Hi Lobo, Thanks for the KIP! I like the idea to allow "IP subnet" to be passed into `--allow-host` option to set for a principle. It will be useful in production environment.
Here's some comments: 1. I think "IP subnet" is more specific than "network segment", is that right? 2. Since you allow the IP subnet in "--allow-host" option, should we also allow the IP subnet in "--deny-host" option? 3. You should mention that we only accept the "CIDR notation" of the IP subnet, to avoid other kinds of subnet expression. REF: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation 4. IP subnet also supports IPv6, should we also allow subnet of IPv6? Thank you. Luke On Tue, Jun 8, 2021 at 9:19 AM lobo xu <wenqiang...@gmail.com> wrote: > The KIP address is wrong in the last email. This is the correct Kip Wiki > address > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-753%3A++ACL+authentication%2C+Host+field+support+IP+network+segment > > > On 2021/06/07 16:24:50, lobo xu <wenqiang...@gmail.com> wrote: > > Hi all > > > > I'd like to discuss the following kip, any suggestions are welcome. > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-753%3A++ACL+authentication%2C+Host+field+support+IP+network+segment > 。 > > > > Many thanks, > > > > Lobo > > >
