Hi Jun, Please find the replies inline.
One reason to have KafkaPrincipal in ACL is that we can extend it to support group in the future. Have you thought about how to support that in your new proposal? ---> This is a feature of PrincipalBuilder and Authorizer, which are pluggable. The type of Principal should be opaque to core Kafka. If we want to add support to group, we can add that to KafkaPrincipal class and modify the SimpleAclAuthorizer to add/modify/check the ACL accordingly. Another reason that we had KafkaPrincipal is simplicity. It can be constructed from a simple string and makes matching easier. If we expose java.security.Principal,then I guess that when an ACL is set, we have to be able to construct a java.security.Principal from some string to match the java.security.Principal generated from the SSL or SASL library. How do we make sure that the same type of java.security.Principal can be created and will match? ----> Again this will be determined by the plugged in Authorizer and PrincipalBuilder. Your PrincipalBuilder can make sure that it creates a Principal whose name matches the string you specified while creating the ACL. The Authorizer should make sure that it extracts the String from the Principal and do the matching. In our earlier discussions, we discussed about having a PrincipalBuilder class specifier as a command line argument for the kafka-acls.sh to handle this case but we decided that it would be an overkill at this stage. Thanks, Mayuresh On Mon, Mar 20, 2017 at 7:42 AM, Jun Rao <j...@confluent.io> wrote: > Hi, Mayuresh, > > One reason to have KafkaPrincipal in ACL is that we can extend it to > support group in the future. Have you thought about how to support that in > your new proposal? > > Another reason that we had KafkaPrincipal is simplicity. It can be > constructed from a simple string and makes matching easier. If we > expose java.security.Principal, > then I guess that when an ACL is set, we have to be able to construct > a java.security.Principal > from some string to match the java.security.Principal generated from the > SSL or SASL library. How do we make sure that the same type of > java.security.Principal > can be created and will match? > > Thanks, > > Jun > > > On Wed, Mar 15, 2017 at 8:48 PM, Mayuresh Gharat < > gharatmayures...@gmail.com > > wrote: > > > Hi Jun, > > > > Sorry for the delayed reply. > > I agree that the easiest thing will be to add an additional field in the > > Session class and we should be OK. > > But having a KafkaPrincipal and java Principal with in the same class > looks > > little weird. > > > > So we can do this and slowly deprecate the usage of KafkaPrincipal in > > public api's. > > > > We add new apis and make changes to the existing apis as follows : > > > > > > - Changes to Session class : > > > > @Deprecated > > case class Session(principal: KafkaPrincipal, clientAddress: > InetAddress) { > > val sanitizedUser = QuotaId.sanitize(principal.getName) > > } > > > > > > *@Deprecated ...... (NEW)* > > > > > > *case class Session(principal: KafkaPrincipal, clientAddress: > InetAddress, > > channelPrincipal: Java.security.Principal) { val sanitizedUser = > > QuotaId.sanitize(principal.getName)}* > > > > *(NEW)* > > > > > > *case class Session(principal: Java.security.Principal, clientAddress: > > InetAddress) { val sanitizedUser = QuotaId.sanitize(principal.get > > Name)}* > > > > > > - Changes to Authorizer Interface : > > > > @Deprecated > > def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]] > > > > *(NEW)* > > *def getAcls(principal: Java.security.Principal): Map[Resource, > Set[Acl]]* > > > > > > - Changes to Acl class : > > > > @Deprecated > > case class Acl(principal: KafkaPrincipal, permissionType: PermissionType, > > host: String, operation: Operation) > > > > *(NEW)* > > > > > > *case class Acl(principal: Java.security.Principal, permissionType: > > PermissionType, host: String, operation: Operation) * > > The one in Bold are the new api's. We will remove them eventually, > probably > > in next major release. > > We don't want to get rid of KafkaPrincipal class and it will be used in > the > > same way as it does right now for out of box authorizer and commandline > > tool. We would only be removing its direct usage from public apis. > > Doing the above deprecation will help us to support other implementation > of > > Java.security.Principal as well which seems necessary especially since > > Kafka provides pluggable Authorizer and PrincipalBuilder. > > > > Let me know your thoughts on this. > > > > Thanks, > > > > Mayuresh > > > > On Tue, Feb 28, 2017 at 2:33 PM, Mayuresh Gharat < > > gharatmayures...@gmail.com > > > wrote: > > > > > Hi Jun, > > > > > > Sure. > > > I had an offline discussion with Joel on how we can deprecate the > > > KafkaPrincipal from Session and Authorizer. > > > I will update the KIP to see if we can address all the concerns here. > If > > > not we can keep the KafkaPrincipal. > > > > > > Thanks, > > > > > > Mayuresh > > > > > > On Tue, Feb 28, 2017 at 1:53 PM, Jun Rao <j...@confluent.io> wrote: > > > > > >> Hi, Joel, > > >> > > >> Good point on the getAcls() method. KafkaPrincipal is also tied to > ACL, > > >> which is used in pretty much every method in Authorizer. Now, I am not > > >> sure > > >> if it's easy to deprecate KafkaPrincipal. > > >> > > >> Hi, Mayuresh, > > >> > > >> Given the above, it seems that the easiest thing is to add a new > > Principal > > >> field in Session. We want to make it clear that it's ignored in the > > >> default > > >> implementation, but a customizer authorizer could take advantage of > > that. > > >> > > >> Thanks, > > >> > > >> Jun > > >> > > >> On Tue, Feb 28, 2017 at 10:52 AM, Joel Koshy <jjkosh...@gmail.com> > > wrote: > > >> > > >> > If we deprecate KafkaPrincipal, then the Authorizer interface will > > also > > >> > need to change - i.e., deprecate the getAcls(KafkaPrincipal) method. > > >> > > > >> > On Tue, Feb 28, 2017 at 10:11 AM, Mayuresh Gharat < > > >> > gharatmayures...@gmail.com> wrote: > > >> > > > >> > > Hi Jun/Ismael, > > >> > > > > >> > > Thanks for the comments. > > >> > > > > >> > > I agree. > > >> > > What I was thinking was, we get the KIP passed now and wait till > > major > > >> > > kafka version release. We can then make this change, but for now > we > > >> can > > >> > > wait. Does that work? > > >> > > > > >> > > If there are concerns, we can make the addition of extra field of > > type > > >> > > Principal to Session and then deprecate the KafkaPrincipal later. > > >> > > > > >> > > I am fine either ways. What do you think? > > >> > > > > >> > > Thanks, > > >> > > > > >> > > Mayuresh > > >> > > > > >> > > On Tue, Feb 28, 2017 at 9:53 AM, Jun Rao <j...@confluent.io> > wrote: > > >> > > > > >> > > > Hi, Ismael, > > >> > > > > > >> > > > Good point on compatibility. > > >> > > > > > >> > > > Hi, Mayuresh, > > >> > > > > > >> > > > Given that, it seems that it's better to just add the raw > > principal > > >> as > > >> > a > > >> > > > new field in Session for now and deprecate the KafkaPrincipal > > field > > >> in > > >> > > the > > >> > > > future if needed? > > >> > > > > > >> > > > Thanks, > > >> > > > > > >> > > > Jun > > >> > > > > > >> > > > On Mon, Feb 27, 2017 at 5:05 PM, Ismael Juma <ism...@juma.me.uk > > > > >> > wrote: > > >> > > > > > >> > > > > Breaking clients without a deprecation period is something we > > >> only do > > >> > > as > > >> > > > a > > >> > > > > last resort. Is there strong justification for doing it here? > > >> > > > > > > >> > > > > Ismael > > >> > > > > > > >> > > > > On Mon, Feb 27, 2017 at 11:28 PM, Mayuresh Gharat < > > >> > > > > gharatmayures...@gmail.com> wrote: > > >> > > > > > > >> > > > > > Hi Ismael, > > >> > > > > > > > >> > > > > > Yeah. I agree that it might break the clients if the user is > > >> using > > >> > > the > > >> > > > > > kafkaPrincipal directly. But since KafkaPrincipal is also a > > Java > > >> > > > > Principal > > >> > > > > > and I think, it would be a right thing to do replace the > > >> > > kafkaPrincipal > > >> > > > > > with Java Principal at this stage than later. > > >> > > > > > > > >> > > > > > We can mention in the KIP, that it would break the clients > > that > > >> are > > >> > > > using > > >> > > > > > the KafkaPrincipal directly and they will have to use the > > >> > > PrincipalType > > >> > > > > > directly, if they are using it as its only one value and use > > the > > >> > name > > >> > > > > from > > >> > > > > > the Principal directly or create a KafkaPrincipal from Java > > >> > Principal > > >> > > > as > > >> > > > > we > > >> > > > > > are doing in SimpleAclAuthorizer with this KIP. > > >> > > > > > > > >> > > > > > Thanks, > > >> > > > > > > > >> > > > > > Mayuresh > > >> > > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > > On Mon, Feb 27, 2017 at 10:56 AM, Ismael Juma < > > >> ism...@juma.me.uk> > > >> > > > wrote: > > >> > > > > > > > >> > > > > > > Hi Mayuresh, > > >> > > > > > > > > >> > > > > > > Sorry for the delay. The updated KIP states that there is > no > > >> > > > > > compatibility > > >> > > > > > > impact, but that doesn't seem right. The fact that we > > changed > > >> the > > >> > > > type > > >> > > > > of > > >> > > > > > > Session.principal to `Principal` means that any code that > > >> expects > > >> > > it > > >> > > > to > > >> > > > > > be > > >> > > > > > > `KafkaPrincipal` will break. Either because of declared > > types > > >> > > > (likely) > > >> > > > > or > > >> > > > > > > if it accesses `getPrincipalType` (unlikely since the > value > > is > > >> > > always > > >> > > > > the > > >> > > > > > > same). It's a bit annoying, but we should add a new field > to > > >> > > > `Session` > > >> > > > > > with > > >> > > > > > > the original principal. We can potentially deprecate the > > >> existing > > >> > > > one, > > >> > > > > if > > >> > > > > > > we're sure we don't need it (or we can leave it for now). > > >> > > > > > > > > >> > > > > > > Ismael > > >> > > > > > > > > >> > > > > > > On Mon, Feb 27, 2017 at 6:40 PM, Mayuresh Gharat < > > >> > > > > > > gharatmayures...@gmail.com > > >> > > > > > > > wrote: > > >> > > > > > > > > >> > > > > > > > Hi Ismael, Joel, Becket > > >> > > > > > > > > > >> > > > > > > > Would you mind taking a look at this. We require 2 more > > >> binding > > >> > > > votes > > >> > > > > > for > > >> > > > > > > > the KIP to pass. > > >> > > > > > > > > > >> > > > > > > > Thanks, > > >> > > > > > > > > > >> > > > > > > > Mayuresh > > >> > > > > > > > > > >> > > > > > > > On Thu, Feb 23, 2017 at 10:57 AM, Dong Lin < > > >> > lindon...@gmail.com> > > >> > > > > > wrote: > > >> > > > > > > > > > >> > > > > > > > > +1 (non-binding) > > >> > > > > > > > > > > >> > > > > > > > > On Wed, Feb 22, 2017 at 10:52 PM, Manikumar < > > >> > > > > > manikumar.re...@gmail.com > > >> > > > > > > > > > >> > > > > > > > > wrote: > > >> > > > > > > > > > > >> > > > > > > > > > +1 (non-binding) > > >> > > > > > > > > > > > >> > > > > > > > > > On Thu, Feb 23, 2017 at 3:27 AM, Mayuresh Gharat < > > >> > > > > > > > > > gharatmayures...@gmail.com > > >> > > > > > > > > > > wrote: > > >> > > > > > > > > > > > >> > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > >> > > > > > > > > > > Thanks a lot for the comments and reviews. > > >> > > > > > > > > > > I agree we should log the username. > > >> > > > > > > > > > > What I meant by creating KafkaPrincipal was, after > > >> this > > >> > KIP > > >> > > > we > > >> > > > > > > would > > >> > > > > > > > > not > > >> > > > > > > > > > be > > >> > > > > > > > > > > required to create KafkaPrincipal and if we want > to > > >> > > maintain > > >> > > > > the > > >> > > > > > > old > > >> > > > > > > > > > > logging, we will have to create it as we do today. > > >> > > > > > > > > > > I will take care that we specify the Principal > name > > in > > >> > the > > >> > > > log. > > >> > > > > > > > > > > > > >> > > > > > > > > > > Thanks again for all the reviews. > > >> > > > > > > > > > > > > >> > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > >> > > > > > > > > > > On Wed, Feb 22, 2017 at 1:45 PM, Jun Rao < > > >> > j...@confluent.io > > >> > > > > > >> > > > > > wrote: > > >> > > > > > > > > > > > > >> > > > > > > > > > > > Hi, Mayuresh, > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > For logging the user name, we could do either > way. > > >> We > > >> > > just > > >> > > > > need > > >> > > > > > > to > > >> > > > > > > > > make > > >> > > > > > > > > > > > sure the expected user name is logged. Also, > > >> currently, > > >> > > we > > >> > > > > are > > >> > > > > > > > > already > > >> > > > > > > > > > > > creating a KafkaPrincipal on every request. +1 > on > > >> the > > >> > > > latest > > >> > > > > > KIP. > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > Jun > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > On Tue, Feb 21, 2017 at 8:05 PM, Mayuresh > Gharat < > > >> > > > > > > > > > > > gharatmayures...