Looking at "existing solutions", it looks like Zookeeper allows plugging in any SASL mechanism, but the server will only support one mechanism at a time. If this is good enough for our use-case (do we actually need to support multiple mechanisms at once?), it will simplify life a lot for us (https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL).
On Mon, Feb 1, 2016 at 8:47 AM, Ismael Juma <ism...@juma.me.uk> wrote:
> Hi Gwen,
>
> A few comments below.
>
> On Mon, Feb 1, 2016 at 4:30 PM, Gwen Shapira <g...@confluent.io> wrote:
>
> > Thanks for clarifying, Ismael and Rajini. And I'm sorry for reopening a point that was clearly discussed already.
>
> Your input is definitely welcome. :) There was an initial discussion in the KIP meeting, but it was understood that a wider and more detailed discussion was needed before we could agree on the right solution.
>
> > 1) Having two different ways to decide on the protocol (port + negotiation) is needlessly confusing for administrators. It's just one more complexity to figure out when authentication using SASL is already the most complex administrative task one has in Kafka (judging by the number of questions we get).
>
> Yes, this is definitely a concern. It would be good to contrast this with how the multiple ports option could look (given pluggable mechanisms, it won't be as simple as the existing config for multiple ports).
>
> > 2) Troubleshooting. Especially in a customer-support (and mailing-list support) environment. Asking for two configuration files and two netstat results is a completely different story than using tcpdump (which requires root privileges), catching the correct negotiation packets and decoding them to figure out what went wrong.
>
> Right. Could we mitigate this somewhat with appropriate logging since we control the negotiation process?
>
> Ismael
>
> P.S. It is interesting that Cassandra went in the other direction and made it possible to use a single port for both encrypted and non-encrypted traffic a few months ago:
>
> https://git1-us-west.apache.org/repos/asf?p=cassandra.git;a=commit;h=535c3ac7