Re: [VOTE] KIP-111 Kafka should preserve the Principal generated by the PrincipalBuilder while processing the request received on socket channel, on the broker.

Mon, 20 Mar 2017 07:44:02 -0700 

Hi, Mayuresh,

One reason to have KafkaPrincipal in ACL is that we can extend it to
support group in the future. Have you thought about how to support that in
your new proposal?

Another reason that we had KafkaPrincipal is simplicity. It can be
constructed from a simple string and makes matching easier. If we
expose java.security.Principal,
then I guess that when an ACL is set, we have to be able to construct
a java.security.Principal
from some string to match the java.security.Principal generated from the
SSL or SASL library. How do we make sure that the same type of
java.security.Principal
can be created and will match?

Thanks,

Jun


On Wed, Mar 15, 2017 at 8:48 PM, Mayuresh Gharat <gharatmayures...@gmail.com
> wrote:

> Hi Jun,
>
> Sorry for the delayed reply.
> I agree that the easiest thing will be to add an additional field in the
> Session class and we should be OK.
> But having a KafkaPrincipal and java Principal with in the same class looks
> little weird.
>
> So we can do this and slowly deprecate the usage of KafkaPrincipal in
> public api's.
>
> We add new apis and make changes to the existing apis as follows :
>
>
>    - Changes to Session class :
>
> @Deprecated
> case class Session(principal: KafkaPrincipal, clientAddress: InetAddress) {
>     val sanitizedUser = QuotaId.sanitize(principal.getName)
> }
>
>
> *@Deprecated ...... (NEW)*
>
>
> *case class Session(principal: KafkaPrincipal, clientAddress: InetAddress,
> channelPrincipal: Java.security.Principal) {    val sanitizedUser =
> QuotaId.sanitize(principal.getName)}*
>
> *(NEW)*
>
>
> *case class Session(principal: Java.security.Principal, clientAddress:
> InetAddress) {    val sanitizedUser = QuotaId.sanitize(principal.get
> Name)}*
>
>
>    - Changes to Authorizer Interface :
>
> @Deprecated
> def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]]
>
> *(NEW)*
> *def getAcls(principal: Java.security.Principal): Map[Resource, Set[Acl]]*
>
>
>    - Changes to Acl class :
>
> @Deprecated
> case class Acl(principal: KafkaPrincipal, permissionType: PermissionType,
> host: String, operation: Operation)
>
>            *(NEW)*
>
>
> *case class Acl(principal: Java.security.Principal, permissionType:
> PermissionType, host: String, operation: Operation) *
> The one in Bold are the new api's. We will remove them eventually, probably
> in next major release.
> We don't want to get rid of KafkaPrincipal class and it will be used in the
> same way as it does right now for out of box authorizer and commandline
> tool. We would only be removing its direct usage from public apis.
> Doing the above deprecation will help us to support other implementation of
> Java.security.Principal as well which seems necessary especially since
> Kafka provides pluggable Authorizer and PrincipalBuilder.
>
> Let me know your thoughts on this.
>
> Thanks,
>
> Mayuresh
>
> On Tue, Feb 28, 2017 at 2:33 PM, Mayuresh Gharat <
> gharatmayures...@gmail.com
> > wrote:
>
> > Hi Jun,
> >
> > Sure.
> > I had an offline discussion with Joel on how we can deprecate the
> > KafkaPrincipal from  Session and Authorizer.
> > I will update the KIP to see if we can address all the concerns here. If
> > not we can keep the KafkaPrincipal.
> >
> > Thanks,
> >
> > Mayuresh
> >
> > On Tue, Feb 28, 2017 at 1:53 PM, Jun Rao <j...@confluent.io> wrote:
> >
> >> Hi, Joel,
> >>
> >> Good point on the getAcls() method. KafkaPrincipal is also tied to ACL,
> >> which is used in pretty much every method in Authorizer. Now, I am not
> >> sure
> >> if it's easy to deprecate KafkaPrincipal.
> >>
> >> Hi, Mayuresh,
> >>
> >> Given the above, it seems that the easiest thing is to add a new
> Principal
> >> field in Session. We want to make it clear that it's ignored in the
> >> default
> >> implementation, but a customizer authorizer could take advantage of
> that.
> >>
> >> Thanks,
> >>
> >> Jun
> >>
> >> On Tue, Feb 28, 2017 at 10:52 AM, Joel Koshy <jjkosh...@gmail.com>
> wrote:
> >>
> >> > If we deprecate KafkaPrincipal, then the Authorizer interface will
> also
> >> > need to change - i.e., deprecate the getAcls(KafkaPrincipal) method.
> >> >
> >> > On Tue, Feb 28, 2017 at 10:11 AM, Mayuresh Gharat <
> >> > gharatmayures...@gmail.com> wrote:
> >> >
> >> > > Hi Jun/Ismael,
> >> > >
> >> > > Thanks for the comments.
> >> > >
> >> > > I agree.
> >> > > What I was thinking was, we get the KIP passed now and wait till
> major
> >> > > kafka version release. We can then make this change, but for now we
> >> can
> >> > > wait. Does that work?
> >> > >
> >> > > If there are concerns, we can make the addition of extra field of
> type
> >> > > Principal to Session and then deprecate the KafkaPrincipal later.
> >> > >
> >> > > I am fine either ways. What do you think?
> >> > >
> >> > > Thanks,
> >> > >
> >> > > Mayuresh
> >> > >
> >> > > On Tue, Feb 28, 2017 at 9:53 AM, Jun Rao <j...@confluent.io> wrote:
> >> > >
> >> > > > Hi, Ismael,
> >> > > >
> >> > > > Good point on compatibility.
> >> > > >
> >> > > > Hi, Mayuresh,
> >> > > >
> >> > > > Given that, it seems that it's better to just add the raw
> principal
> >> as
> >> > a
> >> > > > new field in Session for now and deprecate the KafkaPrincipal
> field
> >> in
> >> > > the
> >> > > > future if needed?
> >> > > >
> >> > > > Thanks,
> >> > > >
> >> > > > Jun
> >> > > >
> >> > > > On Mon, Feb 27, 2017 at 5:05 PM, Ismael Juma <ism...@juma.me.uk>
> >> > wrote:
> >> > > >
> >> > > > > Breaking clients without a deprecation period is something we
> >> only do
> >> > > as
> >> > > > a
> >> > > > > last resort. Is there strong justification for doing it here?
> >> > > > >
> >> > > > > Ismael
> >> > > > >
> >> > > > > On Mon, Feb 27, 2017 at 11:28 PM, Mayuresh Gharat <
> >> > > > > gharatmayures...@gmail.com> wrote:
> >> > > > >
> >> > > > > > Hi Ismael,
> >> > > > > >
> >> > > > > > Yeah. I agree that it might break the clients if the user is
> >> using
> >> > > the
> >> > > > > > kafkaPrincipal directly. But since KafkaPrincipal is also a
> Java
> >> > > > > Principal
> >> > > > > > and I think, it would be a right thing to do replace the
> >> > > kafkaPrincipal
> >> > > > > > with Java Principal at this stage than later.
> >> > > > > >
> >> > > > > > We can mention in the KIP, that it would break the clients
> that
> >> are
> >> > > > using
> >> > > > > > the KafkaPrincipal directly and they will have to use the
> >> > > PrincipalType
> >> > > > > > directly, if they are using it as its only one value and use
> the
> >> > name
> >> > > > > from
> >> > > > > > the Principal directly or create a KafkaPrincipal from Java
> >> > Principal
> >> > > > as
> >> > > > > we
> >> > > > > > are doing in SimpleAclAuthorizer with this KIP.
> >> > > > > >
> >> > > > > > Thanks,
> >> > > > > >
> >> > > > > > Mayuresh
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > On Mon, Feb 27, 2017 at 10:56 AM, Ismael Juma <
> >> ism...@juma.me.uk>
> >> > > > wrote:
> >> > > > > >
> >> > > > > > > Hi Mayuresh,
> >> > > > > > >
> >> > > > > > > Sorry for the delay. The updated KIP states that there is no
> >> > > > > > compatibility
> >> > > > > > > impact, but that doesn't seem right. The fact that we
> changed
> >> the
> >> > > > type
> >> > > > > of
> >> > > > > > > Session.principal to `Principal` means that any code that
> >> expects
> >> > > it
> >> > > > to
> >> > > > > > be
> >> > > > > > > `KafkaPrincipal` will break. Either because of declared
> types
> >> > > > (likely)
> >> > > > > or
> >> > > > > > > if it accesses `getPrincipalType` (unlikely since the value
> is
> >> > > always
> >> > > > > the
> >> > > > > > > same). It's a bit annoying, but we should add a new field to
> >> > > > `Session`
> >> > > > > > with
> >> > > > > > > the original principal. We can potentially deprecate the
> >> existing
> >> > > > one,
> >> > > > > if
> >> > > > > > > we're sure we don't need it (or we can leave it for now).
> >> > > > > > >
> >> > > > > > > Ismael
> >> > > > > > >
> >> > > > > > > On Mon, Feb 27, 2017 at 6:40 PM, Mayuresh Gharat <
> >> > > > > > > gharatmayures...@gmail.com
> >> > > > > > > > wrote:
> >> > > > > > >
> >> > > > > > > > Hi Ismael, Joel, Becket
> >> > > > > > > >
> >> > > > > > > > Would you mind taking a look at this. We require 2 more
> >> binding
> >> > > > votes
> >> > > > > > for
> >> > > > > > > > the KIP to pass.
> >> > > > > > > >
> >> > > > > > > > Thanks,
> >> > > > > > > >
> >> > > > > > > > Mayuresh
> >> > > > > > > >
> >> > > > > > > > On Thu, Feb 23, 2017 at 10:57 AM, Dong Lin <
> >> > lindon...@gmail.com>
> >> > > > > > wrote:
> >> > > > > > > >
> >> > > > > > > > > +1 (non-binding)
> >> > > > > > > > >
> >> > > > > > > > > On Wed, Feb 22, 2017 at 10:52 PM, Manikumar <
> >> > > > > > manikumar.re...@gmail.com
> >> > > > > > > >
> >> > > > > > > > > wrote:
> >> > > > > > > > >
> >> > > > > > > > > > +1 (non-binding)
> >> > > > > > > > > >
> >> > > > > > > > > > On Thu, Feb 23, 2017 at 3:27 AM, Mayuresh Gharat <
> >> > > > > > > > > > gharatmayures...@gmail.com
> >> > > > > > > > > > > wrote:
> >> > > > > > > > > >
> >> > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > >
> >> > > > > > > > > > > Thanks a lot for the comments and reviews.
> >> > > > > > > > > > > I agree we should log the username.
> >> > > > > > > > > > > What I meant by creating KafkaPrincipal was, after
> >> this
> >> > KIP
> >> > > > we
> >> > > > > > > would
> >> > > > > > > > > not
> >> > > > > > > > > > be
> >> > > > > > > > > > > required to create KafkaPrincipal and if we want to
> >> > > maintain
> >> > > > > the
> >> > > > > > > old
> >> > > > > > > > > > > logging, we will have to create it as we do today.
> >> > > > > > > > > > > I will take care that we specify the Principal name
> in
> >> > the
> >> > > > log.
> >> > > > > > > > > > >
> >> > > > > > > > > > > Thanks again for all the reviews.
> >> > > > > > > > > > >
> >> > > > > > > > > > > Thanks,
> >> > > > > > > > > > >
> >> > > > > > > > > > > Mayuresh
> >> > > > > > > > > > >
> >> > > > > > > > > > > On Wed, Feb 22, 2017 at 1:45 PM, Jun Rao <
> >> > j...@confluent.io
> >> > > >
> >> > > > > > wrote:
> >> > > > > > > > > > >
> >> > > > > > > > > > > > Hi, Mayuresh,
> >> > > > > > > > > > > >
> >> > > > > > > > > > > > For logging the user name, we could do either way.