@gmail.com > > >> > > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks for the comments. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > I will mention in the KIP : how this change > > >> doesn't > > >> > > > affect > > >> > > > > > the > > >> > > > > > > > > > default > > >> > > > > > > > > > > > > authorizer implementation. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Regarding, Currently, we log the principal > name > > in > > >> > the > > >> > > > > > request > > >> > > > > > > > log > > >> > > > > > > > > in > > >> > > > > > > > > > > > > RequestChannel, which has the format of > > >> > "principalType > > >> > > + > > >> > > > > > > > SEPARATOR > > >> > > > > > > > > + > > >> > > > > > > > > > > > > name;". > > >> > > > > > > > > > > > > It would be good if we can keep the same > > >> convention > > >> > > after > > >> > > > > > this > > >> > > > > > > > KIP. > > >> > > > > > > > > > One > > >> > > > > > > > > > > > way > > >> > > > > > > > > > > > > to do that is to convert > java.security.Principal > > >> to > > >> > > > > > > > KafkaPrincipal > > >> > > > > > > > > > for > > >> > > > > > > > > > > > > logging the requests. > > >> > > > > > > > > > > > > --- > This would mean we have to create a new > > >> > > > > KafkaPrincipal > > >> > > > > > on > > >> > > > > > > > > each > > >> > > > > > > > > > > > > request. Would it be OK to just specify the > name > > >> of > > >> > the > > >> > > > > > > > principal. > > >> > > > > > > > > > > > > Is there any major reason, we don't want to > > change > > >> > the > > >> > > > > > logging > > >> > > > > > > > > > format? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > On Mon, Feb 20, 2017 at 10:18 PM, Jun Rao < > > >> > > > > j...@confluent.io> > > >> > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Hi, Mayuresh, > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks for the updated KIP. A couple of more > > >> > > comments. > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 1. Do we convert java.security.Principal to > > >> > > > > KafkaPrincipal > > >> > > > > > > for > > >> > > > > > > > > > > > > > authorization check in SimpleAclAuthorizer? > If > > >> so, > > >> > it > > >> > > > > would > > >> > > > > > > be > > >> > > > > > > > > > useful > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > mention that in the wiki so that people can > > >> > > understand > > >> > > > > how > > >> > > > > > > this > > >> > > > > > > > > > > change > > >> > > > > > > > > > > > > > doesn't affect the default authorizer > > >> > implementation. > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 2. Currently, we log the principal name in > the > > >> > > request > > >> > > > > log > > >> > > > > > in > > >> > > > > > > > > > > > > > RequestChannel, which has the format of > > >> > > "principalType > > >> > > > + > > >> > > > > > > > > SEPARATOR > > >> > > > > > > > > > + > > >> > > > > > > > > > > > > > name;". > > >> > > > > > > > > > > > > > It would be good if we can keep the same > > >> convention > > >> > > > after > > >> > > > > > > this > > >> > > > > > > > > KIP. > > >> > > > > > > > > > > One > > >> > > > > > > > > > > > > way > > >> > > > > > > > > > > > > > to do that is to convert > > >> java.security.Principal to > > >> > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > for > > >> > > > > > > > > > > > > > logging the requests. > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Jun > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 5:35 PM, Mayuresh > > >> Gharat < > > >> > > > > > > > > > > > > > gharatmayures...@gmail.com > > >> > > > > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > I have updated the KIP. Would you mind > > taking > > >> > > another > > >> > > > > > look? > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 4:42 PM, Mayuresh > > >> Gharat > > >> > < > > >> > > > > > > > > > > > > > > gharatmayures...@gmail.com > > >> > > > > > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > Sure sounds good to me. > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > On Fri, Feb 17, 2017 at 1:54 PM, Jun > Rao < > > >> > > > > > > j...@confluent.io > > >> > > > > > > > > > > >> > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> Hi, Mani, > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> Good point on using PrincipalBuilder > for > > >> SASL. > > >> > > It > > >> > > > > > seems > > >> > > > > > > > that > > >> > > > > > > > > > > > > > > >> PrincipalBuilder already has access to > > >> > > > > Authenticator. > > >> > > > > > > So, > > >> > > > > > > > we > > >> > > > > > > > > > > could > > >> > > > > > > > > > > > > > just > > >> > > > > > > > > > > > > > > >> enable that in SaslChannelBuilder. We > > >> probably > > >> > > > could > > >> > > > > > do > > >> > > > > > > > that > > >> > > > > > > > > > in > > >> > > > > > > > > > > a > > >> > > > > > > > > > > > > > > separate > > >> > > > > > > > > > > > > > > >> KIP? > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> Hi, Mayuresh, > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> If you don't think there is a concrete > > use > > >> > case > > >> > > > for > > >> > > > > > > using > > >> > > > > > > > > > > > > > > >> PrincipalBuilder in > > >> > > > > > > > > > > > > > > >> kafka-acls.sh, perhaps we could do the > > >> simpler > > >> > > > > > approach > > >> > > > > > > > for > > >> > > > > > > > > > now? > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> Thanks, > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> Jun > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> On Fri, Feb 17, 2017 at 12:23 PM, > > Mayuresh > > >> > > Gharat > > >> > > > < > > >> > > > > > > > > > > > > > > >> gharatmayures...@gmail.com> wrote: > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > >> > @Manikumar, > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > Can you give an example how you are > > >> planning > > >> > > to > > >> > > > > use > > >> > > > > > > > > > > > > > PrincipalBuilder? > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > @Jun > > >> > > > > > > > > > > > > > > >> > Yes, that is right. To give a brief > > >> > overview, > > >> > > we > > >> > > > > > just > > >> > > > > > > > > > extract > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > cert > > >> > > > > > > > > > > > > > > >> and > > >> > > > > > > > > > > > > > > >> > hand it over to a third party library > > for > > >> > > > > creating a > > >> > > > > > > > > > > Principal. > > >> > > > > > > > > > > > So > > >> > > > > > > > > > > > > > we > > >> > > > > > > > > > > > > > > >> > cannot create a Principal from just a > > >> > string. > > >> > > > > > > > > > > > > > > >> > The main motive behind adding the > > >> > > > PrincipalBuilder > > >> > > > > > for > > >> > > > > > > > > > > > > kafk-acls.sh > > >> > > > > > > > > > > > > > > was > > >> > > > > > > > > > > > > > > >> > that someone else (who can generate a > > >> > > Principal > > >> > > > > from > > >> > > > > > > map > > >> > > > > > > > > of > > >> > > > > > > > > > > > > > propertie, > > >> > > > > > > > > > > > > > > >> > <String, String> for example) can use > > it. > > >> > > > > > > > > > > > > > > >> > As I said, Linkedin is fine with not > > >> making > > >> > > any > > >> > > > > > > changes > > >> > > > > > > > to > > >> > > > > > > > > > > > > > > Kafka-acls.sh > > >> > > > > > > > > > > > > > > >> > for now. But we thought that it would > > be > > >> a > > >> > > good > > >> > > > > > > > > improvement > > >> > > > > > > > > > to > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > tool > > >> > > > > > > > > > > > > > > >> and > > >> > > > > > > > > > > > > > > >> > it makes it more flexible and usable. > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > Let us know your thoughts, if you > would > > >> like > > >> > > us > > >> > > > to > > >> > > > > > > make > > >> > > > > > > > > > > > > > kafka-acls.sh > > >> > > > > > > > > > > > > > > >> more > > >> > > > > > > > > > > > > > > >> > flexible and usable and not limited > to > > >> > > > Authorizer > > >> > > > > > > coming > > >> > > > > > > > > out > > >> > > > > > > > > > > of > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > box. > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > Thanks, > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > On Thu, Feb 16, 2017 at 10:18 PM, > > >> Manikumar > > >> > < > > >> > > > > > > > > > > > > > > manikumar.re...@gmail.com> > > >> > > > > > > > > > > > > > > >> > wrote: > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > > Hi Jun, > > >> > > > > > > > > > > > > > > >> > > > > >> > > > > > > > > > > > > > > >> > > yes, we can just customize rules to > > >> send > > >> > > full > > >> > > > > > > > principal > > >> > > > > > > > > > > > name. I > > >> > > > > > > > > > > > > > was > > >> > > > > > > > > > > > > > > >> > > just thinking to > > >> > > > > > > > > > > > > > > >> > > use PrinciplaBuilder interface for > > >> > > > implementing > > >> > > > > > SASL > > >> > > > > > > > > rules > > >> > > > > > > > > > > > also. > > >> > > > > > > > > > > > > > So > > >> > > > > > > > > > > > > > > >> that > > >> > > > > > > > > > > > > > > >> > > the interface > > >> > > > > > > > > > > > > > > >> > > will be consistent across > protocols. > > >> > > > > > > > > > > > > > > >> > > > > >> > > > > > > > > > > > > > > >> > > Thanks > > >> > > > > > > > > > > > > > > >> > > > > >> > > > > > > > > > > > > > > >> > > On Fri, Feb 17, 2017 at 1:07 AM, > Jun > > >> Rao < > > >> > > > > > > > > > j...@confluent.io> > > >> > > > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > >> > > > > > > > > > > > > > > >> > > > Hi, Radai, Mayuresh, > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > Thanks for the explanation. Good > > >> point > > >> > on > > >> > > a > > >> > > > > > > > pluggable > > >> > > > > > > > > > > > > authorizer > > >> > > > > > > > > > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > customize how acls are added. > > >> However, > > >> > > > > earlier, > > >> > > > > > > > > Mayuresh > > >> > > > > > > > > > > was > > >> > > > > > > > > > > > > > > saying > > >> > > > > > > > > > > > > > > >> > that > > >> > > > > > > > > > > > > > > >> > > in > > >> > > > > > > > > > > > > > > >> > > > LinkedIn's customized authorizer, > > >> it's > > >> > not > > >> > > > > > > possible > > >> > > > > > > > to > > >> > > > > > > > > > > > create > > >> > > > > > > > > > > > > a > > >> > > > > > > > > > > > > > > >> > principal > > >> > > > > > > > > > > > > > > >> > > > from string. If that's the case, > > will > > >> > > adding > > >> > > > > the > > >> > > > > > > > > > principal > > >> > > > > > > > > > > > > > builder > > >> > > > > > > > > > > > > > > >> in > > >> > > > > > > > > > > > > > > >> > > > kafka-acl.sh help? If the > principal > > >> can > > >> > be > > >> > > > > > > > constructed > > >> > > > > > > > > > > from > > >> > > > > > > > > > > > a > > >> > > > > > > > > > > > > > > >> string, > > >> > > > > > > > > > > > > > > >> > > > wouldn't it be simpler to just > let > > >> > > > > kafka-acl.sh > > >> > > > > > do > > >> > > > > > > > > > > > > authorization > > >> > > > > > > > > > > > > > > >> based > > >> > > > > > > > > > > > > > > >> > on > > >> > > > > > > > > > > > > > > >> > > > that string name and not be aware > > of > > >> the > > >> > > > > > principal > > >> > > > > > > > > > > builder? > > >> > > > > > > > > > > > If > > >> > > > > > > > > > > > > > you > > >> > > > > > > > > > > > > > > >> > still > > >> > > > > > > > > > > > > > > >> > > > think there is a need, perhaps > you > > >> can > > >> > > add a > > >> > > > > > more > > >> > > > > > > > > > concrete > > >> > > > > > > > > > > > use > > >> > > > > > > > > > > > > > > case > > >> > > > > > > > > > > > > > > >> > that > > >> > > > > > > > > > > > > > > >> > > > can't be done otherwise? > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > Hi, Mani, > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > For SASL, if the authorizer needs > > the > > >> > full > > >> > > > > > > kerberos > > >> > > > > > > > > > > > principal > > >> > > > > > > > > > > > > > > name, > > >> > > > > > > > > > > > > > > >> > > > currently, the user can just > > >> customize " > > >> > > > > > > > > > > > > > > sasl.kerberos.principal.to. > > >> > > > > > > > > > > > > > > >> > > > local.rules" > > >> > > > > > > > > > > > > > > >> > > > to return the full principal name > > as > > >> the > > >> > > > name > > >> > > > > > for > > >> > > > > > > > > > > > > authorization, > > >> > > > > > > > > > > > > > > >> right? > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > Jun > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > On Wed, Feb 15, 2017 at 10:25 AM, > > >> > Mayuresh > > >> > > > > > Gharat > > >> > > > > > > < > > >> > > > > > > > > > > > > > > >> > > > gharatmayures...