The proposal itself looks reasonable, but I have a couple of questions as you made reference to "operators of the system; and network team" in your wiki.
- Are spoofing attacks a concern even with this in place? If so, it would require some sort of internal ingress filtering which presumably need cooperation with network teams right? - Also, the operators of the (Kafka) system really should have access to iptables on the Kafka brokers so wouldn't this feature be effectively redundant? Thanks, Joel On Thu, Jan 22, 2015 at 01:50:41PM -0500, Joe Stein wrote: > Hey Jeff, thanks for the patch and writing this up. > > I think the approach to explicitly deny and then set what is allowed or > explicitly allow then deny specifics makes sense. Supporting CIDR notation > and ip4 and ip6 both good too. > > Waiting for KAFKA-1845 to get committed I think makes sense before > reworking this anymore right now, yes. Andrii posted a patch yesterday for > it so hopefully in the next ~ week(s). > > Not sure what other folks think of this approach but whatever that is would > be good to have it in prior to reworking for the config def changes. > > /******************************************* > Joe Stein > Founder, Principal Consultant > Big Data Open Source Security LLC > http://www.stealth.ly > Twitter: @allthingshadoop <http://www.twitter.com/allthingshadoop> > ********************************************/ > > On Wed, Jan 21, 2015 at 8:47 PM, Jeff Holoman <jholo...@cloudera.com> wrote: > > > Posted a KIP for IP Filtering: > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-7+-+Security+-+IP+Filtering > > > > Relevant JIRA: > > https://issues.apache.org/jira/browse/KAFKA-1810 > > > > Appreciate any feedback. > > > > Thanks > > > > Jeff > >