> >> We
> >> > > just
> >> > > > > need
> >> > > > > > > to
> >> > > > > > > > > make
> >> > > > > > > > > > > > sure the expected user name is logged. Also,
> >> currently,
> >> > > we
> >> > > > > are
> >> > > > > > > > > already
> >> > > > > > > > > > > > creating a KafkaPrincipal on every request. +1 on
> >> the
> >> > > > latest
> >> > > > > > KIP.
> >> > > > > > > > > > > >
> >> > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > >
> >> > > > > > > > > > > > Jun
> >> > > > > > > > > > > >
> >> > > > > > > > > > > >
> >> > > > > > > > > > > > On Tue, Feb 21, 2017 at 8:05 PM, Mayuresh Gharat <
> >> > > > > > > > > > > > gharatmayures...@gmail.com
> >> > > > > > > > > > > > > wrote:
> >> > > > > > > > > > > >
> >> > > > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > Thanks for the comments.
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > I will mention in the KIP : how this change
> >> doesn't
> >> > > > affect
> >> > > > > > the
> >> > > > > > > > > > default
> >> > > > > > > > > > > > > authorizer implementation.
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > Regarding, Currently, we log the principal name
> in
> >> > the
> >> > > > > > request
> >> > > > > > > > log
> >> > > > > > > > > in
> >> > > > > > > > > > > > > RequestChannel, which has the format of
> >> > "principalType
> >> > > +
> >> > > > > > > > SEPARATOR
> >> > > > > > > > > +
> >> > > > > > > > > > > > > name;".
> >> > > > > > > > > > > > > It would be good if we can keep the same
> >> convention
> >> > > after
> >> > > > > > this
> >> > > > > > > > KIP.
> >> > > > > > > > > > One
> >> > > > > > > > > > > > way
> >> > > > > > > > > > > > > to do that is to convert java.security.Principal
> >> to
> >> > > > > > > > KafkaPrincipal
> >> > > > > > > > > > for
> >> > > > > > > > > > > > > logging the requests.
> >> > > > > > > > > > > > > --- > This would mean we have to create a new
> >> > > > > KafkaPrincipal
> >> > > > > > on
> >> > > > > > > > > each
> >> > > > > > > > > > > > > request. Would it be OK to just specify the name
> >> of
> >> > the
> >> > > > > > > > principal.
> >> > > > > > > > > > > > > Is there any major reason, we don't want to
> change
> >> > the
> >> > > > > > logging
> >> > > > > > > > > > format?
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > On Mon, Feb 20, 2017 at 10:18 PM, Jun Rao <
> >> > > > > j...@confluent.io>
> >> > > > > > > > > wrote:
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > Hi, Mayuresh,
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > Thanks for the updated KIP. A couple of more
> >> > > comments.
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > 1. Do we convert java.security.Principal to
> >> > > > > KafkaPrincipal
> >> > > > > > > for
> >> > > > > > > > > > > > > > authorization check in SimpleAclAuthorizer? If
> >> so,
> >> > it
> >> > > > > would
> >> > > > > > > be
> >> > > > > > > > > > useful
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > mention that in the wiki so that people can
> >> > > understand
> >> > > > > how
> >> > > > > > > this
> >> > > > > > > > > > > change
> >> > > > > > > > > > > > > > doesn't affect the default authorizer
> >> > implementation.
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > 2. Currently, we log the principal name in the
> >> > > request
> >> > > > > log
> >> > > > > > in
> >> > > > > > > > > > > > > > RequestChannel, which has the format of
> >> > > "principalType
> >> > > > +
> >> > > > > > > > > SEPARATOR
> >> > > > > > > > > > +
> >> > > > > > > > > > > > > > name;".
> >> > > > > > > > > > > > > > It would be good if we can keep the same
> >> convention
> >> > > > after
> >> > > > > > > this
> >> > > > > > > > > KIP.
> >> > > > > > > > > > > One
> >> > > > > > > > > > > > > way
> >> > > > > > > > > > > > > > to do that is to convert
> >> java.security.Principal to
> >> > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > for
> >> > > > > > > > > > > > > > logging the requests.
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > Jun
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 5:35 PM, Mayuresh
> >> Gharat <
> >> > > > > > > > > > > > > > gharatmayures...@gmail.com
> >> > > > > > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > I have updated the KIP. Would you mind
> taking
> >> > > another
> >> > > > > > look?
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 4:42 PM, Mayuresh
> >> Gharat
> >> > <
> >> > > > > > > > > > > > > > > gharatmayures...@gmail.com
> >> > > > > > > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > Sure sounds good to me.
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 1:54 PM, Jun Rao <
> >> > > > > > > j...@confluent.io
> >> > > > > > > > >
> >> > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> Hi, Mani,
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> Good point on using PrincipalBuilder for
> >> SASL.
> >> > > It
> >> > > > > > seems
> >> > > > > > > > that
> >> > > > > > > > > > > > > > > >> PrincipalBuilder already has access to
> >> > > > > Authenticator.
> >> > > > > > > So,
> >> > > > > > > > we
> >> > > > > > > > > > > could
> >> > > > > > > > > > > > > > just
> >> > > > > > > > > > > > > > > >> enable that in SaslChannelBuilder. We
> >> probably
> >> > > > could
> >> > > > > > do
> >> > > > > > > > that
> >> > > > > > > > > > in
> >> > > > > > > > > > > a
> >> > > > > > > > > > > > > > > separate
> >> > > > > > > > > > > > > > > >> KIP?
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> Hi, Mayuresh,
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> If you don't think there is a concrete
> use
> >> > case
> >> > > > for
> >> > > > > > > using
> >> > > > > > > > > > > > > > > >> PrincipalBuilder in
> >> > > > > > > > > > > > > > > >> kafka-acls.sh, perhaps we could do the
> >> simpler
> >> > > > > > approach
> >> > > > > > > > for
> >> > > > > > > > > > now?
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> Thanks,
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> Jun
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> On Fri, Feb 17, 2017 at 12:23 PM,
> Mayuresh
> >> > > Gharat
> >> > > > <
> >> > > > > > > > > > > > > > > >> gharatmayures...@gmail.com> wrote:
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >> > @Manikumar,
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > Can you give an example how you are
> >> planning
> >> > > to
> >> > > > > use
> >> > > > > > > > > > > > > > PrincipalBuilder?
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > @Jun
> >> > > > > > > > > > > > > > > >> > Yes, that is right. To give a brief
> >> > overview,
> >> > > we
> >> > > > > > just
> >> > > > > > > > > > extract
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > cert
> >> > > > > > > > > > > > > > > >> and
> >> > > > > > > > > > > > > > > >> > hand it over to a third party library
> for
> >> > > > > creating a
> >> > > > > > > > > > > Principal.
> >> > > > > > > > > > > > So
> >> > > > > > > > > > > > > > we
> >> > > > > > > > > > > > > > > >> > cannot create a Principal from just a
> >> > string.
> >> > > > > > > > > > > > > > > >> > The main motive behind adding the
> >> > > > PrincipalBuilder
> >> > > > > > for
> >> > > > > > > > > > > > > kafk-acls.sh
> >> > > > > > > > > > > > > > > was
> >> > > > > > > > > > > > > > > >> > that someone else (who can generate a
> >> > > Principal
> >> > > > > from
> >> > > > > > > map
> >> > > > > > > > > of
> >> > > > > > > > > > > > > > propertie,
> >> > > > > > > > > > > > > > > >> > <String, String> for example) can use
> it.
> >> > > > > > > > > > > > > > > >> > As I said, Linkedin is fine with not
> >> making
> >> > > any
> >> > > > > > > changes
> >> > > > > > > > to
> >> > > > > > > > > > > > > > > Kafka-acls.sh
> >> > > > > > > > > > > > > > > >> > for now. But we thought that it would
> be
> >> a
> >> > > good
> >> > > > > > > > > improvement
> >> > > > > > > > > > to
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > tool
> >> > > > > > > > > > > > > > > >> and
> >> > > > > > > > > > > > > > > >> > it makes it more flexible and usable.
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > Let us know your thoughts, if you would
> >> like
> >> > > us
> >> > > > to
> >> > > > > > > make
> >> > > > > > > > > > > > > > kafka-acls.sh
> >> > > > > > > > > > > > > > > >> more
> >> > > > > > > > > > > > > > > >> > flexible and usable and not limited to
> >> > > > Authorizer
> >> > > > > > > coming
> >> > > > > > > > > out
> >> > > > > > > > > > > of
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > box.
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > Thanks,
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > Mayuresh
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > On Thu, Feb 16, 2017 at 10:18 PM,
> >> Manikumar
> >> > <
> >> > > > > > > > > > > > > > > manikumar.re...@gmail.com>
> >> > > > > > > > > > > > > > > >> > wrote:
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > > Hi Jun,
> >> > > > > > > > > > > > > > > >> > >
> >> > > > > > > > > > > > > > > >> > > yes, we can just customize rules to
> >> send
> >> > > full
> >> > > > > > > > principal
> >> > > > > > > > > > > > name.  I
> >> > > > > > > > > > > > > > was
> >> > > > > > > > > > > > > > > >> > > just thinking to
> >> > > > > > > > > > > > > > > >> > > use PrinciplaBuilder interface for
> >> > > > implementing
> >> > > > > > SASL
> >> > > > > > > > > rules
> >> > > > > > > > > > > > also.
> >> > > > > > > > > > > > > > So
> >> > > > > > > > > > > > > > > >> that
> >> > > > > > > > > > > > > > > >> > > the interface
> >> > > > > > > > > > > > > > > >> > > will be consistent across protocols.
> >> > > > > > > > > > > > > > > >> > >
> >> > > > > > > > > > > > > > > >> > > Thanks
> >> > > > > > > > > > > > > > > >> > >
> >> > > > > > > > > > > > > > > >> > > On Fri, Feb 17, 2017 at 1:07 AM, Jun
> >> Rao <
> >> > > > > > > > > > j...@confluent.io>
> >> > > > > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > >
> >> > > > > > > > > > > > > > > >> > > > Hi, Radai, Mayuresh,
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > Thanks for the explanation. Good
> >> point
> >> > on
> >> > > a
> >> > > > > > > > pluggable
> >> > > > > > > > > > > > > authorizer
> >> > > > > > > > > > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > customize how acls are added.
> >> However,
> >> > > > > earlier,
> >> > > > > > > > > Mayuresh
> >> > > > > > > > > > > was
> >> > > > > > > > > > > > > > > saying
> >> > > > > > > > > > > > > > > >> > that
> >> > > > > > > > > > > > > > > >> > > in
> >> > > > > > > > > > > > > > > >> > > > LinkedIn's customized authorizer,
> >> it's
> >> > not
> >> > > > > > > possible
> >> > > > > > > > to
> >> > > > > > > > > > > > create
> >> > > > > > > > > > > > > a
> >> > > > > > > > > > > > > > > >> > principal
> >> > > > > > > > > > > > > > > >> > > > from string. If that's the case,
> will
> >> > > adding
> >> > > > > the
> >> > > > > > > > > > principal
> >> > > > > > > > > > > > > > builder
> >> > > > > > > > > > > > > > > >> in
> >> > > > > > > > > > > > > > > >> > > > kafka-acl.sh help? If the principal
> >> can
> >> > be
> >> > > > > > > > constructed
> >> > > > > > > > > > > from
> >> > > > > > > > > > > > a
> >> > > > > > > > > > > > > > > >> string,
> >> > > > > > > > > > > > > > > >> > > > wouldn't it be simpler to just let
> >> > > > > kafka-acl.sh
> >> > > > > > do
> >> > > > > > > > > > > > > authorization
> >> > > > > > > > > > > > > > > >> based
> >> > > > > > > > > > > > > > > >> > on
> >> > > > > > > > > > > > > > > >> > > > that string name and not be aware
> of
> >> the
> >> > > > > > principal
> >> > > > > > > > > > > builder?