@gmail.com> > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > > @Jun thanks for the > > comments.Please > > >> > see > > >> > > > the > > >> > > > > > > > replies > > >> > > > > > > > > > > > inline. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Currently kafka-acl.sh just > > >> creates an > > >> > > ACL > > >> > > > > > path > > >> > > > > > > in > > >> > > > > > > > > ZK > > >> > > > > > > > > > > with > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > principal > > >> > > > > > > > > > > > > > > >> > > > > name string. > > >> > > > > > > > > > > > > > > >> > > > > ----> Yes, the kafka-acl.sh > calls > > >> the > > >> > > > > addAcl() > > >> > > > > > > on > > >> > > > > > > > > the > > >> > > > > > > > > > > > > inbuilt > > >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer which in > turn > > >> > > creates > > >> > > > an > > >> > > > > > ACL > > >> > > > > > > > in > > >> > > > > > > > > ZK > > >> > > > > > > > > > > > with > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > Principal > > >> > > > > > > > > > > > > > > >> > > > > name string. This is because we > > >> supply > > >> > > the > > >> > > > > > > > > > > > > SimpleAclAuthorizer > > >> > > > > > > > > > > > > > > as > > >> > > > > > > > > > > > > > > >> a > > >> > > > > > > > > > > > > > > >> > > > > commandline argument in the > > >> > > Kafka-acls.sh > > >> > > > > > > command. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > The authorizer module in the > > broker > > >> > > reads > > >> > > > > the > > >> > > > > > > > > > principal > > >> > > > > > > > > > > > name > > >> > > > > > > > > > > > > > > >> > > > > string from the acl path in ZK > > and > > >> > > creates > > >> > > > > the > > >> > > > > > > > > > expected > > >> > > > > > > > > > > > > > > >> > KafkaPrincipal > > >> > > > > > > > > > > > > > > >> > > > for > > >> > > > > > > > > > > > > > > >> > > > > matching. As you can see, the > > >> expected > > >> > > > > > principal > > >> > > > > > > > is > > >> > > > > > > > > > > > created > > >> > > > > > > > > > > > > on > > >> > > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > broker > > >> > > > > > > > > > > > > > > >> > > > > side, not by the kafka-acl.sh > > tool. > > >> > > > > > > > > > > > > > > >> > > > > ----> This is considering the > > fact > > >> > that > > >> > > > the > > >> > > > > > user > > >> > > > > > > > is > > >> > > > > > > > > > > using > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer on the > broker > > >> side > > >> > > and > > >> > > > > not > > >> > > > > > > his > > >> > > > > > > > > own > > >> > > > > > > > > > > > > custom > > >> > > > > > > > > > > > > > > >> > > Authorizer. > > >> > > > > > > > > > > > > > > >> > > > > The SimpleAclAuthorizer will > take > > >> the > > >> > > > > > Principal > > >> > > > > > > it > > >> > > > > > > > > > gets > > >> > > > > > > > > > > > from > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > Session > > >> > > > > > > > > > > > > > > >> > > > > class . Currently the Principal > > is > > >> > > > > > > KafkaPrincipal. > > >> > > > > > > > > > This > > >> > > > > > > > > > > > > > > >> > KafkaPrincipal > > >> > > > > > > > > > > > > > > >> > > is > > >> > > > > > > > > > > > > > > >> > > > > generated from the name of the > > >> actual > > >> > > > > channel > > >> > > > > > > > > > Principal, > > >> > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > SocketServer > > >> > > > > > > > > > > > > > > >> > > > > class when processing completed > > >> > > receives. > > >> > > > > > > > > > > > > > > >> > > > > With this KIP, this will no > > longer > > >> be > > >> > > the > > >> > > > > case > > >> > > > > > > as > > >> > > > > > > > > the > > >> > > > > > > > > > > > > Session > > >> > > > > > > > > > > > > > > >> class > > >> > > > > > > > > > > > > > > >> > > will > > >> > > > > > > > > > > > > > > >> > > > > store a java.security.Principal > > >> > instead > > >> > > of > > >> > > > > > > > specific > > >> > > > > > > > > > > > > > > >> KafkaPrincipal. > > >> > > > > > > > > > > > > > > >> > So > > >> > > > > > > > > > > > > > > >> > > > the > > >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer will > > construct > > >> the > > >> > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > from > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > channel > > >> > > > > > > > > > > > > > > >> > > > > Principal it gets from the > > Session > > >> > > class. > > >> > > > > > > > > > > > > > > >> > > > > User might not want to use the > > >> > > > > > > SimpleAclAuthorizer > > >> > > > > > > > > but > > >> > > > > > > > > > > use > > >> > > > > > > > > > > > > > > his/her > > >> > > > > > > > > > > > > > > >> > own > > >> > > > > > > > > > > > > > > >> > > > > custom Authorizer. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > The broker already has the > > ability > > >> to > > >> > > > > > > > > > > > > > > >> > > > > configure PrincipalBuilder. > > That's > > >> > why I > > >> > > > am > > >> > > > > > not > > >> > > > > > > > sure > > >> > > > > > > > > > if > > >> > > > > > > > > > > > > there > > >> > > > > > > > > > > > > > > is a > > >> > > > > > > > > > > > > > > >> > need > > >> > > > > > > > > > > > > > > >> > > > for > > >> > > > > > > > > > > > > > > >> > > > > kafka-acl.sh to customize > > >> > > > PrincipalBuilder. > > >> > > > > > > > > > > > > > > >> > > > > ----> This is exactly the > reason > > >> why > > >> > we > > >> > > > want > > >> > > > > > to > > >> > > > > > > > > > propose > > >> > > > > > > > > > > a > > >> > > > > > > > > > > > > > > >> > > > PrincipalBuilder > > >> > > > > > > > > > > > > > > >> > > > > in kafka-acls.sh so that the > > >> Principal > > >> > > > > > generated > > >> > > > > > > > by > > >> > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > PrincipalBuilder > > >> > > > > > > > > > > > > > > >> > > > on > > >> > > > > > > > > > > > > > > >> > > > > broker is consistent with that > > >> > generated > > >> > > > > while > > >> > > > > > > > > > creating > > >> > > > > > > > > > > > ACLs > > >> > > > > > > > > > > > > > > using > > >> > > > > > > > > > > > > > > >> > the > > >> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh command line > tool. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > *To summarize the above > > >> discussions :* > > >> > > > > > > > > > > > > > > >> > > > > What if we only make the > > following > > >> > > > changes: > > >> > > > > > pass > > >> > > > > > > > the > > >> > > > > > > > > > > java > > >> > > > > > > > > > > > > > > >> principal > > >> > > > > > > > > > > > > > > >> > in > > >> > > > > > > > > > > > > > > >> > > > > session and in > > >> > > > > > > > > > > > > > > >> > > > > SimpleAuthorizer, construct > > >> > > KafkaPrincipal > > >> > > > > > from > > >> > > > > > > > java > > >> > > > > > > > > > > > > principal > > >> > > > > > > > > > > > > > > >> name. > > >> > > > > > > > > > > > > > > >> > > Will > > >> > > > > > > > > > > > > > > >> > > > > that work for LinkedIn? > > >> > > > > > > > > > > > > > > >> > > > > ------> Yes, this works for > > >> Linkedin > > >> > as > > >> > > we > > >> > > > > are > > >> > > > > > > not > > >> > > > > > > > > > using > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > kafka-acls.sh > > >> > > > > > > > > > > > > > > >> > > > > tool to create/update/add ACLs, > > for > > >> > now. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Do you think there is a use > case > > >> for a > > >> > > > > > > customized > > >> > > > > > > > > > > > authorizer > > >> > > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > >> > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > at the > > >> > > > > > > > > > > > > > > >> > > > > same time? If not, it's better > > not > > >> to > > >> > > > > > complicate > > >> > > > > > > > the > > >> > > > > > > > > > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> api. > > >> > > > > > > > > > > > > > > >> > > > > -----> At Linkedin, we don't > use > > >> this > > >> > > tool > > >> > > > > for > > >> > > > > > > > now. > > >> > > > > > > > > So > > >> > > > > > > > > > > we > > >> > > > > > > > > > > > > are > > >> > > > > > > > > > > > > > > fine > > >> > > > > > > > > > > > > > > >> > with > > >> > > > > > > > > > > > > > > >> > > > the > > >> > > > > > > > > > > > > > > >> > > > > minimal change for now. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Initially, our change was > > minimal, > > >> > just > > >> > > > > > getting > > >> > > > > > > > the > > >> > > > > > > > > > > Kafka > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> preserve > > >> > > > > > > > > > > > > > > >> > > the > > >> > > > > > > > > > > > > > > >> > > > > channel principal. Since there > > was > > >> a > > >> > > > > > discussion > > >> > > > > > > > how > > >> > > > > > > > > > > > > > > kafka-acls.sh > > >> > > > > > > > > > > > > > > >> > would > > >> > > > > > > > > > > > > > > >> > > > > work with this change, on the > > >> ticket, > > >> > we > > >> > > > > > > designed > > >> > > > > > > > a > > >> > > > > > > > > > > > detailed > > >> > > > > > > > > > > > > > > >> solution > > >> > > > > > > > > > > > > > > >> > > to > > >> > > > > > > > > > > > > > > >> > > > > make this tool generally usable > > >> with > > >> > all > > >> > > > > sorts > > >> > > > > > > of > > >> > > > > > > > > > > > > combinations > > >> > > > > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > > Authorizers and > PrincipalBuilders > > >> and > > >> > > give > > >> > > > > > more > > >> > > > > > > > > > > > flexibility > > >> > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > end > > >> > > > > > > > > > > > > > > >> > > > > users. > > >> > > > > > > > > > > > > > > >> > > > > Without the changes proposed > for > > >> > > > > kafka-acls.sh > > >> > > > > > > in > > >> > > > > > > > > this > > >> > > > > > > > > > > > KIP, > > >> > > > > > > > > > > > > it > > >> > > > > > > > > > > > > > > >> cannot > > >> > > > > > > > > > > > > > > >> > > be > > >> > > > > > > > > > > > > > > >> > > > > used with a custom > > >> > > > > Authorizer/PrinipalBuilder > > >> > > > > > > but > > >> > > > > > > > > will > > >> > > > > > > > > > > > only > > >> > > > > > > > > > > > > > work > > >> > > > > > > > > > > > > > > >> with > > >> > > > > > > > > > > > > > > >> > > > > SimpleAclAuthorizer. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Although, I would actually like > > it > > >> to > > >> > > work > > >> > > > > for > > >> > > > > > > > > general > > >> > > > > > > > > > > > > > scenario, > > >> > > > > > > > > > > > > > > >> I am > > >> > > > > > > > > > > > > > > >> > > > fine > > >> > > > > > > > > > > > > > > >> > > > > with separating it under a > > separate > > >> > KIP > > >> > > > and > > >> > > > > > > limit > > >> > > > > > > > > the > > >> > > > > > > > > > > > scope > > >> > > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> this > > >> > > > > > > > > > > > > > > >> > > KIP. > > >> > > > > > > > > > > > > > > >> > > > > I will update the KIP > accordingly > > >> and > > >> > > put > > >> > > > > this > > >> > > > > > > > under > > >> > > > > > > > > > > > > rejected > > >> > > > > > > > > > > > > > > >> > > > alternatives > > >> > > > > > > > > > > > > > > >> > > > > and create a new KIP for the > > >> > > Kafka-acls.sh > > >> > > > > > > > changes. > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > @Manikumar > > >> > > > > > > > > > > > > > > >> > > > > Since we are limiting the scope > > of > > >> > this > > >> > > > KIP > > >> > > > > by > > >> > > > > > > not > > >> > > > > > > > > > > making > > >> > > > > > > > > > > > > any > > >> > > > > > > > > > > > > > > >> changes > > >> > > > > > > > > > > > > > > >> > > to > > >> > > > > > > > > > > > > > > >> > > > > kafka-acls.sh, I will cover > your > > >> > concern > > >> > > > in > > >> > > > > a > > >> > > > > > > > > separate > > >> > > > > > > > > > > KIP > > >> > > > > > > > > > > > > > that > > >> > > > > > > > > > > > > > > I > > >> > > > > > > > > > > > > > > >> > will > > >> > > > > > > > > > > > > > > >> > > > put > > >> > > > > > > > > > > > > > > >> > > > > up for kafka-acls.sh. Does that > > >> work? > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > On Wed, Feb 15, 2017 at 9:18 > AM, > > >> > radai < > > >> > > > > > > > > > > > > > > >> radai.rosenbl...