Hi Parth,

Sorry to chime in so late, but I’ve got a minor question on the KIP.

Several methods take a parameter named “host” of type String. Is that intended to be a hostname, or an IP address? If the former, I’m curious as to how that’s found (in my experience, when accepting an incoming socket connection, you only know the IP address, and there isn’t a way to map that to a hostname without a round trip to a DNS server, which is insecure anyway).

On 3/25/15, 1:07 PM, "Parth Brahmbhatt" <pbrahmbh...@hortonworks.com> wrote:

>Hi all,
>
>I have modified the KIP to reflect the recent change request from the
>reviewers. I have been working on the code and I have the server side code
>for authorization ready. I am now modifying the command line utilities. I
>would really appreciate if some of the committers can spend some time to
>review the KIP so we can make progress on this.
>
>Thanks
>Parth
>
>On 3/18/15, 2:20 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID>
>wrote:
>
>>Hi Parth,
>>
>>Thanks! A few questions:
>>
>>1. Do you want to permit rules in your ACLs that DENY access as well as
>>ALLOW? This can be handy setting up rules that have exceptions. E.g.
>>“Allow principal P to READ resource R from all hosts” with “Deny principal
>>P READ access to resource R from host H1” in combination would allow P to
>>READ R from all hosts *except* H1.
>>
>>2. When a topic is newly created, will there be an ACL created for it? If
>>not, would that not deny subsequent access to it?
>>
>>(nit) Maybe use Principal instead of String to represent principals?
>>
>>
>>On 3/9/15, 11:48 AM, "Don Bosco Durai" <bo...@apache.org> wrote:
>>
>>>Parth
>>>
>>>Overall it is looking good. Couple of questions…
>>>
>>>- Can you give an example how the policies will look like in the default
>>>implementation?
>>>- In the operations, can we support “CONNECT” also? This can be used
>>>during Session connection
>>>- Regarding access control for “Topic Creation”, since we can’t do it on
>>>the server side, can we de-scope it for? And plan it as a future feature
>>>request?
>>>
>>>Thanks
>>>
>>>Bosco
>>>
>>>
>>>
>>>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote:
>>>
>>>>Hi Parth,
>>>>            Thanks for putting this together. Overall it looks good to
>>>>me. Although AdminUtils is a concern KIP-4 can probably fix that part.
>>>>Thanks,
>>>>Harsha
>>>>
>>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote:
>>>>> Forgot to add links to wiki and jira.
>>>>>
>>>>> Link to wiki:
>>>>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
>>>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
>>>>>
>>>>> Thanks
>>>>> Parth
>>>>>
>>>>> From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>>>>> Date: Thursday, March 5, 2015 at 10:33 AM
>>>>> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>>>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>>>>
>>>>> Hi,
>>>>>
>>>>> KIP-11 is open for discussion, I have updated the wiki with the design
>>>>> and open questions.
>>>>>
>>>>> Thanks
>>>>> Parth
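
The ALLOW/DENY combination and the host question raised in this thread, as an added example that is not part of any message above and is not Kafka's or KIP-11's code. It assumes DENY takes precedence over ALLOW, that a resource with no ACLs is refused, and that `host` holds an IP address literal; `Acl`, `authorize`, `host_matches`, `ANY_HOST` and the address chosen for H1 are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address

ANY_HOST = "*"  # assumed wildcard for "all hosts"; not taken from the KIP

@dataclass(frozen=True)
class Acl:  # hypothetical rule shape, not the KIP-11 interface
    principal: str
    permission: str  # "ALLOW" or "DENY"
    operation: str   # e.g. "READ"
    host: str        # IP address literal or ANY_HOST

    def __post_init__(self):
        if self.permission not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown permission: {self.permission!r}")
        # Reject hostnames when the rule is created: a DENY rule that can
        # never match a socket's peer address would silently fail open.
        if self.host != ANY_HOST:
            ip_address(self.host)  # raises ValueError for non-IP strings

def host_matches(rule_host, client_ip):
    # Compare parsed addresses so "::1" equals "0:0:0:0:0:0:0:1".
    return rule_host == ANY_HOST or ip_address(rule_host) == ip_address(client_ip)

def authorize(acls, resource, principal, operation, client_ip):
    """Deny-overrides: any matching DENY refuses; otherwise an ALLOW is required."""
    matching = [a for a in acls.get(resource, [])
                if a.principal == principal and a.operation == operation
                and host_matches(a.host, client_ip)]
    if any(a.permission == "DENY" for a in matching):
        return False
    # A resource with no ACLs (e.g. a newly created topic) has no ALLOW: refused.
    return any(a.permission == "ALLOW" for a in matching)

# Constructed sample: P may READ R from all hosts except H1 (taken as 10.0.0.1).
SAMPLE_ACLS = {
    "R": [Acl("P", "ALLOW", "READ", ANY_HOST),
          Acl("P", "DENY", "READ", "10.0.0.1")],
}

if __name__ == "__main__":
    for ip in ("10.0.0.2", "10.0.0.1"):
        print(ip, authorize(SAMPLE_ACLS, "R", "P", "READ", ip))
```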