> >> > > > > > > > > > > > If
> >> > > > > > > > > > > > > > you
> >> > > > > > > > > > > > > > > >> > still
> >> > > > > > > > > > > > > > > >> > > > think there is a need, perhaps you
> >> can
> >> > > add a
> >> > > > > > more
> >> > > > > > > > > > concrete
> >> > > > > > > > > > > > use
> >> > > > > > > > > > > > > > > case
> >> > > > > > > > > > > > > > > >> > that
> >> > > > > > > > > > > > > > > >> > > > can't be done otherwise?
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > Hi, Mani,
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > For SASL, if the authorizer needs
> the
> >> > full
> >> > > > > > > kerberos
> >> > > > > > > > > > > > principal
> >> > > > > > > > > > > > > > > name,
> >> > > > > > > > > > > > > > > >> > > > currently, the user can just
> >> customize "
> >> > > > > > > > > > > > > > > sasl.kerberos.principal.to.
> >> > > > > > > > > > > > > > > >> > > > local.rules"
> >> > > > > > > > > > > > > > > >> > > > to return the full principal name
> as
> >> the
> >> > > > name
> >> > > > > > for
> >> > > > > > > > > > > > > authorization,
> >> > > > > > > > > > > > > > > >> right?
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > Jun
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > On Wed, Feb 15, 2017 at 10:25 AM,
> >> > Mayuresh
> >> > > > > > Gharat
> >> > > > > > > <
> >> > > > > > > > > > > > > > > >> > > > gharatmayures...@gmail.com> wrote:
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > > @Jun thanks for the
> comments.Please
> >> > see
> >> > > > the
> >> > > > > > > > replies
> >> > > > > > > > > > > > inline.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Currently kafka-acl.sh just
> >> creates an
> >> > > ACL
> >> > > > > > path
> >> > > > > > > in
> >> > > > > > > > > ZK
> >> > > > > > > > > > > with
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > principal
> >> > > > > > > > > > > > > > > >> > > > > name string.
> >> > > > > > > > > > > > > > > >> > > > > ----> Yes, the kafka-acl.sh calls
> >> the
> >> > > > > addAcl()
> >> > > > > > > on
> >> > > > > > > > > the
> >> > > > > > > > > > > > > inbuilt
> >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer which in turn
> >> > > creates
> >> > > > an
> >> > > > > > ACL
> >> > > > > > > > in
> >> > > > > > > > > ZK
> >> > > > > > > > > > > > with
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > Principal
> >> > > > > > > > > > > > > > > >> > > > > name string. This is because we
> >> supply
> >> > > the
> >> > > > > > > > > > > > > SimpleAclAuthorizer
> >> > > > > > > > > > > > > > > as
> >> > > > > > > > > > > > > > > >> a
> >> > > > > > > > > > > > > > > >> > > > > commandline argument in the
> >> > > Kafka-acls.sh
> >> > > > > > > command.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > The authorizer module in the
> broker
> >> > > reads
> >> > > > > the
> >> > > > > > > > > > principal
> >> > > > > > > > > > > > name
> >> > > > > > > > > > > > > > > >> > > > > string from the acl path in ZK
> and
> >> > > creates
> >> > > > > the
> >> > > > > > > > > > expected
> >> > > > > > > > > > > > > > > >> > KafkaPrincipal
> >> > > > > > > > > > > > > > > >> > > > for
> >> > > > > > > > > > > > > > > >> > > > > matching. As you can see, the
> >> expected
> >> > > > > > principal
> >> > > > > > > > is
> >> > > > > > > > > > > > created
> >> > > > > > > > > > > > > on
> >> > > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > broker
> >> > > > > > > > > > > > > > > >> > > > > side, not by the kafka-acl.sh
> tool.
> >> > > > > > > > > > > > > > > >> > > > > ----> This is considering the
> fact
> >> > that
> >> > > > the
> >> > > > > > user
> >> > > > > > > > is
> >> > > > > > > > > > > using
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer on the broker
> >> side
> >> > > and
> >> > > > > not
> >> > > > > > > his
> >> > > > > > > > > own
> >> > > > > > > > > > > > > custom
> >> > > > > > > > > > > > > > > >> > > Authorizer.
> >> > > > > > > > > > > > > > > >> > > > > The SimpleAclAuthorizer will take
> >> the
> >> > > > > > Principal
> >> > > > > > > it
> >> > > > > > > > > > gets
> >> > > > > > > > > > > > from
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > Session
> >> > > > > > > > > > > > > > > >> > > > > class . Currently the Principal
> is
> >> > > > > > > KafkaPrincipal.
> >> > > > > > > > > > This
> >> > > > > > > > > > > > > > > >> > KafkaPrincipal
> >> > > > > > > > > > > > > > > >> > > is
> >> > > > > > > > > > > > > > > >> > > > > generated from the name of the
> >> actual
> >> > > > > channel
> >> > > > > > > > > > Principal,
> >> > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > SocketServer
> >> > > > > > > > > > > > > > > >> > > > > class when processing completed
> >> > > receives.
> >> > > > > > > > > > > > > > > >> > > > > With this KIP, this will no
> longer
> >> be
> >> > > the
> >> > > > > case
> >> > > > > > > as
> >> > > > > > > > > the
> >> > > > > > > > > > > > > Session
> >> > > > > > > > > > > > > > > >> class
> >> > > > > > > > > > > > > > > >> > > will
> >> > > > > > > > > > > > > > > >> > > > > store a java.security.Principal
> >> > instead
> >> > > of
> >> > > > > > > > specific
> >> > > > > > > > > > > > > > > >> KafkaPrincipal.
> >> > > > > > > > > > > > > > > >> > So
> >> > > > > > > > > > > > > > > >> > > > the
> >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer will
> construct
> >> the
> >> > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > from
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > channel
> >> > > > > > > > > > > > > > > >> > > > > Principal it gets from the
> Session
> >> > > class.
> >> > > > > > > > > > > > > > > >> > > > > User might not want to use the
> >> > > > > > > SimpleAclAuthorizer
> >> > > > > > > > > but
> >> > > > > > > > > > > use
> >> > > > > > > > > > > > > > > his/her
> >> > > > > > > > > > > > > > > >> > own
> >> > > > > > > > > > > > > > > >> > > > > custom Authorizer.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > The broker already has the
> ability
> >> to
> >> > > > > > > > > > > > > > > >> > > > > configure PrincipalBuilder.
> That's
> >> > why I
> >> > > > am
> >> > > > > > not
> >> > > > > > > > sure
> >> > > > > > > > > > if
> >> > > > > > > > > > > > > there
> >> > > > > > > > > > > > > > > is a
> >> > > > > > > > > > > > > > > >> > need
> >> > > > > > > > > > > > > > > >> > > > for
> >> > > > > > > > > > > > > > > >> > > > > kafka-acl.sh to customize
> >> > > > PrincipalBuilder.
> >> > > > > > > > > > > > > > > >> > > > > ----> This is exactly the reason
> >> why
> >> > we
> >> > > > want
> >> > > > > > to
> >> > > > > > > > > > propose
> >> > > > > > > > > > > a
> >> > > > > > > > > > > > > > > >> > > > PrincipalBuilder
> >> > > > > > > > > > > > > > > >> > > > > in kafka-acls.sh so that the
> >> Principal
> >> > > > > > generated
> >> > > > > > > > by
> >> > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > PrincipalBuilder
> >> > > > > > > > > > > > > > > >> > > > on
> >> > > > > > > > > > > > > > > >> > > > > broker is consistent with that
> >> > generated
> >> > > > > while
> >> > > > > > > > > > creating
> >> > > > > > > > > > > > ACLs
> >> > > > > > > > > > > > > > > using
> >> > > > > > > > > > > > > > > >> > the
> >> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh command line tool.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > *To summarize the above
> >> discussions :*
> >> > > > > > > > > > > > > > > >> > > > > What if we only make the
> following
> >> > > > changes:
> >> > > > > > pass
> >> > > > > > > > the
> >> > > > > > > > > > > java
> >> > > > > > > > > > > > > > > >> principal
> >> > > > > > > > > > > > > > > >> > in
> >> > > > > > > > > > > > > > > >> > > > > session and in
> >> > > > > > > > > > > > > > > >> > > > > SimpleAuthorizer, construct
> >> > > KafkaPrincipal
> >> > > > > > from
> >> > > > > > > > java
> >> > > > > > > > > > > > > principal
> >> > > > > > > > > > > > > > > >> name.
> >> > > > > > > > > > > > > > > >> > > Will
> >> > > > > > > > > > > > > > > >> > > > > that work for LinkedIn?
> >> > > > > > > > > > > > > > > >> > > > > ------> Yes, this works for
> >> Linkedin
> >> > as
> >> > > we
> >> > > > > are
> >> > > > > > > not
> >> > > > > > > > > > using
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > kafka-acls.sh
> >> > > > > > > > > > > > > > > >> > > > > tool to create/update/add ACLs,
> for
> >> > now.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Do you think there is a use case
> >> for a
> >> > > > > > > customized
> >> > > > > > > > > > > > authorizer
> >> > > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > >> > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > at the
> >> > > > > > > > > > > > > > > >> > > > > same time? If not, it's better
> not
> >> to
> >> > > > > > complicate
> >> > > > > > > > the
> >> > > > > > > > > > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> api.
> >> > > > > > > > > > > > > > > >> > > > > -----> At Linkedin, we don't use
> >> this
> >> > > tool
> >> > > > > for
> >> > > > > > > > now.
> >> > > > > > > > > So
> >> > > > > > > > > > > we
> >> > > > > > > > > > > > > are
> >> > > > > > > > > > > > > > > fine
> >> > > > > > > > > > > > > > > >> > with
> >> > > > > > > > > > > > > > > >> > > > the
> >> > > > > > > > > > > > > > > >> > > > > minimal change for now.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Initially, our change was
> minimal,
> >> > just
> >> > > > > > getting
> >> > > > > > > > the
> >> > > > > > > > > > > Kafka
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> preserve
> >> > > > > > > > > > > > > > > >> > > the
> >> > > > > > > > > > > > > > > >> > > > > channel principal. Since there
> was
> >> a
> >> > > > > > discussion
> >> > > > > > > > how
> >> > > > > > > > > > > > > > > kafka-acls.sh
> >> > > > > > > > > > > > > > > >> > would
> >> > > > > > > > > > > > > > > >> > > > > work with this change, on the
> >> ticket,
> >> > we
> >> > > > > > > designed
> >> > > > > > > > a
> >> > > > > > > > > > > > detailed
> >> > > > > > > > > > > > > > > >> solution
> >> > > > > > > > > > > > > > > >> > > to
> >> > > > > > > > > > > > > > > >> > > > > make this tool generally usable
> >> with
> >> > all
> >> > > > > sorts
> >> > > > > > > of
> >> > > > > > > > > > > > > combinations
> >> > > > > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > > Authorizers and PrincipalBuilders
> >> and
> >> > > give
> >> > > > > > more
> >> > > > > > > > > > > > flexibility
> >> > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > end
> >> > > > > > > > > > > > > > > >> > > > > users.