@gmail.com> > > >> > > > > > > > > > > > > > > >> > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > @jun: > > >> > > > > > > > > > > > > > > >> > > > > > "Currently kafka-acl.sh just > > >> creates > > >> > > an > > >> > > > > ACL > > >> > > > > > > path > > >> > > > > > > > > in > > >> > > > > > > > > > ZK > > >> > > > > > > > > > > > > with > > >> > > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > name string" - yes, but not > > >> > directly. > > >> > > > all > > >> > > > > it > > >> > > > > > > > > > actually > > >> > > > > > > > > > > > does > > >> > > > > > > > > > > > > > it > > >> > > > > > > > > > > > > > > >> > spin-up > > >> > > > > > > > > > > > > > > >> > > > the > > >> > > > > > > > > > > > > > > >> > > > > > Authorizer and call > > >> > > Authorizer.addAcl() > > >> > > > on > > >> > > > > > it. > > >> > > > > > > > > > > > > > > >> > > > > > the vanilla Authorizer goes > to > > >> ZK. > > >> > > > > > > > > > > > > > > >> > > > > > but generally speaking, users > > can > > >> > plug > > >> > > > in > > >> > > > > > > their > > >> > > > > > > > > own > > >> > > > > > > > > > > > > > > Authorizers > > >> > > > > > > > > > > > > > > >> > (that > > >> > > > > > > > > > > > > > > >> > > > can > > >> > > > > > > > > > > > > > > >> > > > > > store/load ACLs to/from > > >> wherever). > > >> > > > > > > > > > > > > > > >> > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > it would be nice if users who > > >> > > customize > > >> > > > > > > > > Authorizers > > >> > > > > > > > > > > (and > > >> > > > > > > > > > > > > > > >> > > > > PrincipalBuilders) > > >> > > > > > > > > > > > > > > >> > > > > > did not immediately lose the > > >> ability > > >> > > to > > >> > > > > use > > >> > > > > > > > > > > kafka-acl.sh > > >> > > > > > > > > > > > > > with > > >> > > > > > > > > > > > > > > >> their > > >> > > > > > > > > > > > > > > >> > > new > > >> > > > > > > > > > > > > > > >> > > > > > Authorizers. > > >> > > > > > > > > > > > > > > >> > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > On Wed, Feb 15, 2017 at 5:50 > > AM, > > >> > > > > Manikumar < > > >> > > > > > > > > > > > > > > >> > > manikumar.re...@gmail.com> > > >> > > > > > > > > > > > > > > >> > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > Sorry, I am late to this > > >> > discussion. > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder is only > used > > >> for > > >> > > SSL > > >> > > > > > > > Protocol. > > >> > > > > > > > > > > > > > > >> > > > > > > For SASL, we use " > > >> > > > > > > sasl.kerberos.principal.to. > > >> > > > > > > > > > > > > local.rules" > > >> > > > > > > > > > > > > > > >> config > > >> > > > > > > > > > > > > > > >> > > to > > >> > > > > > > > > > > > > > > >> > > > > map > > >> > > > > > > > > > > > > > > >> > > > > > > SASL principal names to > short > > >> > names. > > >> > > > To > > >> > > > > > make > > >> > > > > > > > it > > >> > > > > > > > > > > > > > consistent, > > >> > > > > > > > > > > > > > > >> > > > > > > Do we also need to pass the > > >> SASL > > >> > > full > > >> > > > > > > > principal > > >> > > > > > > > > > name > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > authorizer > > >> > > > > > > > > > > > > > > >> > > ? > > >> > > > > > > > > > > > > > > >> > > > > > > We may need to use > > >> > PrincipalBuilder > > >> > > > for > > >> > > > > > > > mapping > > >> > > > > > > > > > SASL > > >> > > > > > > > > > > > > > names. > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > Related JIRA is here: > > >> > > > > > > > > > > > > > > >> > > > > > > https://issues.apache.org/ > > >> > > > > > > > > jira/browse/KAFKA-2854 > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > On Wed, Feb 15, 2017 at > 7:47 > > >> AM, > > >> > Jun > > >> > > > > Rao < > > >> > > > > > > > > > > > > > j...@confluent.io> > > >> > > > > > > > > > > > > > > >> > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > Hi, Radai, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > Currently kafka-acl.sh > just > > >> > > creates > > >> > > > an > > >> > > > > > ACL > > >> > > > > > > > > path > > >> > > > > > > > > > in > > >> > > > > > > > > > > > ZK > > >> > > > > > > > > > > > > > with > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > > name string. The > authorizer > > >> > module > > >> > > > in > > >> > > > > > the > > >> > > > > > > > > broker > > >> > > > > > > > > > > > reads > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > name > > >> > > > > > > > > > > > > > > >> > > > > > > > string from the acl path > in > > >> ZK > > >> > and > > >> > > > > > creates > > >> > > > > > > > the > > >> > > > > > > > > > > > > expected > > >> > > > > > > > > > > > > > > >> > > > > KafkaPrincipal > > >> > > > > > > > > > > > > > > >> > > > > > > for > > >> > > > > > > > > > > > > > > >> > > > > > > > matching. As you can see, > > the > > >> > > > expected > > >> > > > > > > > > principal > > >> > > > > > > > > > > is > > >> > > > > > > > > > > > > > > created > > >> > > > > > > > > > > > > > > >> on > > >> > > > > > > > > > > > > > > >> > > the > > >> > > > > > > > > > > > > > > >> > > > > > broker > > >> > > > > > > > > > > > > > > >> > > > > > > > side, not by the > > kafka-acl.sh > > >> > > tool. > > >> > > > > The > > >> > > > > > > > broker > > >> > > > > > > > > > > > already > > >> > > > > > > > > > > > > > has > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > > > ability > > >> > > > > > > > > > > > > > > >> > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > configure > PrincipalBuilder. > > >> > That's > > >> > > > > why I > > >> > > > > > > am > > >> > > > > > > > > not > > >> > > > > > > > > > > sure > > >> > > > > > > > > > > > > if > > >> > > > > > > > > > > > > > > >> there > > >> > > > > > > > > > > > > > > >> > is > > >> > > > > > > > > > > > > > > >> > > a > > >> > > > > > > > > > > > > > > >> > > > > need > > >> > > > > > > > > > > > > > > >> > > > > > > for > > >> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl.sh to customize > > >> > > > > > > PrincipalBuilder. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > Jun > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > On Mon, Feb 13, 2017 at > > 7:01 > > >> PM, > > >> > > > > radai < > > >> > > > > > > > > > > > > > > >> > > radai.rosenbl...@gmail.com > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > if i understand > > correctly, > > >> > > > > > kafka-acls.sh > > >> > > > > > > > > spins > > >> > > > > > > > > > > up > > >> > > > > > > > > > > > an > > >> > > > > > > > > > > > > > > >> instance > > >> > > > > > > > > > > > > > > >> > > of > > >> > > > > > > > > > > > > > > >> > > > > (the > > >> > > > > > > > > > > > > > > >> > > > > > > > > custom, in our case) > > >> > Authorizer, > > >> > > > and > > >> > > > > > > calls > > >> > > > > > > > > > > things > > >> > > > > > > > > > > > > like > > >> > > > > > > > > > > > > > > >> > > > > addAcls(acls: > > >> > > > > > > > > > > > > > > >> > > > > > > > > Set[Acl], resource: > > >> Resource) > > >> > on > > >> > > > it, > > >> > > > > > > which > > >> > > > > > > > > are > > >> > > > > > > > > > > > > defined > > >> > > > > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > > > > > interface, > > >> > > > > > > > > > > > > > > >> > > > > > > > > hence expected to be > > >> > > "extensible". > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > (side note: if > Authorizer > > >> and > > >> > > > > > > > > PrincipalBuilder > > >> > > > > > > > > > > are > > >> > > > > > > > > > > > > > > >> defined as > > >> > > > > > > > > > > > > > > >> > > > > > > extensible > > >> > > > > > > > > > > > > > > >> > > > > > > > > interfaces, why doesnt > > >> class > > >> > > Acl, > > >> > > > > > which > > >> > > > > > > is > > >> > > > > > > > > in > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> signature > > >> > > > > > > > > > > > > > > >> > for > > >> > > > > > > > > > > > > > > >> > > > > > > > Authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > > calls, use > > >> > > > java.security.Principal?) > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > we would like to be > able > > to > > >> > use > > >> > > > the > > >> > > > > > > > standard > > >> > > > > > > > > > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > command > > >> > > > > > > > > > > > > > > >> > > > line > > >> > > > > > > > > > > > > > > >> > > > > > for > > >> > > > > > > > > > > > > > > >> > > > > > > > > defining ACLs even when > > >> > > replacing > > >> > > > > the > > >> > > > > > > > > vanilla > > >> > > > > > > > > > > > > > Authorizer > > >> > > > > > > > > > > > > > > >> and > > >> > > > > > > > > > > > > > > >> > > > > > > > > PrincipalBuilder (even > > >> though > > >> > we > > >> > > > > have > > >> > > > > > a > > >> > > > > > > > > > > management > > >> > > > > > > > > > > > > UI > > >> > > > > > > > > > > > > > > for > > >> > > > > > > > > > > > > > > >> > these > > >> > > > > > > > > > > > > > > >> > > > > > > > operations > > >> > > > > > > > > > > > > > > >> > > > > > > > > within linkedin) - > simply > > >> > > because > > >> > > > > > thats > > >> > > > > > > > the > > >> > > > > > > > > > > > correct > > >> > > > > > > > > > > > > > > thing > > >> > > > > > > > > > > > > > > >> to > > >> > > > > > > > > > > > > > > >> > do > > >> > > > > > > > > > > > > > > >> > > > > from > > >> > > > > > > > > > > > > > > >> > > > > > an > > >> > > > > > > > > > > > > > > >> > > > > > > > > extensibility point of > > >> view. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > On Mon, Feb 13, 2017 at > > >> 1:39 > > >> > PM, > > >> > > > Jun > > >> > > > > > > Rao < > > >> > > > > > > > > > > > > > > >> j...@confluent.io> > > >> > > > > > > > > > > > > > > >> > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Hi, Mayuresh, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > I seems to me that > > there > > >> are > > >> > > two > > >> > > > > > > common > > >> > > > > > > > > use > > >> > > > > > > > > > > > cases > > >> > > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > authorizer. > > >> > > > > > > > > > > > > > > >> > > > > > (1) > > >> > > > > > > > > > > > > > > >> > > > > > > > Use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > the default > > >> SimpleAuthorizer > > >> > > and > > >> > > > > the > > >> > > > > > > > > > kafka-acl > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > do > > >> > > > > > > > > > > > > > > >> > > > > authorization. > > >> > > > > > > > > > > > > > > >> > > > > > > (2) > > >> > > > > > > > > > > > > > > >> > > > > > > > > Use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > a customized > authorizer > > >> and > > >> > an > > >> > > > > > > external > > >> > > > > > > > > tool > > >> > > > > > > > > > > for > > >> > > > > > > > > > > > > > > >> > > authorization. > > >> > > > > > > > > > > > > > > >> > > > > Do > > >> > > > > > > > > > > > > > > >> > > > > > > you > > >> > > > > > > > > > > > > > > >> > > > > > > > > > think there is a use > > case > > >> > for > > >> > > a > > >> > > > > > > > customized > > >> > > > > > > > > > > > > > authorizer > > >> > > > > > > > > > > > > > > >> and > > >> > > > > > > > > > > > > > > >> > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > > > at > > >> > > > > > > > > > > > > > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > same time? If not, > it's > > >> > better > > >> > > > not > > >> > > > > > to > > >> > > > > > > > > > > complicate > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > api. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Jun > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > On Mon, Feb 13, 2017 > at > > >> > 10:35 > > >> > > > AM, > > >> > > > > > > > Mayuresh > > >> > > > > > > > > > > > Gharat > > >> > > > > > > > > > > > > < > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> gharatmayures...@gmail.com> > > >> > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks for the > review > > >> and > > >> > > > > > comments. > > >> > > > > > > > > Please > > >> > > > > > > > > > > > find > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > replies > > >> > > > > > > > > > > > > > > >> > > > > > inline > > >> > > > > > > > > > > > > > > >> > > > > > > : > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > This is so that in > > the > > >> > > future, > > >> > > > > we > > >> > > > > > > can > > >> > > > > > > > > > extend > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > types > > >> > > > > > > > > > > > > > > >> > like > > >> > > > > > > > > > > > > > > >> > > > > group. