Re: [VOTE] KIP-519: Make SSL context/engine configuration extensible

2020-03-26 Thread Zhou, Thomas
+1 (non-binding)

Regards,
Thomas

On 3/26/20, 12:36 PM, "Rajini Sivaram"  wrote:

+1 (binding)
Thanks for the KIP, Maulin!

Regards,

Rajini

On Thu, Mar 26, 2020 at 4:14 PM Maulin Vasavada 
wrote:

> FYI - we have updated the KIP documentation also with appropriate code
> samples for interfaces and few important changes.
>
> Thanks
> Maulin
>
> On Wed, Mar 25, 2020 at 10:21 AM Maulin Vasavada <
> maulin.vasav...@gmail.com>
> wrote:
>
> > bump
> >
> > On Wed, Mar 25, 2020 at 10:20 AM Maulin Vasavada <
> > maulin.vasav...@gmail.com> wrote:
> >
> >> Hi all
> >>
> >> After much await on the approach conclusion we have a PR
> >> https://github.com/apache/kafka/pull/8338.
> >>
> >> Can you please provide your vote so that we can move this forward?
> >>
> >> Thanks
> >> Maulin
> >>
> >> On Sun, Jan 26, 2020 at 11:03 PM Maulin Vasavada <
> >> maulin.vasav...@gmail.com> wrote:
> >>
> >>> Hi all
> >>>
> >>> After a good discussion on the KIP at
> >>> https://www.mail-archive.com/dev@kafka.apache.org/msg101011.html I
> >>> think we are ready to start voting.
> >>>
> >>> KIP:
> >>>
> >>> https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=128650952
> >>>
> >>> The KIP proposes - Making SSLEngine creation pluggable to support
> >>> customization of various security related aspects.
> >>>
> >>> Thanks
> >>> Maulin
> >>>
> >>
>




Re: [DISCUSS] KIP-515: Enable ZK client to use the new TLS supported authentication

2020-01-10 Thread Zhou, Thomas
Hi Pere,

It is a very meaningful KIP to make kafka broker -> ZK connection secured.
In the meanwhile, there is another KIP under discussion talking about making 
SSLContext pluggable on broker side - 
https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=128650952. 
Instead of putting credentials on file, this can load credentials in a custom 
way into cache.
I think for Zookeeper this feature can also be valid. 
Could you please kindly take a look at that KIP and take the idea into 
consideration?

Thanks,
Thomas

On 9/2/19, 5:23 AM, "Pere Urbón Bayes"  wrote:

Thanks for your time Harsha,
   anyone else with comments? looking forward to hearing from you.

Stupid question: when do you move from discussion to vote?

Message from Harsha Chintalapani on Fri, Aug 30, 2019 at 21:59:

> Thanks Pere. KIP looks good to me.
> -Harsha
>
>
> On Fri, Aug 30, 2019 at 10:05 AM, Pere Urbón Bayes 
> wrote:
>
>> Not really,
>>   my idea is to keep the JAAS parameter, so people don't see major
>> changes. But if you pass a properties file, then this takes precedence over
>> the other, with the idea that you can do sasl as well with the properties
>> files.
>>
>> Makes sense?
>>
>> -- Pere
>>
>> Message from Harsha Chintalapani on Fri, Aug 30, 2019 at 19:00:
>>
>>> Hi Pere,
>>>   Thanks for the KIP. Enabling SSL for zookeeper for Kafka makes
>>> sense.
>>> "The changes are planned to be introduced in a compatible way, by
>>> keeping the current JAAS variable precedence."
>>> Can you elaborate a bit here. If the user configures a JAAS file with
>>> Client section it will take precedence over zookeeper SSL configs?
>>>
>>> Thanks,
>>> Harsha
>>>
>>>
>>>
>>> On Fri, Aug 30, 2019 at 7:50 AM, Pere Urbón Bayes 
>>> wrote:
>>>
 Hi,
 quick question, I saw in another mail that 2.4 release is planned for
 September. I think it would be really awesome to have this for this
 release, do you think we can make it?

 -- Pere

 Message from Pere Urbón Bayes on Thu, Aug 29, 2019 at 20:10:

 Hi,
 this is my first KIP for a change in Apache Kafka, so I'm really new
 to the process. Looking forward to hearing from you and learn the best
 ropes here.

 I would like to propose this KIP-515 to enable the ZookeeperClients to
 take full advantage of the TLS communication in the new Zookeeper 3.5.5.
 Especially interesting is the Zookeeper Security Migration, that without
 this change will not work with TLS, disabling users to use ACLs when the
 Zookeeper cluster uses TLS.

 link:

 
 https://cwiki.apache.org/confluence/display/KAFKA/KIP-515%3A+Enable+ZK+client+to+use+the+new+TLS+supported+authentication

 Looking forward to hearing from you on this,

 /cheers

 --
 Pere Urbon-Bayes
 Software Architect
 http://www.purbon.com
 https://twitter.com/purbon
 https://www.linkedin.com/in/purbon/


Question about integrating kafka broker with a service

2019-05-16 Thread Zhou, Thomas
Hi,

I am one of the Kafka users and I have a question about how to integrate our 
service with Kafka. Basically, we want to enable Kafka with TLS and we want to 
enable mutual authentication using SSL context. We’ve already got a service which 
will sign the cert and manage the key. Our goal is to let Kafka broker side and 
client side integrate this service so people will not need to worry about 
rotating the key and other stuff. I know that Kafka design is un-pluggable, but 
can I get some advice about how difficult it is to make Kafka pluggable with a 
service as I mentioned?
I would really appreciate it if you could give some advice.


Thanks & Regards,
Thomas