> >> > > > > > > > > > > > > > > >> > > > > Without the changes proposed for
> >> > > > > kafka-acls.sh
> >> > > > > > > in
> >> > > > > > > > > this
> >> > > > > > > > > > > > KIP,
> >> > > > > > > > > > > > > it
> >> > > > > > > > > > > > > > > >> cannot
> >> > > > > > > > > > > > > > > >> > > be
> >> > > > > > > > > > > > > > > >> > > > > used with a custom
> >> > > > > Authorizer/PrinipalBuilder
> >> > > > > > > but
> >> > > > > > > > > will
> >> > > > > > > > > > > > only
> >> > > > > > > > > > > > > > work
> >> > > > > > > > > > > > > > > >> with
> >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Although, I would actually like
> it
> >> to
> >> > > work
> >> > > > > for
> >> > > > > > > > > general
> >> > > > > > > > > > > > > > scenario,
> >> > > > > > > > > > > > > > > >> I am
> >> > > > > > > > > > > > > > > >> > > > fine
> >> > > > > > > > > > > > > > > >> > > > > with separating it under a
> separate
> >> > KIP
> >> > > > and
> >> > > > > > > limit
> >> > > > > > > > > the
> >> > > > > > > > > > > > scope
> >> > > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> this
> >> > > > > > > > > > > > > > > >> > > KIP.
> >> > > > > > > > > > > > > > > >> > > > > I will update the KIP accordingly
> >> and
> >> > > put
> >> > > > > this
> >> > > > > > > > under
> >> > > > > > > > > > > > > rejected
> >> > > > > > > > > > > > > > > >> > > > alternatives
> >> > > > > > > > > > > > > > > >> > > > > and create a new KIP for the
> >> > > Kafka-acls.sh
> >> > > > > > > > changes.
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > @Manikumar
> >> > > > > > > > > > > > > > > >> > > > > Since we are limiting the scope
> of
> >> > this
> >> > > > KIP
> >> > > > > by
> >> > > > > > > not
> >> > > > > > > > > > > making
> >> > > > > > > > > > > > > any
> >> > > > > > > > > > > > > > > >> changes
> >> > > > > > > > > > > > > > > >> > > to
> >> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh, I will cover your
> >> > concern
> >> > > > in
> >> > > > > a
> >> > > > > > > > > separate
> >> > > > > > > > > > > KIP
> >> > > > > > > > > > > > > > that
> >> > > > > > > > > > > > > > > I
> >> > > > > > > > > > > > > > > >> > will
> >> > > > > > > > > > > > > > > >> > > > put
> >> > > > > > > > > > > > > > > >> > > > > up for kafka-acls.sh. Does that
> >> work?
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > Mayuresh
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > On Wed, Feb 15, 2017 at 9:18 AM,
> >> > radai <
> >> > > > > > > > > > > > > > > >> radai.rosenbl...@gmail.com>
> >> > > > > > > > > > > > > > > >> > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > > @jun:
> >> > > > > > > > > > > > > > > >> > > > > > "Currently kafka-acl.sh just
> >> creates
> >> > > an
> >> > > > > ACL
> >> > > > > > > path
> >> > > > > > > > > in
> >> > > > > > > > > > ZK
> >> > > > > > > > > > > > > with
> >> > > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > name string" - yes, but not
> >> > directly.
> >> > > > all
> >> > > > > it
> >> > > > > > > > > > actually
> >> > > > > > > > > > > > does
> >> > > > > > > > > > > > > > it
> >> > > > > > > > > > > > > > > >> > spin-up
> >> > > > > > > > > > > > > > > >> > > > the
> >> > > > > > > > > > > > > > > >> > > > > > Authorizer and call
> >> > > Authorizer.addAcl()
> >> > > > on
> >> > > > > > it.
> >> > > > > > > > > > > > > > > >> > > > > > the vanilla Authorizer goes to
> >> ZK.
> >> > > > > > > > > > > > > > > >> > > > > > but generally speaking, users
> can
> >> > plug
> >> > > > in
> >> > > > > > > their
> >> > > > > > > > > own
> >> > > > > > > > > > > > > > > Authorizers
> >> > > > > > > > > > > > > > > >> > (that
> >> > > > > > > > > > > > > > > >> > > > can
> >> > > > > > > > > > > > > > > >> > > > > > store/load ACLs to/from
> >> wherever).
> >> > > > > > > > > > > > > > > >> > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > it would be nice if users who
> >> > > customize
> >> > > > > > > > > Authorizers
> >> > > > > > > > > > > (and
> >> > > > > > > > > > > > > > > >> > > > > PrincipalBuilders)
> >> > > > > > > > > > > > > > > >> > > > > > did not immediately lose the
> >> ability
> >> > > to
> >> > > > > use
> >> > > > > > > > > > > kafka-acl.sh
> >> > > > > > > > > > > > > > with
> >> > > > > > > > > > > > > > > >> their
> >> > > > > > > > > > > > > > > >> > > new
> >> > > > > > > > > > > > > > > >> > > > > > Authorizers.
> >> > > > > > > > > > > > > > > >> > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > On Wed, Feb 15, 2017 at 5:50
> AM,
> >> > > > > Manikumar <
> >> > > > > > > > > > > > > > > >> > > manikumar.re...@gmail.com>
> >> > > > > > > > > > > > > > > >> > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > Sorry, I am late to this
> >> > discussion.
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder is only used
> >> for
> >> > > SSL
> >> > > > > > > > Protocol.
> >> > > > > > > > > > > > > > > >> > > > > > > For SASL, we use "
> >> > > > > > > sasl.kerberos.principal.to.
> >> > > > > > > > > > > > > local.rules"
> >> > > > > > > > > > > > > > > >> config
> >> > > > > > > > > > > > > > > >> > > to
> >> > > > > > > > > > > > > > > >> > > > > map
> >> > > > > > > > > > > > > > > >> > > > > > > SASL principal names to short
> >> > names.
> >> > > > To
> >> > > > > > make
> >> > > > > > > > it
> >> > > > > > > > > > > > > > consistent,
> >> > > > > > > > > > > > > > > >> > > > > > > Do we also need to pass the
> >> SASL
> >> > > full
> >> > > > > > > > principal
> >> > > > > > > > > > name
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > authorizer
> >> > > > > > > > > > > > > > > >> > > ?
> >> > > > > > > > > > > > > > > >> > > > > > > We may need to use
> >> > PrincipalBuilder
> >> > > > for
> >> > > > > > > > mapping
> >> > > > > > > > > > SASL
> >> > > > > > > > > > > > > > names.
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > Related JIRA is here:
> >> > > > > > > > > > > > > > > >> > > > > > > https://issues.apache.org/
> >> > > > > > > > > jira/browse/KAFKA-2854
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > On Wed, Feb 15, 2017 at 7:47
> >> AM,
> >> > Jun
> >> > > > > Rao <
> >> > > > > > > > > > > > > > j...@confluent.io>
> >> > > > > > > > > > > > > > > >> > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > Hi, Radai,
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > Currently kafka-acl.sh just
> >> > > creates
> >> > > > an
> >> > > > > > ACL
> >> > > > > > > > > path
> >> > > > > > > > > > in
> >> > > > > > > > > > > > ZK
> >> > > > > > > > > > > > > > with
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > > name string. The authorizer
> >> > module
> >> > > > in
> >> > > > > > the
> >> > > > > > > > > broker
> >> > > > > > > > > > > > reads
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > name
> >> > > > > > > > > > > > > > > >> > > > > > > > string from the acl path in
> >> ZK
> >> > and
> >> > > > > > creates
> >> > > > > > > > the
> >> > > > > > > > > > > > > expected
> >> > > > > > > > > > > > > > > >> > > > > KafkaPrincipal
> >> > > > > > > > > > > > > > > >> > > > > > > for
> >> > > > > > > > > > > > > > > >> > > > > > > > matching. As you can see,
> the
> >> > > > expected
> >> > > > > > > > > principal
> >> > > > > > > > > > > is
> >> > > > > > > > > > > > > > > created
> >> > > > > > > > > > > > > > > >> on
> >> > > > > > > > > > > > > > > >> > > the
> >> > > > > > > > > > > > > > > >> > > > > > broker
> >> > > > > > > > > > > > > > > >> > > > > > > > side, not by the
> kafka-acl.sh
> >> > > tool.
> >> > > > > The
> >> > > > > > > > broker
> >> > > > > > > > > > > > already
> >> > > > > > > > > > > > > > has
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > > > ability
> >> > > > > > > > > > > > > > > >> > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > configure PrincipalBuilder.
> >> > That's
> >> > > > > why I
> >> > > > > > > am
> >> > > > > > > > > not
> >> > > > > > > > > > > sure
> >> > > > > > > > > > > > > if
> >> > > > > > > > > > > > > > > >> there
> >> > > > > > > > > > > > > > > >> > is
> >> > > > > > > > > > > > > > > >> > > a
> >> > > > > > > > > > > > > > > >> > > > > need
> >> > > > > > > > > > > > > > > >> > > > > > > for
> >> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl.sh to customize
> >> > > > > > > PrincipalBuilder.
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > Jun
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > On Mon, Feb 13, 2017 at
> 7:01
> >> PM,
> >> > > > > radai <
> >> > > > > > > > > > > > > > > >> > > radai.rosenbl...@gmail.com
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > if i understand
> correctly,
> >> > > > > > kafka-acls.sh
> >> > > > > > > > > spins
> >> > > > > > > > > > > up
> >> > > > > > > > > > > > an
> >> > > > > > > > > > > > > > > >> instance
> >> > > > > > > > > > > > > > > >> > > of
> >> > > > > > > > > > > > > > > >> > > > > (the
> >> > > > > > > > > > > > > > > >> > > > > > > > > custom, in our case)
> >> > Authorizer,
> >> > > > and
> >> > > > > > > calls
> >> > > > > > > > > > > things
> >> > > > > > > > > > > > > like
> >> > > > > > > > > > > > > > > >> > > > > addAcls(acls:
> >> > > > > > > > > > > > > > > >> > > > > > > > > Set[Acl], resource:
> >> Resource)
> >> > on
> >> > > > it,
> >> > > > > > > which
> >> > > > > > > > > are
> >> > > > > > > > > > > > > defined
> >> > > > > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > > > > > interface,
> >> > > > > > > > > > > > > > > >> > > > > > > > > hence expected to be
> >> > > "extensible".
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > (side note: if Authorizer
> >> and
> >> > > > > > > > > PrincipalBuilder
> >> > > > > > > > > > > are
> >> > > > > > > > > > > > > > > >> defined as
> >> > > > > > > > > > > > > > > >> > > > > > > extensible
> >> > > > > > > > > > > > > > > >> > > > > > > > > interfaces, why doesnt
> >> class
> >> > > Acl,
> >> > > > > > which
> >> > > > > > > is
> >> > > > > > > > > in
> >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> signature
> >> > > > > > > > > > > > > > > >> > for
> >> > > > > > > > > > > > > > > >> > > > > > > > Authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > > calls, use
> >> > > > java.security.Principal?)
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > we would like to be able
> to
> >> > use
> >> > > > the
> >> > > > > > > > standard
> >> > > > > > > > > > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > command
> >> > > > > > > > > > > > > > > >> > > > line
> >> > > > > > > > > > > > > > > >> > > > > > for
> >> > > > > > > > > > > > > > > >> > > > > > > > > defining ACLs even when
> >> > > replacing
> >> > > > > the
> >> > > > > > > > > vanilla
> >> > > > > > > > > > > > > > Authorizer
> >> > > > > > > > > > > > > > > >> and
> >> > > > > > > > > > > > > > > >> > > > > > > > > PrincipalBuilder (even
> >> though
> >> > we
> >> > > > > have
> >> > > > > > a
> >> > > > > > > > > > > management
> >> > > > > > > > > > > > > UI
> >> > > > > > > > > > > > > > > for
> >> > > > > > > > > > > > > > > >> > these
> >> > > > > > > > > > > > > > > >> > > > > > > > operations
> >> > > > > > > > > > > > > > > >> > > > > > > > > within linkedin) - simply
> >> > > because
> >> > > > > > thats
> >> > > > > > > > the
> >> > > > > > > > > > > > correct
> >> > > > > > > > > > > > > > > thing
> >> > > > > > > > > > > > > > > >> to
> >> > > > > > > > > > > > > > > >> > do
> >> > > > > > > > > > > > > > > >> > > > > from
> >> > > > > > > > > > > > > > > >> > > > > > an
> >> > > > > > > > > > > > > > > >> > > > > > > > > extensibility point of
> >> view.