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > ---> Yep, I did > think > > >> the > > >> > > > same. > > >> > > > > > But > > >> > > > > > > > > since > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > SocketServer > > >> > > > > > > > > > > > > > > >> > > > was > > >> > > > > > > > > > > > > > > >> > > > > > > always > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > creating User type, > > it > > >> > > wasn't > > >> > > > > > > actually > > >> > > > > > > > > > used. > > >> > > > > > > > > > > > If > > >> > > > > > > > > > > > > we > > >> > > > > > > > > > > > > > > go > > >> > > > > > > > > > > > > > > >> > ahead > > >> > > > > > > > > > > > > > > >> > > > > with > > >> > > > > > > > > > > > > > > >> > > > > > > > > changes > > >> > > > > > > > > > > > > > > >> > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > this KIP, we will > > give > > >> > this > > >> > > > > power > > >> > > > > > of > > >> > > > > > > > > > > creating > > >> > > > > > > > > > > > > > > >> different > > >> > > > > > > > > > > > > > > >> > > > > Principal > > >> > > > > > > > > > > > > > > >> > > > > > > > types > > >> > > > > > > > > > > > > > > >> > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > the > PrincipalBuilder > > >> > (which > > >> > > > > users > > >> > > > > > > can > > >> > > > > > > > > > define > > >> > > > > > > > > > > > > there > > >> > > > > > > > > > > > > > > >> own). > > >> > > > > > > > > > > > > > > >> > In > > >> > > > > > > > > > > > > > > >> > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > way > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Kafka > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > will not have to > deal > > >> with > > >> > > > > > handling > > >> > > > > > > > > this. > > >> > > > > > > > > > So > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > Principal > > >> > > > > > > > > > > > > > > >> > > > > > building > > >> > > > > > > > > > > > > > > >> > > > > > > > and > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization will > be > > >> > opaque > > >> > > > to > > >> > > > > > > Kafka > > >> > > > > > > > > > which > > >> > > > > > > > > > > > > seems > > >> > > > > > > > > > > > > > > >> like an > > >> > > > > > > > > > > > > > > >> > > > > > expected > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > behavior. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Hmm, normally, the > > >> > > > > configurations > > >> > > > > > > you > > >> > > > > > > > > > > specify > > >> > > > > > > > > > > > > for > > >> > > > > > > > > > > > > > > >> > plug-ins > > >> > > > > > > > > > > > > > > >> > > > > refer > > >> > > > > > > > > > > > > > > >> > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > those > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > needed to construct > > the > > >> > > > plug-in > > >> > > > > > > > object. > > >> > > > > > > > > > So, > > >> > > > > > > > > > > > it's > > >> > > > > > > > > > > > > > > kind > > >> > > > > > > > > > > > > > > >> of > > >> > > > > > > > > > > > > > > >> > > > weird > > >> > > > > > > > > > > > > > > >> > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > to call a method. > For > > >> > > example, > > >> > > > > why > > >> > > > > > > > can't > > >> > > > > > > > > > > > > > > >> > > > > > > > > > principalBuilderService.rest. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > url > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > be passed in > through > > >> the > > >> > > > > > configure() > > >> > > > > > > > > > method > > >> > > > > > > > > > > > and > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > implementation > > >> > > > > > > > > > > > > > > >> > > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > > > > > > > use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > that to build > > >> principal. > > >> > > This > > >> > > > > way, > > >> > > > > > > > there > > >> > > > > > > > > > is > > >> > > > > > > > > > > > > only a > > >> > > > > > > > > > > > > > > >> single > > >> > > > > > > > > > > > > > > >> > > > > method > > >> > > > > > > > > > > > > > > >> > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > compute > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > the principal in a > > >> > > consistent > > >> > > > > way > > >> > > > > > in > > >> > > > > > > > the > > >> > > > > > > > > > > > broker > > >> > > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > the > > >> > > > > > > > > > > > > > > >> > > > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > > > > > > tool. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> We can do > that > > as > > >> > > well. > > >> > > > > But > > >> > > > > > > > since > > >> > > > > > > > > > the > > >> > > > > > > > > > > > rest > > >> > > > > > > > > > > > > > url > > >> > > > > > > > > > > > > > > >> is > > >> > > > > > > > > > > > > > > >> > not > > >> > > > > > > > > > > > > > > >> > > > > > related > > >> > > > > > > > > > > > > > > >> > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Principal, it seems > > >> out of > > >> > > > place > > >> > > > > > to > > >> > > > > > > me > > >> > > > > > > > > to > > >> > > > > > > > > > > pass > > >> > > > > > > > > > > > > it > > >> > > > > > > > > > > > > > > >> every > > >> > > > > > > > > > > > > > > >> > > time > > >> > > > > > > > > > > > > > > >> > > > we > > >> > > > > > > > > > > > > > > >> > > > > > > have > > >> > > > > > > > > > > > > > > >> > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > create a > Principal. I > > >> > should > > >> > > > > > replace > > >> > > > > > > > > > > > > > > >> "principalConfigs" > > >> > > > > > > > > > > > > > > >> > > with > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > "principalProperties". > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > I was trying to > > >> > > differentiate > > >> > > > > the > > >> > > > > > > > > > > > > > configs/properties > > >> > > > > > > > > > > > > > > >> that > > >> > > > > > > > > > > > > > > >> > > are > > >> > > > > > > > > > > > > > > >> > > > > > used > > >> > > > > > > > > > > > > > > >> > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > create the > > >> > PrincipalBuilder > > >> > > > > class > > >> > > > > > > and > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > Principal/Principals > > >> > > > > > > > > > > > > > > >> > > > > > > > itself. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > For LinkedIn's use > > >> case, > > >> > do > > >> > > > you > > >> > > > > > > > actually > > >> > > > > > > > > > use > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > tool? > > >> > > > > > > > > > > > > > > >> > > > > > My > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > understanding is > that > > >> > > LinkedIn > > >> > > > > > does > > >> > > > > > > > > > > > > authorization > > >> > > > > > > > > > > > > > > >> through > > >> > > > > > > > > > > > > > > >> > > an > > >> > > > > > > > > > > > > > > >> > > > > > > external > > >> > > > > > > > > > > > > > > >> > > > > > > > > > tool. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> For > Linkedin's > > >> use > > >> > > case > > >> > > > we > > >> > > > > > > don't > > >> > > > > > > > > > > > actually > > >> > > > > > > > > > > > > > use > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > > > > tool > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > right now. As per > the > > >> > > > discussion > > >> > > > > > > that > > >> > > > > > > > we > > >> > > > > > > > > > had > > >> > > > > > > > > > > > on > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > https://issues.apache.org/ > > >> > > > > > > > > > > > > jira/browse/KAFKA-4454, > > >> > > > > > > > > > > > > > > we > > >> > > > > > > > > > > > > > > >> > > thought > > >> > > > > > > > > > > > > > > >> > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > it > > >> > > > > > > > > > > > > > > >> > > > > > > > > > would > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > be good to make > > >> kafka-acl > > >> > > tool > > >> > > > > > > > changes, > > >> > > > > > > > > to > > >> > > > > > > > > > > > make > > >> > > > > > > > > > > > > it > > >> > > > > > > > > > > > > > > >> > flexible > > >> > > > > > > > > > > > > > > >> > > > and > > >> > > > > > > > > > > > > > > >> > > > > > we > > >> > > > > > > > > > > > > > > >> > > > > > > > > might > > >> > > > > > > > > > > > > > > >> > > > > > > > > > be > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > even able to use it > > in > > >> > > future. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > It seems it's > simpler > > >> if > > >> > > > > kafka-acl > > >> > > > > > > > > doesn't > > >> > > > > > > > > > > to > > >> > > > > > > > > > > > > need > > >> > > > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > understand > > >> > > > > > > > > > > > > > > >> > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > principal builder. > > The > > >> > tool > > >> > > > does > > >> > > > > > > > > > > authorization > > >> > > > > > > > > > > > > > based > > >> > > > > > > > > > > > > > > >> on a > > >> > > > > > > > > > > > > > > >> > > > > string > > >> > > > > > > > > > > > > > > >> > > > > > > > name, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > which is expected > to > > >> match > > >> > > the > > >> > > > > > > > principal > > >> > > > > > > > > > > name. > > >> > > > > > > > > > > > > > So, I > > >> > > > > > > > > > > > > > > >> am > > >> > > > > > > > > > > > > > > >> > > > > wondering > > >> > > > > > > > > > > > > > > >> > > > > > > why > > >> > > > > > > > > > > > > > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool needs to know > > the > > >> > > > principal > > >> > > > > > > > > builder. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> If we don't > > make > > >> > this > > >> > > > > > change, > > >> > > > > > > I > > >> > > > > > > > am > > >> > > > > > > > > > not > > >> > > > > > > > > > > > > sure > > >> > > > > > > > > > > > > > > how > > >> > > > > > > > > > > > > > > >> > > > > clients/end > > >> > > > > > > > > > > > > > > >> > > > > > > > users > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > will be able to use > > >> this > > >> > > tool > > >> > > > if > > >> > > > > > > they > > >> > > > > > > > > have > > >> > > > > > > > > > > > there > > >> > > > > > > > > > > > > > own > > >> > > > > > > > > > > > > > > >> > > > Authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > does > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Authorization based > > on > > >> > > > > Principal, > > >> > > > > > > that > > >> > > > > > > > > has > > >> > > > > > > > > > > > more > > >> > > > > > > > > > > > > > > >> > information > > >> > > > > > > > > > > > > > > >> > > > > apart > > >> > > > > > > > > > > > > > > >> > > > > > > > from > > >> > > > > > > > > > > > > > > >> > > > > > > > > > name > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > and type. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > What if we only > make > > >> the > > >> > > > > following > > >> > > > > > > > > > changes: > > >> > > > > > > > > > > > pass > > >> > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> java > > >> > > > > > > > > > > > > > > >> > > > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > session and in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > SimpleAuthorizer, > > >> > construct > > >> > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > > from > > >> > > > > > > > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > name. > > >> > > > > > > > > > > > > > > >> > > > > > > > > Will > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > that work for > > LinkedIn? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > ----> This can work > > for > > >> > > > Linkedin > > >> > > > > > but > > >> > > > > > > > as > > >> > > > > > > > > > > > > explained > > >> > > > > > > > > > > > > > > >> above, > > >> > > > > > > > > > > > > > > >> > it > > >> > > > > > > > > > > > > > > >> > > > > does > > >> > > > > > > > > > > > > > > >> > > > > > > not > > >> > > > > > > > > > > > > > > >> > > > > > > > > seem > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > like a complete > > design > > >> > from > > >> > > > open > > >> > > > > > > > source > > >> > > > > > > > > > > point > > >> > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > view. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > On Thu, Feb 9, 2017 > > at > > >> > 11:29 > > >> > > > AM, > > >> > > > > > Jun > > >> > > > > > > > > Rao < > > >> > > > > > > > > > > > > > > >> > j...@confluent.io > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hi, Mayuresh, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks for the > > >> reply. A > > >> > > few > > >> > > > > more > > >> > > > > > > > > > comments > > >> > > > > > > > > > > > > below. