On Mon, Feb 1, 2016 at 7:04 PM, Gwen Shapira <g...@confluent.io> wrote:
> Looking at "existing solutions", it looks like Zookeeper allows plugging in
> any SASL mechanism, but the server will only support one mechanism at a
> time.

This was the original proposal from Rajini as that is enough for their needs.

> If this is good enough for our use-case (do we actually need to support
> multiple mechanisms at once?), it will simplify life a lot for us (
> https://cwiki.apache.org/confluence/display/ZOOKEEPER/Zookeeper+and+SASL)

The current thinking is that it would be useful to support multiple SASL mechanisms simultaneously. In the KIP meeting, Jun mentioned that companies sometimes support additional authentication mechanisms for partners, for example. It does make things more complex, as you say, so we need to be sure the complexity is worth it.

Two more points:

1. It has been suggested that custom security protocol support is needed by some (KIP-44). Rajini enhanced KIP-43 so that a SASL mechanism with a custom provider can be used for this purpose instead. Given this, it seems a bit inconsistent and restrictive not to allow multiple SASL mechanisms simultaneously (we do allow SSL and SASL authentication simultaneously, after all).

2. The other option would be to support a single SASL mechanism simultaneously to start with and then extend this to multiple mechanisms simultaneously later (if and when needed). It seems like it would be harder to support the latter in the future if we go down this route, but maybe there are ways around this.

Thoughts?

Ismael