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > On Mon, Feb 13, 2017 at
> >> 1:39
> >> > PM,
> >> > > > Jun
> >> > > > > > > Rao <
> >> > > > > > > > > > > > > > > >> j...@confluent.io>
> >> > > > > > > > > > > > > > > >> > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Hi, Mayuresh,
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > I seems to me that
> there
> >> are
> >> > > two
> >> > > > > > > common
> >> > > > > > > > > use
> >> > > > > > > > > > > > cases
> >> > > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > authorizer.
> >> > > > > > > > > > > > > > > >> > > > > > (1)
> >> > > > > > > > > > > > > > > >> > > > > > > > Use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > the default
> >> SimpleAuthorizer
> >> > > and
> >> > > > > the
> >> > > > > > > > > > kafka-acl
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > do
> >> > > > > > > > > > > > > > > >> > > > > authorization.
> >> > > > > > > > > > > > > > > >> > > > > > > (2)
> >> > > > > > > > > > > > > > > >> > > > > > > > > Use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > a customized authorizer
> >> and
> >> > an
> >> > > > > > > external
> >> > > > > > > > > tool
> >> > > > > > > > > > > for
> >> > > > > > > > > > > > > > > >> > > authorization.
> >> > > > > > > > > > > > > > > >> > > > > Do
> >> > > > > > > > > > > > > > > >> > > > > > > you
> >> > > > > > > > > > > > > > > >> > > > > > > > > > think there is a use
> case
> >> > for
> >> > > a
> >> > > > > > > > customized
> >> > > > > > > > > > > > > > authorizer
> >> > > > > > > > > > > > > > > >> and
> >> > > > > > > > > > > > > > > >> > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > > > at
> >> > > > > > > > > > > > > > > >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > same time? If not, it's
> >> > better
> >> > > > not
> >> > > > > > to
> >> > > > > > > > > > > complicate
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > api.
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Jun
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > On Mon, Feb 13, 2017 at
> >> > 10:35
> >> > > > AM,
> >> > > > > > > > Mayuresh
> >> > > > > > > > > > > > Gharat
> >> > > > > > > > > > > > > <
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> gharatmayures...@gmail.com>
> >> > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks for the review
> >> and
> >> > > > > > comments.
> >> > > > > > > > > Please
> >> > > > > > > > > > > > find
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > replies
> >> > > > > > > > > > > > > > > >> > > > > > inline
> >> > > > > > > > > > > > > > > >> > > > > > > :
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > This is so that in
> the
> >> > > future,
> >> > > > > we
> >> > > > > > > can
> >> > > > > > > > > > extend
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > types
> >> > > > > > > > > > > > > > > >> > like
> >> > > > > > > > > > > > > > > >> > > > > group.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > ---> Yep, I did think
> >> the
> >> > > > same.
> >> > > > > > But
> >> > > > > > > > > since
> >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > SocketServer
> >> > > > > > > > > > > > > > > >> > > > was
> >> > > > > > > > > > > > > > > >> > > > > > > always
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > creating User type,
> it
> >> > > wasn't
> >> > > > > > > actually
> >> > > > > > > > > > used.
> >> > > > > > > > > > > > If
> >> > > > > > > > > > > > > we
> >> > > > > > > > > > > > > > > go
> >> > > > > > > > > > > > > > > >> > ahead
> >> > > > > > > > > > > > > > > >> > > > > with
> >> > > > > > > > > > > > > > > >> > > > > > > > > changes
> >> > > > > > > > > > > > > > > >> > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > this KIP, we will
> give
> >> > this
> >> > > > > power
> >> > > > > > of
> >> > > > > > > > > > > creating
> >> > > > > > > > > > > > > > > >> different
> >> > > > > > > > > > > > > > > >> > > > > Principal
> >> > > > > > > > > > > > > > > >> > > > > > > > types
> >> > > > > > > > > > > > > > > >> > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > the PrincipalBuilder
> >> > (which
> >> > > > > users
> >> > > > > > > can
> >> > > > > > > > > > define
> >> > > > > > > > > > > > > there
> >> > > > > > > > > > > > > > > >> own).
> >> > > > > > > > > > > > > > > >> > In
> >> > > > > > > > > > > > > > > >> > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > way
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Kafka
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > will not have to deal
> >> with
> >> > > > > > handling
> >> > > > > > > > > this.
> >> > > > > > > > > > So
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > Principal
> >> > > > > > > > > > > > > > > >> > > > > > building
> >> > > > > > > > > > > > > > > >> > > > > > > > and
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization will be
> >> > opaque
> >> > > > to
> >> > > > > > > Kafka
> >> > > > > > > > > > which
> >> > > > > > > > > > > > > seems
> >> > > > > > > > > > > > > > > >> like an
> >> > > > > > > > > > > > > > > >> > > > > > expected
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > behavior.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Hmm, normally, the
> >> > > > > configurations
> >> > > > > > > you
> >> > > > > > > > > > > specify
> >> > > > > > > > > > > > > for
> >> > > > > > > > > > > > > > > >> > plug-ins
> >> > > > > > > > > > > > > > > >> > > > > refer
> >> > > > > > > > > > > > > > > >> > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > those
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > needed to construct
> the
> >> > > > plug-in
> >> > > > > > > > object.
> >> > > > > > > > > > So,
> >> > > > > > > > > > > > it's
> >> > > > > > > > > > > > > > > kind
> >> > > > > > > > > > > > > > > >> of
> >> > > > > > > > > > > > > > > >> > > > weird
> >> > > > > > > > > > > > > > > >> > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > to call a method. For
> >> > > example,
> >> > > > > why
> >> > > > > > > > can't
> >> > > > > > > > > > > > > > > >> > > > > > > >
> principalBuilderService.rest.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > url
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > be passed in through
> >> the
> >> > > > > > configure()
> >> > > > > > > > > > method
> >> > > > > > > > > > > > and
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > implementation
> >> > > > > > > > > > > > > > > >> > > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > > > > > > > use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > that to build
> >> principal.
> >> > > This
> >> > > > > way,
> >> > > > > > > > there
> >> > > > > > > > > > is
> >> > > > > > > > > > > > > only a
> >> > > > > > > > > > > > > > > >> single
> >> > > > > > > > > > > > > > > >> > > > > method
> >> > > > > > > > > > > > > > > >> > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > compute
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > the principal in a
> >> > > consistent
> >> > > > > way
> >> > > > > > in
> >> > > > > > > > the
> >> > > > > > > > > > > > broker
> >> > > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > the
> >> > > > > > > > > > > > > > > >> > > > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > > > > > > tool.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> We can do that
> as
> >> > > well.
> >> > > > > But
> >> > > > > > > > since
> >> > > > > > > > > > the
> >> > > > > > > > > > > > rest
> >> > > > > > > > > > > > > > url
> >> > > > > > > > > > > > > > > >> is
> >> > > > > > > > > > > > > > > >> > not
> >> > > > > > > > > > > > > > > >> > > > > > related
> >> > > > > > > > > > > > > > > >> > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Principal, it seems
> >> out of
> >> > > > place
> >> > > > > > to
> >> > > > > > > me
> >> > > > > > > > > to
> >> > > > > > > > > > > pass
> >> > > > > > > > > > > > > it
> >> > > > > > > > > > > > > > > >> every
> >> > > > > > > > > > > > > > > >> > > time
> >> > > > > > > > > > > > > > > >> > > > we
> >> > > > > > > > > > > > > > > >> > > > > > > have
> >> > > > > > > > > > > > > > > >> > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > create a Principal. I
> >> > should
> >> > > > > > replace
> >> > > > > > > > > > > > > > > >> "principalConfigs"
> >> > > > > > > > > > > > > > > >> > > with
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> "principalProperties".
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > I was trying to
> >> > > differentiate
> >> > > > > the
> >> > > > > > > > > > > > > > configs/properties
> >> > > > > > > > > > > > > > > >> that
> >> > > > > > > > > > > > > > > >> > > are
> >> > > > > > > > > > > > > > > >> > > > > > used
> >> > > > > > > > > > > > > > > >> > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > create the
> >> > PrincipalBuilder
> >> > > > > class
> >> > > > > > > and
> >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > Principal/Principals
> >> > > > > > > > > > > > > > > >> > > > > > > > itself.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > For LinkedIn's use
> >> case,
> >> > do
> >> > > > you
> >> > > > > > > > actually
> >> > > > > > > > > > use
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > tool?
> >> > > > > > > > > > > > > > > >> > > > > > My
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > understanding is that
> >> > > LinkedIn
> >> > > > > > does
> >> > > > > > > > > > > > > authorization
> >> > > > > > > > > > > > > > > >> through
> >> > > > > > > > > > > > > > > >> > > an
> >> > > > > > > > > > > > > > > >> > > > > > > external
> >> > > > > > > > > > > > > > > >> > > > > > > > > > tool.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> For Linkedin's
> >> use
> >> > > case
> >> > > > we
> >> > > > > > > don't
> >> > > > > > > > > > > > actually
> >> > > > > > > > > > > > > > use
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > > > > tool
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > right now. As per the
> >> > > > discussion
> >> > > > > > > that
> >> > > > > > > > we
> >> > > > > > > > > > had
> >> > > > > > > > > > > > on
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > https://issues.apache.org/
> >> > > > > > > > > > > > > jira/browse/KAFKA-4454,
> >> > > > > > > > > > > > > > > we
> >> > > > > > > > > > > > > > > >> > > thought
> >> > > > > > > > > > > > > > > >> > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > it
> >> > > > > > > > > > > > > > > >> > > > > > > > > > would
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > be good to make
> >> kafka-acl
> >> > > tool
> >> > > > > > > > changes,
> >> > > > > > > > > to
> >> > > > > > > > > > > > make
> >> > > > > > > > > > > > > it
> >> > > > > > > > > > > > > > > >> > flexible
> >> > > > > > > > > > > > > > > >> > > > and
> >> > > > > > > > > > > > > > > >> > > > > > we
> >> > > > > > > > > > > > > > > >> > > > > > > > > might
> >> > > > > > > > > > > > > > > >> > > > > > > > > > be
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > even able to use it
> in
> >> > > future.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > It seems it's simpler
> >> if
> >> > > > > kafka-acl
> >> > > > > > > > > doesn't
> >> > > > > > > > > > > to
> >> > > > > > > > > > > > > need
> >> > > > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > understand
> >> > > > > > > > > > > > > > > >> > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > principal builder.
> The
> >> > tool
> >> > > > does
> >> > > > > > > > > > > authorization
> >> > > > > > > > > > > > > > based
> >> > > > > > > > > > > > > > > >> on a
> >> > > > > > > > > > > > > > > >> > > > > string
> >> > > > > > > > > > > > > > > >> > > > > > > > name,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > which is expected to
> >> match
> >> > > the
> >> > > > > > > > principal
> >> > > > > > > > > > > name.