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > On Wed, Feb 8, > 2017 > > >> at > > >> > > 9:14 > > >> > > > > PM, > > >> > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > Gharat > > >> > > > > > > > > > > > > > < > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > gharatmayures...@gmail.com> > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Hi Jun, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks for the > > >> review. > > >> > > > > Please > > >> > > > > > > find > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > responses > > >> > > > > > > > > > > > > > > >> > > inline. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1. It seems the > > >> > problem > > >> > > > that > > >> > > > > > you > > >> > > > > > > > are > > >> > > > > > > > > > > > trying > > >> > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > address > > >> > > > > > > > > > > > > > > >> > > is > > >> > > > > > > > > > > > > > > >> > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal > > returned > > >> > from > > >> > > > > > > > KafkaChannel > > >> > > > > > > > > > may > > >> > > > > > > > > > > > > have > > >> > > > > > > > > > > > > > > >> > > additional > > >> > > > > > > > > > > > > > > >> > > > > > fields > > >> > > > > > > > > > > > > > > >> > > > > > > > > than > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > name > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > that are needed > > >> during > > >> > > > > > > > > authorization. > > >> > > > > > > > > > > Have > > >> > > > > > > > > > > > > you > > >> > > > > > > > > > > > > > > >> > > > considered a > > >> > > > > > > > > > > > > > > >> > > > > > > > > > customized > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > PrincipleBuilder > > >> that > > >> > > > > extracts > > >> > > > > > > all > > >> > > > > > > > > > > needed > > >> > > > > > > > > > > > > > fields > > >> > > > > > > > > > > > > > > >> from > > >> > > > > > > > > > > > > > > >> > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > and > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > squeezes them > as > > a > > >> > json > > >> > > in > > >> > > > > the > > >> > > > > > > > name > > >> > > > > > > > > of > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> returned > > >> > > > > > > > > > > > > > > >> > > > > > principal? > > >> > > > > > > > > > > > > > > >> > > > > > > > > Then, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > authorizer can > > just > > >> > > parse > > >> > > > > the > > >> > > > > > > json > > >> > > > > > > > > and > > >> > > > > > > > > > > > > extract > > >> > > > > > > > > > > > > > > >> needed > > >> > > > > > > > > > > > > > > >> > > > > fields. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes we had > > >> > thought > > >> > > > > about > > >> > > > > > > > this. > > >> > > > > > > > > We > > >> > > > > > > > > > > > use a > > >> > > > > > > > > > > > > > > third > > >> > > > > > > > > > > > > > > >> > > party > > >> > > > > > > > > > > > > > > >> > > > > > > library > > >> > > > > > > > > > > > > > > >> > > > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > takes > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > in the passed > in > > >> cert > > >> > > and > > >> > > > > > > creates > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > Principal. > > >> > > > > > > > > > > > > > > >> This > > >> > > > > > > > > > > > > > > >> > > > > > Principal > > >> > > > > > > > > > > > > > > >> > > > > > > > is > > >> > > > > > > > > > > > > > > >> > > > > > > > > > then > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > used by the > > >> library to > > >> > > > make > > >> > > > > > the > > >> > > > > > > > > > decision > > >> > > > > > > > > > > > > > > >> (ALLOW/DENY) > > >> > > > > > > > > > > > > > > >> > > > when > > >> > > > > > > > > > > > > > > >> > > > > we > > >> > > > > > > > > > > > > > > >> > > > > > > > call > > >> > > > > > > > > > > > > > > >> > > > > > > > > it > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the Authorizer. > > It > > >> > does > > >> > > > not > > >> > > > > > have > > >> > > > > > > > an > > >> > > > > > > > > > API > > >> > > > > > > > > > > to > > >> > > > > > > > > > > > > > > create > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > > > > Principal > > >> > > > > > > > > > > > > > > >> > > > > > > > > from > > >> > > > > > > > > > > > > > > >> > > > > > > > > > a > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > String. If it > did > > >> > > support, > > >> > > > > > still > > >> > > > > > > > we > > >> > > > > > > > > > > would > > >> > > > > > > > > > > > > have > > >> > > > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> be > > >> > > > > > > > > > > > > > > >> > > > aware > > >> > > > > > > > > > > > > > > >> > > > > of > > >> > > > > > > > > > > > > > > >> > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > internal > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > details of the > > >> > library, > > >> > > > like > > >> > > > > > the > > >> > > > > > > > > field > > >> > > > > > > > > > > > > values > > >> > > > > > > > > > > > > > it > > >> > > > > > > > > > > > > > > >> > > creates > > >> > > > > > > > > > > > > > > >> > > > > from > > >> > > > > > > > > > > > > > > >> > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > certs, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > defaults and so > > on. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2. Could you > > >> explain > > >> > how > > >> > > > the > > >> > > > > > > > default > > >> > > > > > > > > > > > > > authorizer > > >> > > > > > > > > > > > > > > >> works > > >> > > > > > > > > > > > > > > >> > > > now? > > >> > > > > > > > > > > > > > > >> > > > > > > > > Currently, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > code just > > compares > > >> the > > >> > > two > > >> > > > > > > > principal > > >> > > > > > > > > > > > > objects. > > >> > > > > > > > > > > > > > > Are > > >> > > > > > > > > > > > > > > >> we > > >> > > > > > > > > > > > > > > >> > > > > > converting > > >> > > > > > > > > > > > > > > >> > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > principal to a > > >> > > > > KafkaPrincipal > > >> > > > > > > > there? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> The > > >> > > > SimpleAclAuthorizer > > >> > > > > > > > > currently > > >> > > > > > > > > > > > > expects > > >> > > > > > > > > > > > > > > >> that, > > >> > > > > > > > > > > > > > > >> > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > Principal > > >> > > > > > > > > > > > > > > >> > > > > > > > > it > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > fetches from > the > > >> > Session > > >> > > > > > object > > >> > > > > > > is > > >> > > > > > > > > an > > >> > > > > > > > > > > > > instance > > >> > > > > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > > > > KafkaPrincipal. > > >> > > > > > > > > > > > > > > >> > > > > > > > > It > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > then > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > uses it compare > > >> with > > >> > the > > >> > > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > > > > > extracted > > >> > > > > > > > > > > > > > > >> > from > > >> > > > > > > > > > > > > > > >> > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > stored > > >> > > > > > > > > > > > > > > >> > > > > > > > > > ACLs. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > In > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > this case, we > can > > >> > > > construct > > >> > > > > > the > > >> > > > > > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > > > > > >> object > > >> > > > > > > > > > > > > > > >> > > on > > >> > > > > > > > > > > > > > > >> > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > fly > > >> > > > > > > > > > > > > > > >> > > > > > > > by > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > using > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the name of the > > >> > > Principal > > >> > > > as > > >> > > > > > > > > follows : > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val principal > = > > >> > > > > > > > session.principal* > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > *val > > >> kafkaPrincipal = > > >> > > new > > >> > > > > > > > > > > > > > > >> > > KafkaPrincipal(KafkaPrincipal. > > >> > > > > > > > > > > > > > > >> > > > > > > > USER_TYPE, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > principal.getName)* > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > I was also > > >> planning to > > >> > > get > > >> > > > > rid > > >> > > > > > > of > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> principalType > > >> > > > > > > > > > > > > > > >> > > field > > >> > > > > > > > > > > > > > > >> > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KafkaPrincipal > as > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it is always > set > > to > > >> > > > > *"*User*"* > > >> > > > > > > in > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > SocketServer > > >> > > > > > > > > > > > > > > >> > > > > currently. > > >> > > > > > > > > > > > > > > >> > > > > > > > After > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > this > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > KIP, it will no > > >> longer > > >> > > be > > >> > > > > used > > >> > > > > > > in > > >> > > > > > > > > > > > > > SocketServer. > > >> > > > > > > > > > > > > > > >> But > > >> > > > > > > > > > > > > > > >> > to > > >> > > > > > > > > > > > > > > >> > > > > > maintain > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > backwards > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > compatibility > of > > >> > > > > > kafka-acls.sh, > > >> > > > > > > I > > >> > > > > > > > > > > > preserved > > >> > > > > > > > > > > > > > it. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > This is so that > in > > >> the > > >> > > > future, > > >> > > > > > we > > >> > > > > > > > can > > >> > > > > > > > > > > extend > > >> > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> types > > >> > > > > > > > > > > > > > > >> > > like > > >> > > > > > > > > > > > > > > >> > > > > > group. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. Do we need > to > > >> add > > >> > the > > >> > > > > > > following > > >> > > > > > > > > > > method > > >> > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > PrincipalBuilder? > > >> > > > > > > > > > > > > > > >> > > > > > > > The > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > configs > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > are already > > passed > > >> in > > >> > > > > through > > >> > > > > > > > > > > configure() > > >> > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > an > > >> > > > > > > > > > > > > > > >> > > > > > implementation > > >> > > > > > > > > > > > > > > >> > > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > cache > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > it and use it > in > > >> > > > > > > buildPrincipal(). > > >> > > > > > > > > > It's > > >> > > > > > > > > > > > also > > >> > > > > > > > > > > > > > not > > >> > > > > > > > > > > > > > > >> > clear > > >> > > > > > > > > > > > > > > >> > > to > > >> > > > > > > > > > > > > > > >> > > > > me > > >> > > > > > > > > > > > > > > >> > > > > > > > where > > >> > > > > > > > > > > > > > > >> > > > > > > > > we > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > call > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > the new and the > > old > > >> > > > method, > > >> > > > > > and > > >> > > > > > > > > > whether > > >> > > > > > > > > > > > both > > >> > > > > > > > > > > > > > > will > > >> > > > > > > > > > > > > > > >> be > > >> > > > > > > > > > > > > > > >> > > > called > > >> > > > > > > > > > > > > > > >> > > > > > or > > >> > > > > > > > > > > > > > > >> > > > > > > > one > > >> > > > > > > > > > > > > > > >> > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > them > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > will be called. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal > > >> > > > > > > > buildPrincipal(Map<String, > > >> > > > > > > > > > ?