Hi Gwen,

A few comments below.

On Mon, Feb 1, 2016 at 4:30 PM, Gwen Shapira <g...@confluent.io> wrote:

> Thanks for clarifying, Ismael and Rajini. And I'm sorry for reopening a
> point that was clearly discussed already.


Your input is definitely welcome. :) There was an initial discussion in the
KIP meeting, but it was understood that a wider and more detailed
discussion was needed before we could agree on the right solution.

> 1) Having two different ways to decide on the protocol (port + negotiation)
> is needlessly confusing for administrators. It's just one more complexity to
> figure out when authentication using SASL is already the most complex
> administrative task one has in Kafka (judging by the number of questions we
> get).
>

Yes, this is definitely a concern. It would be good to contrast this with
what the multiple ports option could look like (given pluggable mechanisms,
it won't be as simple as the existing config for multiple ports).

> 2) Troubleshooting. Especially in customer-support (and mailing-list
> support) environment. Asking for two configuration files and two netstat
> results is a completely different story than using tcpdump (which requires
> root privileges), catching the correct negotiation packets and decoding
> them to figure out what went wrong.
>

Right. Could we mitigate this somewhat with appropriate logging since we
control the negotiation process?

Ismael

P.S. It is interesting that Cassandra went in the other direction and made
it possible to use a single port for both encrypted and non-encrypted
traffic a few months ago:

https://git1-us-west.apache.org/repos/asf?p=cassandra.git;a=commit;h=535c3ac7