> >> > > > > > > > > > > > > > So, I
> >> > > > > > > > > > > > > > > >> am
> >> > > > > > > > > > > > > > > >> > > > > wondering
> >> > > > > > > > > > > > > > > >> > > > > > > why
> >> > > > > > > > > > > > > > > >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool needs to know
> the
> >> > > > principal
> >> > > > > > > > > builder.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> If we don't
> make
> >> > this
> >> > > > > > change,
> >> > > > > > > I
> >> > > > > > > > am
> >> > > > > > > > > > not
> >> > > > > > > > > > > > > sure
> >> > > > > > > > > > > > > > > how
> >> > > > > > > > > > > > > > > >> > > > > clients/end
> >> > > > > > > > > > > > > > > >> > > > > > > > users
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > will be able to use
> >> this
> >> > > tool
> >> > > > if
> >> > > > > > > they
> >> > > > > > > > > have
> >> > > > > > > > > > > > there
> >> > > > > > > > > > > > > > own
> >> > > > > > > > > > > > > > > >> > > > Authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > does
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization based
> on
> >> > > > > Principal,
> >> > > > > > > that
> >> > > > > > > > > has
> >> > > > > > > > > > > > more
> >> > > > > > > > > > > > > > > >> > information
> >> > > > > > > > > > > > > > > >> > > > > apart
> >> > > > > > > > > > > > > > > >> > > > > > > > from
> >> > > > > > > > > > > > > > > >> > > > > > > > > > name
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > and type.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > What if we only make
> >> the
> >> > > > > following
> >> > > > > > > > > > changes:
> >> > > > > > > > > > > > pass
> >> > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> java
> >> > > > > > > > > > > > > > > >> > > > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > session and in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > SimpleAuthorizer,
> >> > construct
> >> > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > > from
> >> > > > > > > > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > name.
> >> > > > > > > > > > > > > > > >> > > > > > > > > Will
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > that work for
> LinkedIn?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> This can work
> for
> >> > > > Linkedin
> >> > > > > > but
> >> > > > > > > > as
> >> > > > > > > > > > > > > explained
> >> > > > > > > > > > > > > > > >> above,
> >> > > > > > > > > > > > > > > >> > it
> >> > > > > > > > > > > > > > > >> > > > > does
> >> > > > > > > > > > > > > > > >> > > > > > > not
> >> > > > > > > > > > > > > > > >> > > > > > > > > seem
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > like a complete
> design
> >> > from
> >> > > > open
> >> > > > > > > > source
> >> > > > > > > > > > > point
> >> > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > view.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > On Thu, Feb 9, 2017
> at
> >> > 11:29
> >> > > > AM,
> >> > > > > > Jun
> >> > > > > > > > > Rao <
> >> > > > > > > > > > > > > > > >> > j...@confluent.io
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hi, Mayuresh,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks for the
> >> reply. A
> >> > > few
> >> > > > > more
> >> > > > > > > > > > comments
> >> > > > > > > > > > > > > below.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > On Wed, Feb 8, 2017
> >> at
> >> > > 9:14
> >> > > > > PM,
> >> > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > Gharat
> >> > > > > > > > > > > > > > <
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > gharatmayures...@gmail.com>
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Hi Jun,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks for the
> >> review.
> >> > > > > Please
> >> > > > > > > find
> >> > > > > > > > > the
> >> > > > > > > > > > > > > > responses
> >> > > > > > > > > > > > > > > >> > > inline.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1. It seems the
> >> > problem
> >> > > > that
> >> > > > > > you
> >> > > > > > > > are
> >> > > > > > > > > > > > trying
> >> > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > address
> >> > > > > > > > > > > > > > > >> > > is
> >> > > > > > > > > > > > > > > >> > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal
> returned
> >> > from
> >> > > > > > > > KafkaChannel
> >> > > > > > > > > > may
> >> > > > > > > > > > > > > have
> >> > > > > > > > > > > > > > > >> > > additional
> >> > > > > > > > > > > > > > > >> > > > > > fields
> >> > > > > > > > > > > > > > > >> > > > > > > > > than
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > name
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > that are needed
> >> during
> >> > > > > > > > > authorization.
> >> > > > > > > > > > > Have
> >> > > > > > > > > > > > > you
> >> > > > > > > > > > > > > > > >> > > > considered a
> >> > > > > > > > > > > > > > > >> > > > > > > > > > customized
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipleBuilder
> >> that
> >> > > > > extracts
> >> > > > > > > all
> >> > > > > > > > > > > needed
> >> > > > > > > > > > > > > > fields
> >> > > > > > > > > > > > > > > >> from
> >> > > > > > > > > > > > > > > >> > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > and
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > squeezes them as
> a
> >> > json
> >> > > in
> >> > > > > the
> >> > > > > > > > name
> >> > > > > > > > > of
> >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> returned
> >> > > > > > > > > > > > > > > >> > > > > > principal?
> >> > > > > > > > > > > > > > > >> > > > > > > > > Then,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > authorizer can
> just
> >> > > parse
> >> > > > > the
> >> > > > > > > json
> >> > > > > > > > > and
> >> > > > > > > > > > > > > extract
> >> > > > > > > > > > > > > > > >> needed
> >> > > > > > > > > > > > > > > >> > > > > fields.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes we had
> >> > thought
> >> > > > > about
> >> > > > > > > > this.
> >> > > > > > > > > We
> >> > > > > > > > > > > > use a
> >> > > > > > > > > > > > > > > third
> >> > > > > > > > > > > > > > > >> > > party
> >> > > > > > > > > > > > > > > >> > > > > > > library
> >> > > > > > > > > > > > > > > >> > > > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > takes
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > in the passed in
> >> cert
> >> > > and
> >> > > > > > > creates
> >> > > > > > > > > the
> >> > > > > > > > > > > > > > Principal.
> >> > > > > > > > > > > > > > > >> This
> >> > > > > > > > > > > > > > > >> > > > > > Principal
> >> > > > > > > > > > > > > > > >> > > > > > > > is
> >> > > > > > > > > > > > > > > >> > > > > > > > > > then
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > used by the
> >> library to
> >> > > > make
> >> > > > > > the
> >> > > > > > > > > > decision
> >> > > > > > > > > > > > > > > >> (ALLOW/DENY)
> >> > > > > > > > > > > > > > > >> > > > when
> >> > > > > > > > > > > > > > > >> > > > > we
> >> > > > > > > > > > > > > > > >> > > > > > > > call
> >> > > > > > > > > > > > > > > >> > > > > > > > > it
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the Authorizer.
> It
> >> > does
> >> > > > not
> >> > > > > > have
> >> > > > > > > > an
> >> > > > > > > > > > API
> >> > > > > > > > > > > to
> >> > > > > > > > > > > > > > > create
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > > > > Principal
> >> > > > > > > > > > > > > > > >> > > > > > > > > from
> >> > > > > > > > > > > > > > > >> > > > > > > > > > a
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > String. If it did
> >> > > support,
> >> > > > > > still
> >> > > > > > > > we
> >> > > > > > > > > > > would
> >> > > > > > > > > > > > > have
> >> > > > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> be
> >> > > > > > > > > > > > > > > >> > > > aware
> >> > > > > > > > > > > > > > > >> > > > > of
> >> > > > > > > > > > > > > > > >> > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > internal
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > details of the
> >> > library,
> >> > > > like
> >> > > > > > the
> >> > > > > > > > > field
> >> > > > > > > > > > > > > values
> >> > > > > > > > > > > > > > it
> >> > > > > > > > > > > > > > > >> > > creates
> >> > > > > > > > > > > > > > > >> > > > > from
> >> > > > > > > > > > > > > > > >> > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > certs,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > defaults and so
> on.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2. Could you
> >> explain
> >> > how
> >> > > > the
> >> > > > > > > > default
> >> > > > > > > > > > > > > > authorizer
> >> > > > > > > > > > > > > > > >> works
> >> > > > > > > > > > > > > > > >> > > > now?
> >> > > > > > > > > > > > > > > >> > > > > > > > > Currently,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > code just
> compares
> >> the
> >> > > two
> >> > > > > > > > principal
> >> > > > > > > > > > > > > objects.
> >> > > > > > > > > > > > > > > Are
> >> > > > > > > > > > > > > > > >> we
> >> > > > > > > > > > > > > > > >> > > > > > converting
> >> > > > > > > > > > > > > > > >> > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal to a
> >> > > > > KafkaPrincipal
> >> > > > > > > > there?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> The
> >> > > > SimpleAclAuthorizer
> >> > > > > > > > > currently
> >> > > > > > > > > > > > > expects
> >> > > > > > > > > > > > > > > >> that,
> >> > > > > > > > > > > > > > > >> > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > Principal
> >> > > > > > > > > > > > > > > >> > > > > > > > > it
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > fetches from the
> >> > Session
> >> > > > > > object
> >> > > > > > > is
> >> > > > > > > > > an
> >> > > > > > > > > > > > > instance
> >> > > > > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > > > > KafkaPrincipal.
> >> > > > > > > > > > > > > > > >> > > > > > > > > It
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > then
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > uses it compare
> >> with
> >> > the
> >> > > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > > > > > extracted
> >> > > > > > > > > > > > > > > >> > from
> >> > > > > > > > > > > > > > > >> > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > stored
> >> > > > > > > > > > > > > > > >> > > > > > > > > > ACLs.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > In
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > this case, we can
> >> > > > construct
> >> > > > > > the
> >> > > > > > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > > > > > >> object
> >> > > > > > > > > > > > > > > >> > > on
> >> > > > > > > > > > > > > > > >> > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > fly
> >> > > > > > > > > > > > > > > >> > > > > > > > by
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > using
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the name of the
> >> > > Principal
> >> > > > as
> >> > > > > > > > > follows :
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val principal =
> >> > > > > > > > session.principal*
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val
> >> kafkaPrincipal =
> >> > > new
> >> > > > > > > > > > > > > > > >> > > KafkaPrincipal(KafkaPrincipal.
> >> > > > > > > > > > > > > > > >> > > > > > > > USER_TYPE,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> principal.getName)*
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > I was also
> >> planning to
> >> > > get
> >> > > > > rid
> >> > > > > > > of
> >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> principalType
> >> > > > > > > > > > > > > > > >> > > field
> >> > > > > > > > > > > > > > > >> > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KafkaPrincipal as
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it is always set
> to
> >> > > > > *"*User*"*
> >> > > > > > > in
> >> > > > > > > > > the
> >> > > > > > > > > > > > > > > SocketServer
> >> > > > > > > > > > > > > > > >> > > > > currently.
> >> > > > > > > > > > > > > > > >> > > > > > > > After
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > this
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KIP, it will no
> >> longer
> >> > > be
> >> > > > > used
> >> > > > > > > in
> >> > > > > > > > > > > > > > SocketServer.
> >> > > > > > > > > > > > > > > >> But
> >> > > > > > > > > > > > > > > >> > to
> >> > > > > > > > > > > > > > > >> > > > > > maintain
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > backwards
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > compatibility of
> >> > > > > > kafka-acls.sh,
> >> > > > > > > I
> >> > > > > > > > > > > > preserved
> >> > > > > > > > > > > > > > it.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > This is so that in
> >> the
> >> > > > future,
> >> > > > > > we
> >> > > > > > > > can
> >> > > > > > > > > > > extend
> >> > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> types
> >> > > > > > > > > > > > > > > >> > > like
> >> > > > > > > > > > > > > > > >> > > > > > group.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. Do we need to
> >> add
> >> > the
> >> > > > > > > following
> >> > > > > > > > > > > method
> >> > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > PrincipalBuilder?
> >> > > > > > > > > > > > > > > >> > > > > > > > The
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > configs
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > are already
> passed
> >> in
> >> > > > > through
> >> > > > > > > > > > > configure()
> >> > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > an
> >> > > > > > > > > > > > > > > >> > > > > > implementation
> >> > > > > > > > > > > > > > > >> > > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > cache
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it and use it in
> >> > > > > > > buildPrincipal().
