Rajini,
Thanks for the update. +1 on the proposal.
Jun
On Tue, Mar 29, 2016 at 3:32 AM, Rajini Sivaram <
rajinisiva...@googlemail.com> wrote:
> Jun,
>
> Thank you for reviewing the KIP. Answers below:
>
> 1. Yes, broker can specify *sasl.mechanism. *It is used for all client-mode
> connections including that in inter-broker communication.
>
> 2. If *sasl.enabled.mechanisms* is not specified, the default value of
> {'GSSAPI'} is used. If it is specified, only the protocols specified are
> enabled. This enables brokers to be run with SASL without enabling GSSAPI
> (as we do). Since GSSAPI requires complex Kerberos set up, it is useful to
> have the ability to turn it off.
>
> 3. For the default SASL/PLAIN implementation included in Kafka, username
> (authentication ID) is returned as principal.
>
> I will update the KIP to clarify these points.
>
> Thanks,
>
> Rajini
>
>
> On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <j...@confluent.io> wrote:
>
> > Hi, Rajini,
> >
> > Sorry for the late response. The revised KIP looks good overall. Just a
> few
> > minor comments below.
> >
> > 1. Since the broker can also act as a client too (for inter broker
> > communication), sasl.mechanism can also be specified in the broker
> > configuration, right?
> > 2. Since we enable GSSAPI by default, is it true that one only needs to
> > specify non-GSSAPI mechanisms in sasl.enabled.mechanisms?
> > 3. For SASL/PLAIN, could we describe what the Principal will
> > Authenticator.principal()
> > return?
> >
> > I will also take a look at the patch. However, since we are getting
> pretty
> > close to 0.10.0.0 release, I think we likely will have to leave this out
> of
> > 0.10.0.0.
> >
> > Thanks,
> >
> > Jun
> >
> > On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <g...@confluent.io> wrote:
> >
> > > I'm afraid it will be a challenge.
> > >
> > > I see few options:
> > > 1. Jun should be back in the office tomorrow. If he votes +1 and agrees
> > > that the PR is ready to merge and is safe and important enough to
> > > double-commit - this could get in yet.
> > > 2. Same as above, but not in time for the Monday release candidate. In
> > this
> > > case, we can get it into 0.10.0.0 if we find other blockers and need to
> > > roll-out another RC.
> > > 3. (most likely) We will finish the vote and review but not in time for
> > > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3 month, and
> > > we'll get it in there. You'll be in good company with KIP-35, KIP-4,
> > KIP-48
> > > and few other things that are close to done, are super critical but are
> > > just not ready in time. Thats why we are trying to release more often.
> > >
> > > Gwen
> > >
> > > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram <
> > > rajinisiva...@googlemail.com> wrote:
> > >
> > > > Gwen,
> > > >
> > > > Ah, I clearly don't know the rules. So it looks like it would not
> > really
> > > be
> > > > possible to get this into 0.10.0.0 after all.
> > > >
> > > > Rajini
> > > >
> > > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira <g...@confluent.io>
> > wrote:
> > > >
> > > > > Rajini,
> > > > >
> > > > > I think the vote didn't pass yet?
> > > > > If I can see correctly, Harsha and I are the only committers who
> > voted,
> > > > so
> > > > > we are missing a 3rd vote.
> > > > >
> > > > > Gwen
> > > > >
> > > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram <
> > > > > rajinisiva...@googlemail.com> wrote:
> > > > >
> > > > > > Gwen,
> > > > > >
> > > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR
> review.
> > If
> > > > any
> > > > > > of them has time for reviewing the PR, I will update the PR over
> > the
> > > > > > weekend. If you can suggest any other reviewers, I can ping them
> > too.
> > > > > >
> > > > > > Many thanks.
> > > > > >
> > > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira <g...@confluent.io
> >
> > > > wrote:
> > > > > >
> > > > > > > This can be discussed in the review.
> > > > > > > If there's good test coverage, is low risk and passes review
> and
> > > gets
> > > > > > > merged before Monday morning...
> > > > > > >
> > > > > > > We won't be doing an extra release candidate just for this
> > though.
> > > > > > >
> > > > > > > Gwen
> > > > > > >
> > > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram <
> > > > > > > rajinisiva...@googlemail.com> wrote:
> > > > > > >
> > > > > > > > Gwen,
> > > > > > > >
> > > > > > > > Is it still possible to include this in 0.10.0.0?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > >
> > > > > > > > Rajini
> > > > > > > >
> > > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira <
> > > g...@confluent.io>
> > > > > > > wrote:
> > > > > > > >
> > > > > > > > > Sorry! Got distracted by the impending release!
