Jun,

Thank you for reviewing the KIP. Answers below:

1. Yes, broker can specify *sasl.mechanism*. It is used for all client-mode
connections including that in inter-broker communication.

2. If *sasl.enabled.mechanisms* is not specified, the default value of
{'GSSAPI'} is used. If it is specified, only the protocols specified are
enabled. This enables brokers to be run with SASL without enabling GSSAPI
(as we do). Since GSSAPI requires complex Kerberos set up, it is useful to
have the ability to turn it off.

3. For the default SASL/PLAIN implementation included in Kafka, username
(authentication ID) is returned as principal.

I will update the KIP to clarify these points.

Thanks,

Rajini


On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <j...@confluent.io> wrote:

> Hi, Rajini,
>
> Sorry for the late response. The revised KIP looks good overall. Just a few
> minor comments below.
>
> 1. Since the broker can also act as a client too (for inter broker
> communication), sasl.mechanism can also be specified in the broker
> configuration, right?
> 2. Since we enable GSSAPI by default, is it true that one only needs to
> specify non-GSSAPI mechanisms in sasl.enabled.mechanisms?
> 3. For SASL/PLAIN, could we describe what the Principal will
> Authenticator.principal()
> return?
>
> I will also take a look at the patch. However, since we are getting pretty
> close to 0.10.0.0 release, I think we likely will have to leave this out of
> 0.10.0.0.
>
> Thanks,
>
> Jun
>
> On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <g...@confluent.io> wrote:
>
> > I'm afraid it will be a challenge.
> >
> > I see a few options:
> > 1. Jun should be back in the office tomorrow. If he votes +1 and agrees
> > that the PR is ready to merge and is safe and important enough to
> > double-commit - this could get in yet.
> > 2. Same as above, but not in time for the Monday release candidate. In this
> > case, we can get it into 0.10.0.0 if we find other blockers and need to
> > roll-out another RC.
> > 3. (most likely) We will finish the vote and review but not in time for
> > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3 months, and
> > we'll get it in there. You'll be in good company with KIP-35, KIP-4, KIP-48
> > and a few other things that are close to done, are super critical but are
> > just not ready in time. That's why we are trying to release more often.
> >
> > Gwen
> >
> > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram <
> > rajinisiva...@googlemail.com> wrote:
> >
> > > Gwen,
> > >
> > > Ah, I clearly don't know the rules. So it looks like it would not really be
> > > possible to get this into 0.10.0.0 after all.
> > >
> > > Rajini
> > >
> > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira <g...@confluent.io> wrote:
> > >
> > > > Rajini,
> > > >
> > > > I think the vote didn't pass yet?
> > > > If I can see correctly, Harsha and I are the only committers who voted, so
> > > > we are missing a 3rd vote.
> > > >
> > > > Gwen
> > > >
> > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram <
> > > > rajinisiva...@googlemail.com> wrote:
> > > >
> > > > > Gwen,
> > > > >
> > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR review. If any
> > > > > of them has time for reviewing the PR, I will update the PR over the
> > > > > weekend. If you can suggest any other reviewers, I can ping them too.
> > > > >
> > > > > Many thanks.
> > > > >
> > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira <g...@confluent.io> wrote:
> > > > >
> > > > > > This can be discussed in the review.
> > > > > > If there's good test coverage, is low risk and passes review and gets
> > > > > > merged before Monday morning...
> > > > > >
> > > > > > We won't be doing an extra release candidate just for this though.
> > > > > >
> > > > > > Gwen
> > > > > >
> > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram <
> > > > > > rajinisiva...@googlemail.com> wrote:
> > > > > >
> > > > > > > Gwen,
> > > > > > >
> > > > > > > Is it still possible to include this in 0.10.0.0?
> > > > > > >
> > > > > > > Thanks,
> > > > > > >
> > > > > > > Rajini
> > > > > > >
> > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira <g...@confluent.io> wrote:
> > > > > > >
> > > > > > > > Sorry! Got distracted by the impending release!
> > > > > > > >
> > > > > > > > +1 on the current revision of the KIP.
> > > > > > > >
> > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha <ka...@harsha.io> wrote:
> > > > > > > >
> > > > > > > > > Any update on this. Gwen since the KIP is adjusted to address the
> > > > > > > > > pluggable classes we should make a move on this.
> > > > > > > > >
> > > > > > > > > Rajini,
> > > > > > > > >            Can you restart the voting thread.
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > > Harsha
> > > > > > > > >
> > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram wrote:
> > > > > > > > > > As discussed in the KIP meeting yesterday, the scope of KIP-43 has been
> > > > > > > > > > reduced so that it can be integrated into 0.10.0.0. The updated KIP is
> > > > > > > > > > here:
> > > > > > > > > >
> > > > > > > > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements
> > > > > > > > > > .
> > > > > > > > > >
> > > > > > > > > > Can we continue the vote on the updated KIP?
> > > > > > > > > >
> > > > > > > > > > Thank you,
> > > > > > > > > >
> > > > > > > > > > Rajini
> > > > > > > > > >
> > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira <g...@confluent.io> wrote:
> > > > > > > > > >
> > > > > > > > > > > Harsha,
> > > > > > > > > > >
> > > > > > > > > > > Since you are clearly in favor of the KIP, do you mind jumping into
> > > > > > > > > > > the discussion thread and help me understand the decision behind the
> > > > > > > > > > > configuration parameters only allowing a single Login and
> > > > > > > > > > > CallbackHandler class? This seems too limiting to me, and while Rajini
> > > > > > > > > > > is trying hard to convince me otherwise, I remain doubtful. Perhaps
> > > > > > > > > > > (since we have similar experience with Hadoop), you can help me see
> > > > > > > > > > > what I am missing.
> > > > > > > > > > >
> > > > > > > > > > > Gwen
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha <ka...@harsha.io> wrote:
> > > > > > > > > > > > +1 (binding)
> > > > > > > > > > > >
> > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao wrote:
> > > > > > > > > > > >> +1 (non-binding)
> > > > > > > > > > > >>
> > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew Schofield <
> > > > > > > > > > > >> andrew_schofield_j...@outlook.com> wrote:
> > > > > > > > > > > >>
> > > > > > > > > > > >> > +1 (non-binding)
> > > > > > > > > > > >> >
> > > > > > > > > > > >> > ----------------------------------------
> > > > > > > > > > > >> > > From: ism...@juma.me.uk
> > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000
> > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL enhancements
> > > > > > > > > > > >> > > To: dev@kafka.apache.org
> > > > > > > > > > > >> > >
> > > > > > > > > > > >> > > +1 (non-binding)
> > > > > > > > > > > >> > >
> > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini Sivaram <
> > > > > > > > > > > >> > > rajinisiva...@googlemail.com> wrote:
> > > > > > > > > > > >> > >
> > > > > > > > > > > >> > >> I would like to start the voting process for *KIP-43: Kafka SASL
> > > > > > > > > > > >> > >> enhancements*. This KIP extends the SASL implementation in Kafka to support
> > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to be integrated with different
> > > > > > > > > > > >> > >> authentication servers.
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> The KIP is available here for reference:
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> And here is a link to the discussion on the mailing list:
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> Thank you...
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> Regards,
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> > >> Rajini
> > > > > > > > > > > >> > >>
> > > > > > > > > > > >> >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Rajini
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > >
> > > > > > > Rajini
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > >
> > > > > Rajini
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Rajini
> > >
> >
>



-- 
Regards,

Rajini
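
Added example, not part of the original thread and not Kafka source code: a small Python model of the three answers at the top of this message (default of sasl.enabled.mechanisms, sasl.mechanism for the broker's own client-mode connections, and the SASL/PLAIN principal). The function names and the USERS table are hypothetical; the PLAIN message layout is taken from RFC 4616, and the inter-broker check assumes every broker shares the same configuration.

```python
import hmac

DEFAULT_ENABLED = frozenset({"GSSAPI"})  # default stated in the reply above

# Constructed sample credentials, not from the thread.
USERS = {"alice": "alice-secret"}


def enabled_mechanisms(config):
    """Mechanisms a broker accepts: the default set unless the key is present."""
    raw = config.get("sasl.enabled.mechanisms")
    if raw is None:
        return DEFAULT_ENABLED
    # Once specified, only the listed mechanisms are enabled; GSSAPI is not implied.
    return frozenset(m.strip() for m in raw.split(",") if m.strip())


def inter_broker_ok(config):
    """True if the broker's own client-mode mechanism is one it also accepts.
    Assumes peers share this config and sasl.mechanism is set explicitly."""
    return config["sasl.mechanism"] in enabled_mechanisms(config)


def parse_plain(message):
    """Split an RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    parts = message.split(b"\x00")
    if len(parts) != 3:
        raise ValueError("PLAIN message must contain exactly two NUL separators")
    authzid, authcid, passwd = (p.decode("utf-8") for p in parts)
    if not authcid or not passwd:
        raise ValueError("authcid and passwd must be non-empty")
    return authzid, authcid, passwd


def plain_principal(message, users=USERS):
    """Return the principal for a valid PLAIN login, else None.
    Per the reply, the principal is the authentication ID (authcid)."""
    _authzid, authcid, passwd = parse_plain(message)
    expected = users.get(authcid)
    # Unknown users are compared against a value no parsed password can equal,
    # so both cases go through the same comparison.
    ok = hmac.compare_digest(passwd.encode(), (expected or "\x00").encode())
    if expected is None or not ok:
        return None
    return authcid
```

A broker configured with sasl.enabled.mechanisms=PLAIN and sasl.mechanism=GSSAPI fails inter_broker_ok, which is the mismatch to look for when GSSAPI is turned off.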