> >> > > > > > > > > > It's
> >> > > > > > > > > > > > also
> >> > > > > > > > > > > > > > not
> >> > > > > > > > > > > > > > > >> > clear
> >> > > > > > > > > > > > > > > >> > > to
> >> > > > > > > > > > > > > > > >> > > > > me
> >> > > > > > > > > > > > > > > >> > > > > > > > where
> >> > > > > > > > > > > > > > > >> > > > > > > > > we
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > call
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the new and the
> old
> >> > > > method,
> >> > > > > > and
> >> > > > > > > > > > whether
> >> > > > > > > > > > > > both
> >> > > > > > > > > > > > > > > will
> >> > > > > > > > > > > > > > > >> be
> >> > > > > > > > > > > > > > > >> > > > called
> >> > > > > > > > > > > > > > > >> > > > > > or
> >> > > > > > > > > > > > > > > >> > > > > > > > one
> >> > > > > > > > > > > > > > > >> > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > them
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > will be called.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal
> >> > > > > > > > buildPrincipal(Map<String,
> >> > > > > > > > > > ?>
> >> > > > > > > > > > > > > > > >> > > > principalConfigs);
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> My thought
> was
> >> > that
> >> > > > the
> >> > > > > > > > > > configure()
> >> > > > > > > > > > > > > > method
> >> > > > > > > > > > > > > > > >> will
> >> > > > > > > > > > > > > > > >> > be
> >> > > > > > > > > > > > > > > >> > > > > used
> >> > > > > > > > > > > > > > > >> > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > build
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > PrincipalBuilder
> >> class
> >> > > > > object
> >> > > > > > > > > itself.
> >> > > > > > > > > > It
> >> > > > > > > > > > > > > > follows
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > same
> >> > > > > > > > > > > > > > > >> > > > > way
> >> > > > > > > > > > > > > > > >> > > > > > > as
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > gets configured.
> >> The
> >> > > > > > > > > > > > > > buildPrincipal(Map<String,
> >> > > > > > > > > > > > > > > ?>
> >> > > > > > > > > > > > > > > >> > > > > > > > > principalConfigs)
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > will
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > be used to build
> >> > > > individual
> >> > > > > > > > > > principals.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Let me give an
> >> > example,
> >> > > > with
> >> > > > > > the
> >> > > > > > > > > > > > > > kafka-acls.sh :
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >    -
> >> bin/kafka-acls.sh
> >> > > > > > > > > > > --principalBuilder
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > userDefinedPackage.kafka.
> >> > > > > > > > > > > > > > > >> > security.PrincipalBuilder
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > --principalBuilder-properties
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > principalBuilderService.rest.u
> >> > > > > > > > > > rl=URL
> >> > > > > > > > > > > > > > > >> > --authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > kafka.security.auth.
> >> > > > > > > > > > > > SimpleAclAuthorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > --authorizer-properties
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > zookeeper.connect=localhost:
> >> > > > > > > > 2181
> >> > > > > > > > > > > --add
> >> > > > > > > > > > > > > > > >> > > > > --allow-principal
> >> > > > > > > > > > > > > > > >> > > > > > > > > name=bob
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> type=USER_PRINCIPAL
> >> > > > > > > > > > --allow-principal
> >> > > > > > > > > > > > > > > >> > > > > > > name=ALPHA-GAMMA-SERVICE
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > type=SERVICE_PRINCIPAL
> >> > > > > > > > > > --allow-hosts
> >> > > > > > > > > > > > > > > >> Host1,Host2
> >> > > > > > > > > > > > > > > >> > > > > > > --operations
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Read,Write
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >    --topic
> >> Test-topic
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       1.
> >> > > > > > > > *userDefinedPackage.kafka.
> >> > > > > > > > > > > > > > > >> > > > > > security.PrincipalBuilder*
> >> > > > > > > > > > > > > > > >> > > > > > > is
> >> > > > > > > > > > > > > > > >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > user
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       defined
> >> > > > > PrincipalBuilder
> >> > > > > > > > > class.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       2.
> >> > > > > > > > > > *principalBuilderService.rest.
> >> > > > > > > > > > > > > > url=URL*
> >> > > > > > > > > > > > > > > >> can
> >> > > > > > > > > > > > > > > >> > > be a
> >> > > > > > > > > > > > > > > >> > > > > > > remote
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > service
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       that
> provides
> >> > you
> >> > > an
> >> > > > > > HTTP
> >> > > > > > > > > > endpoint
> >> > > > > > > > > > > > > which
> >> > > > > > > > > > > > > > > >> takes
> >> > > > > > > > > > > > > > > >> > > in a
> >> > > > > > > > > > > > > > > >> > > > > set
> >> > > > > > > > > > > > > > > >> > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > parameters and
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       provides
> you
> >> > with
> >> > > > the
> >> > > > > > > > > Principal.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       3.
> *name=bob
> >> > > > > > > > > > type=USER_PRINCIPAL*
> >> > > > > > > > > > > > can
> >> > > > > > > > > > > > > be
> >> > > > > > > > > > > > > > > >> used
> >> > > > > > > > > > > > > > > >> > by
> >> > > > > > > > > > > > > > > >> > > > > > > > > > PrincipalBuilder
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       create
> >> > > UserPrincipal
> >> > > > > > with
> >> > > > > > > > name
> >> > > > > > > > > > as
> >> > > > > > > > > > > > bob
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >       4.
> >> > > > > > > *name=ALPHA-GAMMA-SERVICE
> >> > > > > > > > > > > > > > > >> > > type=SERVICE_PRINCIPAL
> >> > > > > > > > > > > > > > > >> > > > > > *can
> >> > > > > > > > > > > > > > > >> > > > > > > be
> >> > > > > > > > > > > > > > > >> > > > > > > > > > used
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > by
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >>  PrincipalBuilder
> >> > > to
> >> > > > > > > create a
> >> > > > > > > > > > > > > > > >> ServicePrincipal
> >> > > > > > > > > > > > > > > >> > > with
> >> > > > > > > > > > > > > > > >> > > > > name
> >> > > > > > > > > > > > > > > >> > > > > > > as
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > >  ALPHA-GAMMA-SERVICE.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >    - This seems
> >> more
> >> > > > > flexible
> >> > > > > > > and
> >> > > > > > > > > > > > intuitive
> >> > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > me
> >> > > > > > > > > > > > > > > >> > from
> >> > > > > > > > > > > > > > > >> > > > end
> >> > > > > > > > > > > > > > > >> > > > > > > user's
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >    perspective.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hmm, normally, the
> >> > > > > > configurations
> >> > > > > > > > you
> >> > > > > > > > > > > > specify
> >> > > > > > > > > > > > > > for
> >> > > > > > > > > > > > > > > >> > > plug-ins
> >> > > > > > > > > > > > > > > >> > > > > > refer
> >> > > > > > > > > > > > > > > >> > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > those
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > needed to construct
> >> the
> >> > > > > plug-in
> >> > > > > > > > > object.
> >> > > > > > > > > > > So,
> >> > > > > > > > > > > > > it's
> >> > > > > > > > > > > > > > > >> kind
> >> > > > > > > > > > > > > > > >> > of
> >> > > > > > > > > > > > > > > >> > > > > weird
> >> > > > > > > > > > > > > > > >> > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > to call a method.
> For
> >> > > > example,
> >> > > > > > why
> >> > > > > > > > > can't
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> principalBuilderService.rest.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > url
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > be passed in
> through
> >> the
> >> > > > > > > configure()
> >> > > > > > > > > > > method
> >> > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > implementation
> >> > > > > > > > > > > > > > > >> > > > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > use
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > that to build
> >> principal.
> >> > > > This
> >> > > > > > way,
> >> > > > > > > > > there
> >> > > > > > > > > > > is
> >> > > > > > > > > > > > > > only a
> >> > > > > > > > > > > > > > > >> > single
> >> > > > > > > > > > > > > > > >> > > > > > method
> >> > > > > > > > > > > > > > > >> > > > > > > to
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > compute
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the principal in a
> >> > > > consistent
> >> > > > > > way
> >> > > > > > > in
> >> > > > > > > > > the
> >> > > > > > > > > > > > > broker
> >> > > > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > >> in
> >> > > > > > > > > > > > > > > >> > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > For LinkedIn's use
> >> case,
> >> > > do
> >> > > > > you
> >> > > > > > > > > actually
> >> > > > > > > > > > > use
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > kafka-acl
> >> > > > > > > > > > > > > > > >> > > > > > tool?
> >> > > > > > > > > > > > > > > >> > > > > > > My
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > understanding is
> that
> >> > > > LinkedIn
> >> > > > > > > does
> >> > > > > > > > > > > > > > authorization
> >> > > > > > > > > > > > > > > >> > through
> >> > > > > > > > > > > > > > > >> > > > an
> >> > > > > > > > > > > > > > > >> > > > > > > > external
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > It seems it's
> >> simpler if
> >> > > > > > kafka-acl
> >> > > > > > > > > > doesn't
> >> > > > > > > > > > > > to
> >> > > > > > > > > > > > > > need
> >> > > > > > > > > > > > > > > >> to
> >> > > > > > > > > > > > > > > >> > > > > > understand
> >> > > > > > > > > > > > > > > >> > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > principal builder.
> >> The
> >> > > tool
> >> > > > > does
> >> > > > > > > > > > > > authorization
> >> > > > > > > > > > > > > > > based
> >> > > > > > > > > > > > > > > >> > on a
> >> > > > > > > > > > > > > > > >> > > > > > string
> >> > > > > > > > > > > > > > > >> > > > > > > > > name,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > which is expected
> to
> >> > match
> >> > > > the
> >> > > > > > > > > principal
> >> > > > > > > > > > > > name.
> >> > > > > > > > > > > > > > So,
> >> > > > > > > > > > > > > > > >> I am
> >> > > > > > > > > > > > > > > >> > > > > > wondering
> >> > > > > > > > > > > > > > > >> > > > > > > > why
> >> > > > > > > > > > > > > > > >> > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > tool needs to know
> >> the
> >> > > > > principal
> >> > > > > > > > > > builder.
> >> > > > > > > > > > > > What
> >> > > > > > > > > > > > > > if
> >> > > > > > > > > > > > > > > we
> >> > > > > > > > > > > > > > > >> > only
> >> > > > > > > > > > > > > > > >> > > > > make
> >> > > > > > > > > > > > > > > >> > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > following changes:
> >> pass
> >> > > the
> >> > > > > java
> >> > > > > > > > > > principal
> >> > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> session
> >> > > > > > > > > > > > > > > >> > and
> >> > > > > > > > > > > > > > > >> > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > SimpleAuthorizer,
> >> > > construct
> >> > > > > > > > > > KafkaPrincipal
> >> > > > > > > > > > > > > from
> >> > > > > > > > > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > > name.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Will
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > that work for
> >> LinkedIn?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal
> >> > > > > > > > buildPrincipal(Map<String,
> >> > > > > > > > > > ?>
> >> > > > > > > > > > > > > > > >> > > principalConfigs)
> >> > > > > > > > > > > > > > > >> > > > > > will
> >> > > > > > > > > > > > > > > >> > > > > > > be
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > called
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > from the
> >> commandline
> >> > > > client
> >> > > > > > > > > > > kafka-acls.sh
> >> > > > > > > > > > > > > > while
> >> > > > > > > > > > > > > > > >> the
> >> > > > > > > > > > > > > > > >> > > other
> >> > > > > > > > > > > > > > > >> > > > > API
> >> > > > > > > > > > > > > > > >> > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > > > > > > be
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > called
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > at runtime when
> >> Kafka
> >> > > > > > receives a
> >> > > > > > > > > > client
> >> > > > > > > > > > > > > > request
> >> > > > > > > > > > > > > > > >> over
> >> > > > > > > > > > > > > > > >> > > > > request
> >> > > > > > > > > > > > > > > >> > > > > > > > > channel.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4. The KIP has
> "If
> >> > users
> >> > > > use
> >> > > > > > > there
> >> > > > > > > > > > > custom
> >> > > > > > > > > > > > > > > >> > > > PrincipalBuilder,
> >> > > > > > > > > > > > > > > >> > > > > > > they
> >> > > > > > > > > > > > > > > >> > > > > > > > > will
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > have
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > to implement
> there
> >> > > custom
> >> > > > > > > > Authorizer
> >> > > > > > > > > > as
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > out
> >> > > > > > > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > box
> >> > > > > > > > > > > > > > > >> > > > > > > Authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Kafka provides
> uses
> >> > > > > > > > KafkaPrincipal."