> > > > > > > > >
> > > > > > > > > +1 on the current revision of the KIP.
> > > > > > > > >
> > > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha <ka...@harsha.io>
> > > wrote:
> > > > > > > > >
> > > > > > > > > > Any update on this. Gwen since the KIP is adjusted to
> > address
> > > > the
> > > > > > > > > > pluggable classes we should make a move on this.
> > > > > > > > > >
> > > > > > > > > > Rajini,
> > > > > > > > > > Can you restart the voting thread.
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > > Harsha
> > > > > > > > > >
> > > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram wrote:
> > > > > > > > > > > As discussed in the KIP meeting yesterday, the scope of
> > > > KIP-43
> > > > > > has
> > > > > > > > been
> > > > > > > > > > > reduced so that it can be integrated into 0.10.0.0. The
> > > > updated
> > > > > > KIP
> > > > > > > > is
> > > > > > > > > > > here:
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements
> > > > > > > > > > > .
> > > > > > > > > > >
> > > > > > > > > > > Can we continue the vote on the updated KIP?
> > > > > > > > > > >
> > > > > > > > > > > Thank you,
> > > > > > > > > > >
> > > > > > > > > > > Rajini
> > > > > > > > > > >
> > > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira <
> > > > > g...@confluent.io
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Harsha,
> > > > > > > > > > > >
> > > > > > > > > > > > Since you are clearly in favor of the KIP, do you
> mind
> > > > > jumping
> > > > > > > into
> > > > > > > > > > > > the discussion thread and help me understand the
> > decision
> > > > > > behind
> > > > > > > > the
> > > > > > > > > > > > configuration parameters only allowing a single Login
> > and
> > > > > > > > > > > > CallbackHandler class? This seems too limiting to me,
> > and
> > > > > while
> > > > > > > > > Rajini
> > > > > > > > > > > > is trying hard to convince me otherwise, I remain
> > > doubtful.
> > > > > > > Perhaps
> > > > > > > > > > > > (since we have similar experience with Hadoop), you
> can
> > > > help
> > > > > me
> > > > > > > see
> > > > > > > > > > > > what I am missing.
> > > > > > > > > > > >
> > > > > > > > > > > > Gwen
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha <
> > ka...@harsha.io
> > > >
> > > > > > wrote:
> > > > > > > > > > > > > +1 (binding)
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao wrote:
> > > > > > > > > > > > >> +1 (non-binding)
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew Schofield <
> > > > > > > > > > > > >> andrew_schofield_j...@outlook.com> wrote:
> > > > > > > > > > > > >>
> > > > > > > > > > > > >> > +1 (non-binding)
> > > > > > > > > > > > >> >
> > > > > > > > > > > > >> > ----------------------------------------
> > > > > > > > > > > > >> > > From: ism...@juma.me.uk
> > > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000
> > > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL
> > > enhancements
> > > > > > > > > > > > >> > > To: dev@kafka.apache.org
> > > > > > > > > > > > >> > >
> > > > > > > > > > > > >> > > +1 (non-binding)
> > > > > > > > > > > > >> > >
> > > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini
> Sivaram
> > <
> > > > > > > > > > > > >> > > rajinisiva...@googlemail.com> wrote:
> > > > > > > > > > > > >> > >
> > > > > > > > > > > > >> > >> I would like to start the voting process for
> > > > *KIP-43:
> > > > > > > Kafka
> > > > > > > > > > SASL
> > > > > > > > > > > > >> > >> enhancements*. This KIP extends the SASL
> > > > > implementation
> > > > > > > in
> > > > > > > > > > Kafka to
> > > > > > > > > > > > >> > support
> > > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to be
> > > > integrated
> > > > > > with
> > > > > > > > > > different
> > > > > > > > > > > > >> > >> authentication servers.
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >> The KIP is available here for reference:
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> >
> > > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >> And here's is a link to the discussion on the
> > > > mailing
> > > > > > > list:
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> >
> > > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >> Thank you...
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >> Regards,
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> > >> Rajini
> > > > > > > > > > > > >> > >>
> > > > > > > > > > > > >> >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Regards,
> > > > > > > > > > >
> > > > > > > > > > > Rajini
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Rajini
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > >
> > > > > > Rajini
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Rajini
> > > >
> > >
> >
>
>
>
> --
> Regards,
>
> Rajini
>
