[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15137360#comment-15137360 ] Ashish K Singh commented on KAFKA-3186: --- [~gwenshap] mind taking a look at this. It will be nice to have this in 0.9.0.1. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Affects Versions: 0.9.0.0 >Reporter: Ashish K Singh >Assignee: Ashish K Singh > Fix For: 0.9.0.1 > > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15131490#comment-15131490 ] ASF GitHub Bot commented on KAFKA-3186: --- GitHub user SinghAsDev opened a pull request: https://github.com/apache/kafka/pull/861 KAFKA-3186: Make Kafka authorizer aware of principal types it supports. You can merge this pull request into a Git repository by running: $ git pull https://github.com/SinghAsDev/kafka KAFKA-3186 Alternatively you can review and apply these changes as the patch at: https://github.com/apache/kafka/pull/861.patch To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message: This closes #861 commit 0617c75ee808d58009afdaf976fc1ae455cfb2e8 Author: Ashish SinghDate: 2016-02-04T01:06:29Z KAFKA-3186: Make Kafka authorizer aware of principal types it supports. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15128743#comment-15128743 ] Gwen Shapira commented on KAFKA-3186: - Got it. In this case, the suggestion makes sense. The implementation will need to be backward compatible, of course - so make sure you default to 'user' principal type. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15128067#comment-15128067 ] Ismael Juma commented on KAFKA-3186: The CLI is actually meant to work with pluggable authorizers too, see the following option: {code} val authorizerOpt = parser.accepts("authorizer", "Fully qualified class name of the authorizer, defaults to kafka.security.auth.SimpleAclAuthorizer.") {code} Not sure if anyone has managed to use it with a custom authorizer though. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15128661#comment-15128661 ] Ashish K Singh commented on KAFKA-3186: --- {quote} I assume you are referring to the fact that Sentry also manages Groups and Roles, so a Principal may be a group? {quote} Sentry provides role based access control and so "role" is the only principal type that will be used while creating acls. {quote} Is this specifically for the CLI, or are there other areas that are a problem? {quote} Help messages are specifically for CLI, however ACLs validation is missing from the authorizer. ACLs CRUD for now is limited to CLI though. {quote} I'm asking because unlike the authorizer API which is pluggable, the CLI is specific to the defaultAuthorizer. We are assuming that Sentry and Ranger users will use whatever GUI / CLI is provided by Sentry and Ranger. {quote} As [~ijuma] mentioned below, CLI is actually intended to support pluggable authorizer as well. I am planning on utilizing this for Sentry.I agree one can use Sentry GUI/CLI to do this, however Kafka users would like to have a seamless experience, using same CLI irrespective of backing authorizer. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15127213#comment-15127213 ] Ashish K Singh commented on KAFKA-3186: --- [~gwenshap] [~ijuma] I would like to know your thoughts on this, before I create a PR. > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (KAFKA-3186) Kafka authorizer should be aware of principal types it supports.
[ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15127632#comment-15127632 ] Gwen Shapira commented on KAFKA-3186: - I assume you are referring to the fact that Sentry also manages Groups and Roles, so a Principal may be a group? Is this specifically for the CLI, or are there other areas that are a problem? I'm asking because unlike the authorizer API which is pluggable, the CLI is specific to the defaultAuthorizer. We are assuming that Sentry and Ranger users will use whatever GUI / CLI is provided by Sentry and Ranger. Does that make sense? Or are you talking about something else entirely? > Kafka authorizer should be aware of principal types it supports. > > > Key: KAFKA-3186 > URL: https://issues.apache.org/jira/browse/KAFKA-3186 > Project: Kafka > Issue Type: Improvement >Reporter: Ashish K Singh >Assignee: Ashish K Singh > > Currently, Kafka authorizer is agnostic of principal types it supports, so > are the acls CRUD methods in {{kafka.security.auth.Authorizer}}. The intent > behind is to keep Kafka authorization pluggable, which is really great. > However, this leads to following issues. > 1. {{kafka-acls.sh}} supports pluggable authorizer and custom principals, > however is some what integrated with {{SimpleAclsAuthorizer}}. The help > messages has details which might not be true for a custom authorizer. For > instance, assuming User is a supported PrincipalType. > 2. Acls CRUD methods perform no check on validity of acls, as they are not > aware of what principal types the support. This opens up space for lots of > user errors, KAFKA-3097 is an instance. > I suggest we add a {{getSupportedPrincipalTypes}} method to authorizer and > use that for acls verification during acls CRUD, and make {{kafka-acls.sh}} > help messages more generic. -- This message was sent by Atlassian JIRA (v6.3.4#6332)