> >> > > > > > > > > > > This
> >> > > > > > > > > > > > is
> >> > > > > > > > > > > > > > not
> >> > > > > > > > > > > > > > > >> > ideal
> >> > > > > > > > > > > > > > > >> > > > for
> >> > > > > > > > > > > > > > > >> > > > > > > > existing
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > users.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Could we avoid
> >> that?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes, this is
> >> > > possible
> >> > > > > to
> >> > > > > > > > avoid
> >> > > > > > > > > if
> >> > > > > > > > > > > we
> >> > > > > > > > > > > > do
> >> > > > > > > > > > > > > > > >> point 2.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > On Wed, Feb 8,
> >> 2017 at
> >> > > > 3:31
> >> > > > > > PM,
> >> > > > > > > > Jun
> >> > > > > > > > > > Rao
> >> > > > > > > > > > > <
> >> > > > > > > > > > > > > > > >> > > > j...@confluent.io>
> >> > > > > > > > > > > > > > > >> > > > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Hi, Mayuresh,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks for the
> >> KIP.
> >> > A
> >> > > > few
> >> > > > > > > > comments
> >> > > > > > > > > > > > below.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 1. It seems the
> >> > > problem
> >> > > > > that
> >> > > > > > > you
> >> > > > > > > > > are
> >> > > > > > > > > > > > > trying
> >> > > > > > > > > > > > > > to
> >> > > > > > > > > > > > > > > >> > > address
> >> > > > > > > > > > > > > > > >> > > > is
> >> > > > > > > > > > > > > > > >> > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal
> >> returned
> >> > > from
> >> > > > > > > > > KafkaChannel
> >> > > > > > > > > > > may
> >> > > > > > > > > > > > > > have
> >> > > > > > > > > > > > > > > >> > > > additional
> >> > > > > > > > > > > > > > > >> > > > > > > fields
> >> > > > > > > > > > > > > > > >> > > > > > > > > > than
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > name
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > that are needed
> >> > during
> >> > > > > > > > > > authorization.
> >> > > > > > > > > > > > Have
> >> > > > > > > > > > > > > > you
> >> > > > > > > > > > > > > > > >> > > > > considered a
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > customized
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> PrincipleBuilder
> >> > that
> >> > > > > > extracts
> >> > > > > > > > all
> >> > > > > > > > > > > > needed
> >> > > > > > > > > > > > > > > fields
> >> > > > > > > > > > > > > > > >> > from
> >> > > > > > > > > > > > > > > >> > > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > > principal
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > squeezes them
> as
> >> a
> >> > > json
> >> > > > in
> >> > > > > > the
> >> > > > > > > > > name
> >> > > > > > > > > > of
> >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> returned
> >> > > > > > > > > > > > > > > >> > > > > > > principal?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Then,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > authorizer can
> >> just
> >> > > > parse
> >> > > > > > the
> >> > > > > > > > json
> >> > > > > > > > > > and
> >> > > > > > > > > > > > > > extract
> >> > > > > > > > > > > > > > > >> > needed
> >> > > > > > > > > > > > > > > >> > > > > > fields.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 2. Could you
> >> explain
> >> > > how
> >> > > > > the
> >> > > > > > > > > default
> >> > > > > > > > > > > > > > > authorizer
> >> > > > > > > > > > > > > > > >> > works
> >> > > > > > > > > > > > > > > >> > > > > now?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > Currently,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > code just
> >> compares
> >> > the
> >> > > > two
> >> > > > > > > > > principal
> >> > > > > > > > > > > > > > objects.
> >> > > > > > > > > > > > > > > >> Are
> >> > > > > > > > > > > > > > > >> > we
> >> > > > > > > > > > > > > > > >> > > > > > > converting
> >> > > > > > > > > > > > > > > >> > > > > > > > > the
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > java
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal to a
> >> > > > > > KafkaPrincipal
> >> > > > > > > > > there?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 3. Do we need
> to
> >> add
> >> > > the
> >> > > > > > > > following
> >> > > > > > > > > > > > method
> >> > > > > > > > > > > > > in
> >> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder?
> >> > > > > > > > > > > > > > > >> > > > > > > > > The
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > configs
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > are already
> >> passed
> >> > in
> >> > > > > > through
> >> > > > > > > > > > > > configure()
> >> > > > > > > > > > > > > > and
> >> > > > > > > > > > > > > > > an
> >> > > > > > > > > > > > > > > >> > > > > > > implementation
> >> > > > > > > > > > > > > > > >> > > > > > > > > can
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > cache
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > it and use it
> in
> >> > > > > > > > buildPrincipal().
> >> > > > > > > > > > > It's
> >> > > > > > > > > > > > > also
> >> > > > > > > > > > > > > > > not
> >> > > > > > > > > > > > > > > >> > > clear
> >> > > > > > > > > > > > > > > >> > > > to
> >> > > > > > > > > > > > > > > >> > > > > > me
> >> > > > > > > > > > > > > > > >> > > > > > > > > where
> >> > > > > > > > > > > > > > > >> > > > > > > > > > we
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > call
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > the new and the
> >> old
> >> > > > > method,
> >> > > > > > > and
> >> > > > > > > > > > > whether
> >> > > > > > > > > > > > > both
> >> > > > > > > > > > > > > > > >> will
> >> > > > > > > > > > > > > > > >> > be
> >> > > > > > > > > > > > > > > >> > > > > called
> >> > > > > > > > > > > > > > > >> > > > > > > or
> >> > > > > > > > > > > > > > > >> > > > > > > > > one
> >> > > > > > > > > > > > > > > >> > > > > > > > > > of
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > them
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > will be called.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Principal
> >> > > > > > > > > buildPrincipal(Map<String,
> >> > > > > > > > > > > ?>
> >> > > > > > > > > > > > > > > >> > > > > principalConfigs);
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 4. The KIP has
> >> "If
> >> > > users
> >> > > > > use
> >> > > > > > > > there
> >> > > > > > > > > > > > custom
> >> > > > > > > > > > > > > > > >> > > > > PrincipalBuilder,
> >> > > > > > > > > > > > > > > >> > > > > > > > they
> >> > > > > > > > > > > > > > > >> > > > > > > > > > will
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > have
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > to implement
> >> there
> >> > > > custom
> >> > > > > > > > > Authorizer
> >> > > > > > > > > > > as
> >> > > > > > > > > > > > > the
> >> > > > > > > > > > > > > > > out
> >> > > > > > > > > > > > > > > >> of
> >> > > > > > > > > > > > > > > >> > > box
> >> > > > > > > > > > > > > > > >> > > > > > > > Authorizer
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > that
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Kafka provides
> >> uses
> >> > > > > > > > > KafkaPrincipal."
> >> > > > > > > > > > > > This
> >> > > > > > > > > > > > > is
> >> > > > > > > > > > > > > > > not
> >> > > > > > > > > > > > > > > >> > > ideal
> >> > > > > > > > > > > > > > > >> > > > > for
> >> > > > > > > > > > > > > > > >> > > > > > > > > existing
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > users.
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Could we avoid
> >> that?
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Jun
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > On Fri, Feb 3,
> >> 2017
> >> > at
> >> > > > > 11:25
> >> > > > > > > AM,
> >> > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > > >> Gharat <
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > gharatmayures...@gmail.com
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > wrote:
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Hi All,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > It seems that
> >> > there
> >> > > is
> >> > > > > no
> >> > > > > > > > > further
> >> > > > > > > > > > > > > concern
> >> > > > > > > > > > > > > > > with
> >> > > > > > > > > > > > > > > >> > the
> >> > > > > > > > > > > > > > > >> > > > > > KIP-111.
> >> > > > > > > > > > > > > > > >> > > > > > > > At
> >> > > > > > > > > > > > > > > >> > > > > > > > > > this
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > point
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > we would like
> >> to
> >> > > start
> >> > > > > the
> >> > > > > > > > > voting
> >> > > > > > > > > > > > > process.
> >> > > > > > > > > > > > > > > The
> >> > > > > > > > > > > > > > > >> > KIP
> >> > > > > > > > > > > > > > > >> > > > can
> >> > > > > > > > > > > > > > > >> > > > > be
> >> > > > > > > > > > > > > > > >> > > > > > > > found
> >> > > > > > > > > > > > > > > >> > > > > > > > > > at
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
> >> > > > > https://cwiki.apache.org/
> >> > > > > > > > > > > > > > > >> > confluence/pages/viewpage
> >> > > > > > > > > > > > > > > >> > > .
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > action?pageId=67638388
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Mayuresh
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > --
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -Regards,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh R.
> Gharat
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Jun
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > --
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > -Regards,
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > > > > > >> > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > > > > > > >> > > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > > >
> >> > > > > > > > > > > > > > > >> > > > > >
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > > > --
> >> > > > > > > > > > > > > > > >> > > > > -Regards,
> >> > > > > > > > > > > > > > > >> > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > > > > > >> > > > > (862) 250-7125
> >> > > > > > > > > > > > > > > >> > > > >
> >> > > > > > > > > > > > > > > >> > > >
> >> > > > > > > > > > > > > > > >> > >
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >> > --
> >> > > > > > > > > > > > > > > >> > -Regards,
> >> > > > > > > > > > > > > > > >> > Mayuresh R. Gharat
> >> > > > > > > > > > > > > > > >> > (862) 250-7125
> >> > > > > > > > > > > > > > > >> >
> >> > > > > > > > > > > > > > > >>
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > > --
> >> > > > > > > > > > > > > > > > -Regards,
> >> > > > > > > > > > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > > > --
> >> > > > > > > > > > > > > > > -Regards,
> >> > > > > > > > > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > > > > > >
> >> > > > > > > > > > > > > >
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > > > --
> >> > > > > > > > > > > > > -Regards,
> >> > > > > > > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > > > >
> >> > > > > > > > > > > >
> >> > > > > > > > > > >
> >> > > > > > > > > > >
> >> > > > > > > > > > >
> >> > > > > > > > > > > --
> >> > > > > > > > > > > -Regards,
> >> > > > > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > > > > (862) 250-7125
> >> > > > > > > > > > >
> >> > > > > > > > > >
> >> > > > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > >
> >> > > > > > > > --
> >> > > > > > > > -Regards,
> >> > > > > > > > Mayuresh R. Gharat
> >> > > > > > > > (862) 250-7125
> >> > > > > > > >
> >> > > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > >
> >> > > > > > --
> >> > > > > > -Regards,
> >> > > > > > Mayuresh R. Gharat
> >> > > > > > (862) 250-7125
> >> > > > > >
> >> > > > >
> >> > > >
> >> > >
> >> > >
> >> > >
> >> > > --
> >> > > -Regards,
> >> > > Mayuresh R. Gharat
> >> > > (862) 250-7125
> >> > >
> >> >
> >>
> >
> >
> >
> > --
> > -Regards,
> > Mayuresh R. Gharat
> > (862) 250-7125
> >
>
>
>
> --
> -Regards,
> Mayuresh R. Gharat
> (862) 250-7125
>

Reply via email to