> > > >> > > > > > > > > > > > > > > >> > > > principalConfigs); > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> My thought > > was > > >> > that > > >> > > > the > > >> > > > > > > > > > configure() > > >> > > > > > > > > > > > > > method > > >> > > > > > > > > > > > > > > >> will > > >> > > > > > > > > > > > > > > >> > be > > >> > > > > > > > > > > > > > > >> > > > > used > > >> > > > > > > > > > > > > > > >> > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > build > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > PrincipalBuilder > > >> class > > >> > > > > object > > >> > > > > > > > > itself. > > >> > > > > > > > > > It > > >> > > > > > > > > > > > > > follows > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > same > > >> > > > > > > > > > > > > > > >> > > > > way > > >> > > > > > > > > > > > > > > >> > > > > > > as > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > gets > configured. > > >> The > > >> > > > > > > > > > > > > > buildPrincipal(Map<String, > > >> > > > > > > > > > > > > > > ?> > > >> > > > > > > > > > > > > > > >> > > > > > > > > principalConfigs) > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > will > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > be used to > build > > >> > > > individual > > >> > > > > > > > > > principals. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Let me give an > > >> > example, > > >> > > > with > > >> > > > > > the > > >> > > > > > > > > > > > > > kafka-acls.sh : > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > - > > >> bin/kafka-acls.sh > > >> > > > > > > > > > > --principalBuilder > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > userDefinedPackage.kafka. > > >> > > > > > > > > > > > > > > >> > security.PrincipalBuilder > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > --principalBuilder-properties > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > principalBuilderService.rest.u > > >> > > > > > > > > > rl=URL > > >> > > > > > > > > > > > > > > >> > --authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > kafka.security.auth. > > >> > > > > > > > > > > > SimpleAclAuthorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > --authorizer-properties > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > zookeeper.connect=localhost: > > >> > > > > > > > 2181 > > >> > > > > > > > > > > --add > > >> > > > > > > > > > > > > > > >> > > > > --allow-principal > > >> > > > > > > > > > > > > > > >> > > > > > > > > name=bob > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> type=USER_PRINCIPAL > > >> > > > > > > > > > --allow-principal > > >> > > > > > > > > > > > > > > >> > > > > > > name=ALPHA-GAMMA-SERVICE > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > type=SERVICE_PRINCIPAL > > >> > > > > > > > > > --allow-hosts > > >> > > > > > > > > > > > > > > >> Host1,Host2 > > >> > > > > > > > > > > > > > > >> > > > > > > --operations > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Read,Write > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > --topic > > >> Test-topic > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 1. > > >> > > > > > > > *userDefinedPackage.kafka. > > >> > > > > > > > > > > > > > > >> > > > > > security.PrincipalBuilder* > > >> > > > > > > > > > > > > > > >> > > > > > > is > > >> > > > > > > > > > > > > > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > user > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > defined > > >> > > > > PrincipalBuilder > > >> > > > > > > > > class. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 2. > > >> > > > > > > > > > *principalBuilderService.rest. > > >> > > > > > > > > > > > > > url=URL* > > >> > > > > > > > > > > > > > > >> can > > >> > > > > > > > > > > > > > > >> > > be a > > >> > > > > > > > > > > > > > > >> > > > > > > remote > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > service > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > that > > provides > > >> > you > > >> > > an > > >> > > > > > HTTP > > >> > > > > > > > > > endpoint > > >> > > > > > > > > > > > > which > > >> > > > > > > > > > > > > > > >> takes > > >> > > > > > > > > > > > > > > >> > > in a > > >> > > > > > > > > > > > > > > >> > > > > set > > >> > > > > > > > > > > > > > > >> > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > parameters and > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > provides > > you > > >> > with > > >> > > > the > > >> > > > > > > > > Principal. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 3. > > *name=bob > > >> > > > > > > > > > type=USER_PRINCIPAL* > > >> > > > > > > > > > > > can > > >> > > > > > > > > > > > > be > > >> > > > > > > > > > > > > > > >> used > > >> > > > > > > > > > > > > > > >> > by > > >> > > > > > > > > > > > > > > >> > > > > > > > > > PrincipalBuilder > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > create > > >> > > UserPrincipal > > >> > > > > > with > > >> > > > > > > > name > > >> > > > > > > > > > as > > >> > > > > > > > > > > > bob > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4. > > >> > > > > > > *name=ALPHA-GAMMA-SERVICE > > >> > > > > > > > > > > > > > > >> > > type=SERVICE_PRINCIPAL > > >> > > > > > > > > > > > > > > >> > > > > > *can > > >> > > > > > > > > > > > > > > >> > > > > > > be > > >> > > > > > > > > > > > > > > >> > > > > > > > > > used > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > by > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> PrincipalBuilder > > >> > > to > > >> > > > > > > create a > > >> > > > > > > > > > > > > > > >> ServicePrincipal > > >> > > > > > > > > > > > > > > >> > > with > > >> > > > > > > > > > > > > > > >> > > > > name > > >> > > > > > > > > > > > > > > >> > > > > > > as > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > ALPHA-GAMMA-SERVICE. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > - This seems > > >> more > > >> > > > > flexible > > >> > > > > > > and > > >> > > > > > > > > > > > intuitive > > >> > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > me > > >> > > > > > > > > > > > > > > >> > from > > >> > > > > > > > > > > > > > > >> > > > end > > >> > > > > > > > > > > > > > > >> > > > > > > user's > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > perspective. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Hmm, normally, > the > > >> > > > > > configurations > > >> > > > > > > > you > > >> > > > > > > > > > > > specify > > >> > > > > > > > > > > > > > for > > >> > > > > > > > > > > > > > > >> > > plug-ins > > >> > > > > > > > > > > > > > > >> > > > > > refer > > >> > > > > > > > > > > > > > > >> > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > those > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > needed to > construct > > >> the > > >> > > > > plug-in > > >> > > > > > > > > object. > > >> > > > > > > > > > > So, > > >> > > > > > > > > > > > > it's > > >> > > > > > > > > > > > > > > >> kind > > >> > > > > > > > > > > > > > > >> > of > > >> > > > > > > > > > > > > > > >> > > > > weird > > >> > > > > > > > > > > > > > > >> > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > to call a method. > > For > > >> > > > example, > > >> > > > > > why > > >> > > > > > > > > can't > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> principalBuilderService.rest. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > url > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > be passed in > > through > > >> the > > >> > > > > > > configure() > > >> > > > > > > > > > > method > > >> > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > implementation > > >> > > > > > > > > > > > > > > >> > > > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > use > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > that to build > > >> principal. > > >> > > > This > > >> > > > > > way, > > >> > > > > > > > > there > > >> > > > > > > > > > > is > > >> > > > > > > > > > > > > > only a > > >> > > > > > > > > > > > > > > >> > single > > >> > > > > > > > > > > > > > > >> > > > > > method > > >> > > > > > > > > > > > > > > >> > > > > > > to > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > compute > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the principal in > a > > >> > > > consistent > > >> > > > > > way > > >> > > > > > > in > > >> > > > > > > > > the > > >> > > > > > > > > > > > > broker > > >> > > > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > >> in > > >> > > > > > > > > > > > > > > >> > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > For LinkedIn's > use > > >> case, > > >> > > do > > >> > > > > you > > >> > > > > > > > > actually > > >> > > > > > > > > > > use > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > kafka-acl > > >> > > > > > > > > > > > > > > >> > > > > > tool? > > >> > > > > > > > > > > > > > > >> > > > > > > My > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > understanding is > > that > > >> > > > LinkedIn > > >> > > > > > > does > > >> > > > > > > > > > > > > > authorization > > >> > > > > > > > > > > > > > > >> > through > > >> > > > > > > > > > > > > > > >> > > > an > > >> > > > > > > > > > > > > > > >> > > > > > > > external > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > tool. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > It seems it's > > >> simpler if > > >> > > > > > kafka-acl > > >> > > > > > > > > > doesn't > > >> > > > > > > > > > > > to > > >> > > > > > > > > > > > > > need > > >> > > > > > > > > > > > > > > >> to > > >> > > > > > > > > > > > > > > >> > > > > > understand > > >> > > > > > > > > > > > > > > >> > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > principal > builder. > > >> The > > >> > > tool > > >> > > > > does > > >> > > > > > > > > > > > authorization > > >> > > > > > > > > > > > > > > based > > >> > > > > > > > > > > > > > > >> > on a > > >> > > > > > > > > > > > > > > >> > > > > > string > > >> > > > > > > > > > > > > > > >> > > > > > > > > name, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > which is expected > > to > > >> > match > > >> > > > the > > >> > > > > > > > > principal > > >> > > > > > > > > > > > name. > > >> > > > > > > > > > > > > > So, > > >> > > > > > > > > > > > > > > >> I am > > >> > > > > > > > > > > > > > > >> > > > > > wondering > > >> > > > > > > > > > > > > > > >> > > > > > > > why > > >> > > > > > > > > > > > > > > >> > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > tool needs to > know > > >> the > > >> > > > > principal > > >> > > > > > > > > > builder. > > >> > > > > > > > > > > > What > > >> > > > > > > > > > > > > > if > > >> > > > > > > > > > > > > > > we > > >> > > > > > > > > > > > > > > >> > only > > >> > > > > > > > > > > > > > > >> > > > > make > > >> > > > > > > > > > > > > > > >> > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > following > changes: > > >> pass > > >> > > the > > >> > > > > java > > >> > > > > > > > > > principal > > >> > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> session > > >> > > > > > > > > > > > > > > >> > and > > >> > > > > > > > > > > > > > > >> > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > SimpleAuthorizer, > > >> > > construct > > >> > > > > > > > > > KafkaPrincipal > > >> > > > > > > > > > > > > from > > >> > > > > > > > > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > > name. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Will > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > that work for > > >> LinkedIn? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Principal > > >> > > > > > > > buildPrincipal(Map<String, > > >> > > > > > > > > > ?> > > >> > > > > > > > > > > > > > > >> > > principalConfigs) > > >> > > > > > > > > > > > > > > >> > > > > > will > > >> > > > > > > > > > > > > > > >> > > > > > > be > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > called > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > from the > > >> commandline > > >> > > > client > > >> > > > > > > > > > > kafka-acls.sh > > >> > > > > > > > > > > > > > while > > >> > > > > > > > > > > > > > > >> the > > >> > > > > > > > > > > > > > > >> > > other > > >> > > > > > > > > > > > > > > >> > > > > API > > >> > > > > > > > > > > > > > > >> > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > > > > > > be > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > called > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > at runtime when > > >> Kafka > > >> > > > > > receives a > > >> > > > > > > > > > client > > >> > > > > > > > > > > > > > request > > >> > > > > > > > > > > > > > > >> over > > >> > > > > > > > > > > > > > > >> > > > > request > > >> > > > > > > > > > > > > > > >> > > > > > > > > channel. