Currently the authorizer does not perform any dns lookups and uses the hostname it receives as part of request.session as is. So in a way we are allowing only ip addresses. The only match is equality based so no ip ranges yet but that is easy to add.
However, I think it is ok to allow for both ip addresses and hostnames and we should allow both. I am not sure why would I want to secure dns lookups and the host lookups extending to dns server are only necessary when the dns cache does not have the entry or the cache entry expires. This can be controlled by setting networkaddress.cache.ttl setting in jvm. Thanks Parth On 4/14/15, 10:56 PM, "Don Bosco Durai" <bo...@apache.org> wrote: >I also feel, having just IP would be more appropriate. Host lookup will >unnecessary slow things down and would be insecure as you pointed out. > >With IP, it will be also able to setup policies (in future if needed) with >ranges or netmasks and it would be more scalable. > >Bosco > > >On 4/14/15, 1:40 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID> >wrote: > >>Hi Parth, >> >>Sorry to chime in so late, but I’ve got a minor question on the KIP. >> >>Several methods take a parameter named “host” of type String. Is that >>intended to be a hostname, or an IP address? If the former, I’m curious >>as >>to how that’s found (in my experience, when accepting an incoming socket >>connection, you only know the IP address, and there isn’t a way to map >>that to a hostname without a round trip to a DNS server, which is >>insecure >>anyway). >> >> >>On 3/25/15, 1:07 PM, "Parth Brahmbhatt" <pbrahmbh...@hortonworks.com> >>wrote: >> >>>Hi all, >>> >>>I have modified the KIP to reflect the recent change request from the >>>reviewers. I have been working on the code and I have the server side >>>code >>>for authorization ready. I am now modifying the command line utilities. >>>I >>>would really appreciate if some of the committers can spend sometime to >>>review the KIP so we can make progress on this. >>> >>>Thanks >>>Parth >>> >>>On 3/18/15, 2:20 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID> >>>wrote: >>> >>>>Hi Parth, >>>> >>>>Thanks! A few questions: >>>> >>>>1. Do you want to permit rules in your ACLs that DENY access as well as >>>>ALLOW? This can be handy setting up rules that have exceptions. E.g. >>>>“Allow principal P to READ resource R from all hosts” with “Deny >>>>principal >>>>P READ access to resource R from host H1” in combination would allow P >>>>to >>>>READ R from all hosts *except* H1. >>>> >>>>2. When a topic is newly created, will there be an ACL created for it? >>>>If >>>>not, would that not deny subsequent access to it? >>>> >>>>(nit) Maybe use Principal instead of String to represent principals? >>>> >>>> >>>>On 3/9/15, 11:48 AM, "Don Bosco Durai" <bo...@apache.org> wrote: >>>> >>>>>Parth >>>>> >>>>>Overall it is looking good. Couple of questionsŠ >>>>> >>>>>- Can you give an example how the policies will look like in the >>>>>default >>>>>implementation? >>>>>- In the operations, can we support ³CONNECT² also? This can be used >>>>>during Session connection >>>>>- Regarding access control for ³Topic Creation², since we can¹t do it >>>>>on >>>>>the server side, can we de-scope it for? And plan it as a future >>>>>feature >>>>>request? >>>>> >>>>>Thanks >>>>> >>>>>Bosco >>>>> >>>>> >>>>> >>>>>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote: >>>>> >>>>>>Hi Parth, >>>>>> Thanks for putting this together. Overall it looks good >>>>>>to >>>>>> me. Although AdminUtils is a concern KIP-4 can probably >>>>>>fix >>>>>> that part. >>>>>>Thanks, >>>>>>Harsha >>>>>> >>>>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >>>>>>> Forgot to add links to wiki and jira. >>>>>>> >>>>>>> Link to wiki: >>>>>>> >>>>>>>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authoriza >>>>>>>t >>>>>>>i >>>>>>>o >>>>>>>n >>>>>>>+ >>>>>>>Interface >>>>>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>>>>> >>>>>>> Thanks >>>>>>> Parth >>>>>>> >>>>>>> From: Parth Brahmbhatt >>>>>>> <pbrahmbh...@hortonworks.com<mailto:pbrahmbh...@hortonworks.com>> >>>>>>> Date: Thursday, March 5, 2015 at 10:33 AM >>>>>>> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >>>>>>> <dev@kafka.apache.org<mailto:dev@kafka.apache.org>> >>>>>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> KIP-11 is open for discussion , I have updated the wiki with the >>>>>>>design >>>>>>> and open questions. >>>>>>> >>>>>>> Thanks >>>>>>> Parth >>>>> >>>>> >>>> >>> >> > >
