Thanks for your review, Ismael.

First, I am no longer sure KIP-83 is worth keeping as a KIP; I created it 
just before Rajini's 
https://cwiki.apache.org/confluence/display/KAFKA/KIP-85%3A+Dynamic+JAAS+configuration+for+Kafka+clients
With KIP-85 as presented, my proposal has become a simple JIRA; there are 
no interface changes on top of KIP-85.
So I'll have no objection if you want to retire it as part of your 
cleanup.

As for your comments:
1) We can change the map to use the Password object as a key in the 
LoginManager cache, so logging its content won't leak the key.
Though I can't see why we would log the content of the cache.

2) If two clients use the same Jaas Config value, they will obtain the 
same LoginManager.
No new concurrency issue would arise as this happens today with any two 
clients (Producers/Consumers) in the same process.

3) Based on most jaas.config samples I have seen for Kerberos and 
SASL/PLAIN, the text used as key should be no larger than 0.5k.

Please let us know of any other concerns you may have, as 
IBM Message Hub is very eager to have the issue 
https://issues.apache.org/jira/browse/KAFKA-4180 merged in the next 
release (February timeframe 0.10.2? 0.11?). 
So we're waiting for Rajini's 
https://issues.apache.org/jira/browse/KAFKA-4259 on which our changes are 
based.

Thanks
Edo
--------------------------------------------------
Edoardo Comar
IBM MessageHub
eco...@uk.ibm.com
IBM UK Ltd, Hursley Park, SO21 2JN

IBM United Kingdom Limited Registered in England and Wales with number 
741598 Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 
3AU



From:   Ismael Juma <ism...@juma.me.uk>
To:     dev@kafka.apache.org
Date:   13/12/2016 12:49
Subject:        Re: [DISCUSS] KIP-83 - Allow multiple SASL PLAIN 
authenticated Java clients in a single JVM process
Sent by:        isma...@gmail.com



Thanks for the KIP. A few comments:

1. The suggestion is to use the JAAS config value as the key to the map in
`LoginManager`. The config value can include passwords, so we could
potentially end up leaking them if we log the keys of `LoginManager`. This
seems a bit dangerous.

2. If someone uses the same JAAS config value in two clients, they'll get
the same `JaasConfig`, which seems fine, but worth mentioning (it means
that the `JaasConfig` has to be thread-safe).

3. How big can a JAAS config get? Is it an issue to use it as a map key?
Probably not given how this is used, but worth covering in the KIP as well.

Ismael

On Tue, Sep 27, 2016 at 10:15 AM, Edoardo Comar <eco...@uk.ibm.com> wrote:

> Hi,
> I had a go at a KIP that addresses this JIRA
> https://issues.apache.org/jira/browse/KAFKA-4180
> "Shared authentification with multiple actives Kafka producers/consumers"
>
> which is a limitation of the current Java client that we (IBM MessageHub)
> get asked quite often lately.
>
> We will have a go at a PR soon, just as a proof of concept, but as it
> introduces new public interfaces it needs a KIP.
>
> I'll welcome your input.
>
> Edo
> --------------------------------------------------
> Edoardo Comar
> MQ Cloud Technologies
> eco...@uk.ibm.com
> +44 (0)1962 81 5576
> IBM UK Ltd, Hursley Park, SO21 2JN
>
> IBM United Kingdom Limited Registered in England and Wales with number
> 741598 Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6
> 3AU
> Unless stated otherwise above:
> IBM United Kingdom Limited - Registered in England and Wales with number
> 741598.
> Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
>



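An added illustration of points 1 and 2 discussed in this thread (not code from the thread, the KIP or Kafka): a login cache keyed by a wrapper whose toString() is masked, so printing the cache does not expose the JAAS text, while two clients with the same config still share one entry. `MaskedKey`, `Login`, `acquire` and the sample credentials are hypothetical names and constructed values.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

public class LoginCacheKeyDemo {
    // Hypothetical wrapper: compares by the wrapped text, never prints it.
    static final class MaskedKey {
        private final String value;
        MaskedKey(String value) { this.value = Objects.requireNonNull(value); }
        @Override public boolean equals(Object o) {
            return o instanceof MaskedKey && ((MaskedKey) o).value.equals(value);
        }
        @Override public int hashCode() { return value.hashCode(); }
        @Override public String toString() { return "[hidden]"; }
    }

    // Hypothetical stand-in for the shared per-config login state.
    static final class Login {
        final int id;
        Login(int id) { this.id = id; }
        @Override public String toString() { return "Login#" + id; }
    }

    static final Map<MaskedKey, Login> CACHE = new ConcurrentHashMap<>();
    static final AtomicInteger IDS = new AtomicInteger();

    // One Login per distinct config text; created atomically on first use.
    static Login acquire(String jaasConfig) {
        return CACHE.computeIfAbsent(new MaskedKey(jaasConfig),
                k -> new Login(IDS.incrementAndGet()));
    }

    public static void main(String[] args) {
        // Constructed sample configs, not real credentials.
        String module = "org.apache.kafka.common.security.plain.PlainLoginModule required ";
        String alice = module + "username=\"alice\" password=\"alice-secret\";";
        String bob = module + "username=\"bob\" password=\"bob-secret\";";
        Login a1 = acquire(alice), a2 = acquire(alice), b1 = acquire(bob);
        System.out.println("same config shares login: " + (a1 == a2));
        System.out.println("different config shares login: " + (a1 == b1));
        System.out.println("masked-key cache: " + CACHE);
        // Contrast: a String-keyed map prints the password with the key.
        Map<String, Login> stringKeyed = new HashMap<>();
        stringKeyed.put(alice, a1);
        System.out.println("string-keyed cache: " + stringKeyed);
    }
}
```

Masking toString() only keeps the key out of log output; the config text is still held in memory for the lifetime of the cache entry.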