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > 4. The KIP has > > "If > > >> > users > > >> > > > use > > >> > > > > > > there > > >> > > > > > > > > > > custom > > >> > > > > > > > > > > > > > > >> > > > PrincipalBuilder, > > >> > > > > > > > > > > > > > > >> > > > > > > they > > >> > > > > > > > > > > > > > > >> > > > > > > > > will > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > have > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > to implement > > there > > >> > > custom > > >> > > > > > > > Authorizer > > >> > > > > > > > > > as > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > out > > >> > > > > > > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > box > > >> > > > > > > > > > > > > > > >> > > > > > > Authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Kafka provides > > uses > > >> > > > > > > > KafkaPrincipal." > > >> > > > > > > > > > > This > > >> > > > > > > > > > > > is > > >> > > > > > > > > > > > > > not > > >> > > > > > > > > > > > > > > >> > ideal > > >> > > > > > > > > > > > > > > >> > > > for > > >> > > > > > > > > > > > > > > >> > > > > > > > existing > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > users. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Could we avoid > > >> that? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > ---> Yes, this > is > > >> > > possible > > >> > > > > to > > >> > > > > > > > avoid > > >> > > > > > > > > if > > >> > > > > > > > > > > we > > >> > > > > > > > > > > > do > > >> > > > > > > > > > > > > > > >> point 2. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > On Wed, Feb 8, > > >> 2017 at > > >> > > > 3:31 > > >> > > > > > PM, > > >> > > > > > > > Jun > > >> > > > > > > > > > Rao > > >> > > > > > > > > > > < > > >> > > > > > > > > > > > > > > >> > > > j...@confluent.io> > > >> > > > > > > > > > > > > > > >> > > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Hi, Mayuresh, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks for > the > > >> KIP. > > >> > A > > >> > > > few > > >> > > > > > > > comments > > >> > > > > > > > > > > > below. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 1. It seems > the > > >> > > problem > > >> > > > > that > > >> > > > > > > you > > >> > > > > > > > > are > > >> > > > > > > > > > > > > trying > > >> > > > > > > > > > > > > > to > > >> > > > > > > > > > > > > > > >> > > address > > >> > > > > > > > > > > > > > > >> > > > is > > >> > > > > > > > > > > > > > > >> > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal > > >> returned > > >> > > from > > >> > > > > > > > > KafkaChannel > > >> > > > > > > > > > > may > > >> > > > > > > > > > > > > > have > > >> > > > > > > > > > > > > > > >> > > > additional > > >> > > > > > > > > > > > > > > >> > > > > > > fields > > >> > > > > > > > > > > > > > > >> > > > > > > > > > than > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > name > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > that are > needed > > >> > during > > >> > > > > > > > > > authorization. > > >> > > > > > > > > > > > Have > > >> > > > > > > > > > > > > > you > > >> > > > > > > > > > > > > > > >> > > > > considered a > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > customized > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > PrincipleBuilder > > >> > that > > >> > > > > > extracts > > >> > > > > > > > all > > >> > > > > > > > > > > > needed > > >> > > > > > > > > > > > > > > fields > > >> > > > > > > > > > > > > > > >> > from > > >> > > > > > > > > > > > > > > >> > > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > > principal > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > squeezes them > > as > > >> a > > >> > > json > > >> > > > in > > >> > > > > > the > > >> > > > > > > > > name > > >> > > > > > > > > > of > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> returned > > >> > > > > > > > > > > > > > > >> > > > > > > principal? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Then, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > authorizer > can > > >> just > > >> > > > parse > > >> > > > > > the > > >> > > > > > > > json > > >> > > > > > > > > > and > > >> > > > > > > > > > > > > > extract > > >> > > > > > > > > > > > > > > >> > needed > > >> > > > > > > > > > > > > > > >> > > > > > fields. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 2. Could you > > >> explain > > >> > > how > > >> > > > > the > > >> > > > > > > > > default > > >> > > > > > > > > > > > > > > authorizer > > >> > > > > > > > > > > > > > > >> > works > > >> > > > > > > > > > > > > > > >> > > > > now? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > Currently, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > code just > > >> compares > > >> > the > > >> > > > two > > >> > > > > > > > > principal > > >> > > > > > > > > > > > > > objects. > > >> > > > > > > > > > > > > > > >> Are > > >> > > > > > > > > > > > > > > >> > we > > >> > > > > > > > > > > > > > > >> > > > > > > converting > > >> > > > > > > > > > > > > > > >> > > > > > > > > the > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > java > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > principal to > a > > >> > > > > > KafkaPrincipal > > >> > > > > > > > > there? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 3. Do we need > > to > > >> add > > >> > > the > > >> > > > > > > > following > > >> > > > > > > > > > > > method > > >> > > > > > > > > > > > > in > > >> > > > > > > > > > > > > > > >> > > > > > > PrincipalBuilder? > > >> > > > > > > > > > > > > > > >> > > > > > > > > The > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > configs > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > are already > > >> passed > > >> > in > > >> > > > > > through > > >> > > > > > > > > > > > configure() > > >> > > > > > > > > > > > > > and > > >> > > > > > > > > > > > > > > an > > >> > > > > > > > > > > > > > > >> > > > > > > implementation > > >> > > > > > > > > > > > > > > >> > > > > > > > > can > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > cache > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > it and use it > > in > > >> > > > > > > > buildPrincipal(). > > >> > > > > > > > > > > It's > > >> > > > > > > > > > > > > also > > >> > > > > > > > > > > > > > > not > > >> > > > > > > > > > > > > > > >> > > clear > > >> > > > > > > > > > > > > > > >> > > > to > > >> > > > > > > > > > > > > > > >> > > > > > me > > >> > > > > > > > > > > > > > > >> > > > > > > > > where > > >> > > > > > > > > > > > > > > >> > > > > > > > > > we > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > call > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > the new and > the > > >> old > > >> > > > > method, > > >> > > > > > > and > > >> > > > > > > > > > > whether > > >> > > > > > > > > > > > > both > > >> > > > > > > > > > > > > > > >> will > > >> > > > > > > > > > > > > > > >> > be > > >> > > > > > > > > > > > > > > >> > > > > called > > >> > > > > > > > > > > > > > > >> > > > > > > or > > >> > > > > > > > > > > > > > > >> > > > > > > > > one > > >> > > > > > > > > > > > > > > >> > > > > > > > > > of > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > them > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > will be > called. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Principal > > >> > > > > > > > > buildPrincipal(Map<String, > > >> > > > > > > > > > > ?> > > >> > > > > > > > > > > > > > > >> > > > > principalConfigs); > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > 4. The KIP > has > > >> "If > > >> > > users > > >> > > > > use > > >> > > > > > > > there > > >> > > > > > > > > > > > custom > > >> > > > > > > > > > > > > > > >> > > > > PrincipalBuilder, > > >> > > > > > > > > > > > > > > >> > > > > > > > they > > >> > > > > > > > > > > > > > > >> > > > > > > > > > will > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > have > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > to implement > > >> there > > >> > > > custom > > >> > > > > > > > > Authorizer > > >> > > > > > > > > > > as > > >> > > > > > > > > > > > > the > > >> > > > > > > > > > > > > > > out > > >> > > > > > > > > > > > > > > >> of > > >> > > > > > > > > > > > > > > >> > > box > > >> > > > > > > > > > > > > > > >> > > > > > > > Authorizer > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > that > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Kafka > provides > > >> uses > > >> > > > > > > > > KafkaPrincipal." > > >> > > > > > > > > > > > This > > >> > > > > > > > > > > > > is > > >> > > > > > > > > > > > > > > not > > >> > > > > > > > > > > > > > > >> > > ideal > > >> > > > > > > > > > > > > > > >> > > > > for > > >> > > > > > > > > > > > > > > >> > > > > > > > > existing > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > users. > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Could we > avoid > > >> that? > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > Jun > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > On Fri, Feb > 3, > > >> 2017 > > >> > at > > >> > > > > 11:25 > > >> > > > > > > AM, > > >> > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> Gharat < > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > gharatmayures...@gmail.com > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > wrote: > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Hi All, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > It seems > that > > >> > there > > >> > > is > > >> > > > > no > > >> > > > > > > > > further > > >> > > > > > > > > > > > > concern > > >> > > > > > > > > > > > > > > with > > >> > > > > > > > > > > > > > > >> > the > > >> > > > > > > > > > > > > > > >> > > > > > KIP-111. > > >> > > > > > > > > > > > > > > >> > > > > > > > At > > >> > > > > > > > > > > > > > > >> > > > > > > > > > this > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > point > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > we would > like > > >> to > > >> > > start > > >> > > > > the > > >> > > > > > > > > voting > > >> > > > > > > > > > > > > process. > > >> > > > > > > > > > > > > > > The > > >> > > > > > > > > > > > > > > >> > KIP > > >> > > > > > > > > > > > > > > >> > > > can > > >> > > > > > > > > > > > > > > >> > > > > be > > >> > > > > > > > > > > > > > > >> > > > > > > > found > > >> > > > > > > > > > > > > > > >> > > > > > > > > > at > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > https://cwiki.apache.org/ > > >> > > > > > > > > > > > > > > >> > confluence/pages/viewpage > > >> > > > > > > > > > > > > > > >> > > . > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > action?pageId=67638388 > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > Mayuresh > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -- > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -Regards, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > Mayuresh R. > > Gharat > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Thanks, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > Jun > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > -- > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > -Regards, > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > -- > > >> > > > > > > > > > > > > > > >> > > > > -Regards, > > >> > > > > > > > > > > > > > > >> > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > > > > > >> > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > >> > > > > > > >> > > > > > > > > > > > > > > >> > > > > > >> > > > > > > > > > > > > > > >> > > > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > -- > > >> > > > > > > > > > > > > > > >> > -Regards, > > >> > > > > > > > > > > > > > > >> > Mayuresh R. Gharat > > >> > > > > > > > > > > > > > > >> > (862) 250-7125 > > >> > > > > > > > > > > > > > > >> > > > >> > > > > > > > > > > > > > > >> > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > -- > > >> > > > > > > > > > > > > > > > -Regards, > > >> > > > > > > > > > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > -- > > >> > > > > > > > > > > > > > > -Regards, > > >> > > > > > > > > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > -- > > >> > > > > > > > > > > > > -Regards, > > >> > > > > > > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > > > >> > > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > > > >> > > > > > > > > > > -- > > >> > > > > > > > > > > -Regards, > > >> > > > > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > > > > (862) 250-7125 > > >> > > > > > > > > > > > > >> > > > > > > > > > > > >> > > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > > > >> > > > > > > > -- > > >> > > > > > > > -Regards, > > >> > > > > > > > Mayuresh R. Gharat > > >> > > > > > > > (862) 250-7125 > > >> > > > > > > > > > >> > > > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > > > > >> > > > > > -- > > >> > > > > > -Regards, > > >> > > > > > Mayuresh R. Gharat > > >> > > > > > (862) 250-7125 > > >> > > > > > > > >> > > > > > > >> > > > > > >> > > > > >> > > > > >> > > > > >> > > -- > > >> > > -Regards, > > >> > > Mayuresh R. Gharat > > >> > > (862) 250-7125 > > >> > > > > >> > > > >> > > > > > > > > > > > > -- > > > -Regards, > > > Mayuresh R. Gharat > > > (862) 250-7125 > > > > > > > > > > > -- > > -Regards, > > Mayuresh R. Gharat > > (862) 250-7125 > > > -- -Regards, Mayuresh R. Gharat (862) 250-7125