[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15131490#comment-15131490 ]
ASF GitHub Bot commented on KAFKA-3186: --------------------------------------- GitHub user SinghAsDev opened a pull request: https://github.com/apache/kafka/pull/861 KAFKA-3186: Make Kafka authorizer aware of principal types it supports. You can merge this pull request into a Git repository by running: $ git pull https://github.com/SinghAsDev/kafka KAFKA-3186 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/kafka/pull/861.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #861 ---- commit 0617c75ee808d58009afdaf976fc1ae455cfb2e8 Author: Ashish Singh <asi...@cloudera.com> Date: 2016-02-04T01:06:29Z KAFKA-3186: Make Kafka authorizer aware of principal types it supports. ---- > Kafka authorizer should be aware of principal types it supports. > ---------------------------------------------------------------- > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement > Reporter: Ashish K Singh > Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)