > > > > IP filters on the hosts.
> > > > > > >
> > > > > > > On Aug 29, 2013 10:03 AM, "Calvin Lei" <ckp...@gmail.com> wrote:
> > > > > > >
> > > > > > > > Is there a way to stop a malicious user from connecting
> > > > > > > > directly to a Kafka broker and sending any messages? Could we
> > > > > > > > have the brokers accept a message from a list of known IPs?
> > > >
> > > > --
> > > > Thanks,
> > > > Raja.
> >
> > --
> > Thanks,
> > Raja.