Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
here
>> >https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface#KIP-11-AuthorizationInterface-AclManagement(CLI) . I think it covers both hosts and operations and allows to specify a list for both.

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tong Li
P-11- Authorization design for kafka security Parth, This is a long thread, so trying to keep up here, sorry if this has been covered before. First, great job on the KIP proposal and work so far. Are we sure that we want to tie host level access to a given user? My understanding is that the ACL wil

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Jeff Holoman
perations and allows to specify a list for both. > > > >Thanks > >Parth > > > >From: Tom Graves mailto:tgraves...@yahoo.com>> > >Reply-To: Tom Graves mailto:tgraves...@yahoo.com>> > >Date: Wednesday, April 22, 2015 at 11:02 AM > >To: Parth Brah

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
aves mailto:tgraves...@yahoo.com>> >>Reply-To: Tom Graves mailto:tgraves...@yahoo.com>> >>Date: Wednesday, April 22, 2015 at 11:02 AM >>To: Parth Brahmbhatt >>mailto:pbrahmbh...@hortonworks.com>>, >>"dev@kafka.apache.org<mailto:dev@kafka.apache.org>&

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
gt;From: Tom Graves mailto:tgraves...@yahoo.com>> >Reply-To: Tom Graves mailto:tgraves...@yahoo.com>> >Date: Wednesday, April 22, 2015 at 11:02 AM >To: Parth Brahmbhatt >mailto:pbrahmbh...@hortonworks.com>>, >"dev@kafka.apache.org<mailto:dev@kafka.apache.org&g

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
gt;>Date: Wednesday, April 22, 2015 at 11:02 AM >>To: Parth Brahmbhatt >>mailto:pbrahmbh...@hortonworks.com>>, >>"dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >>mailto:dev@kafka.apache.org>> >>Subject: Re: [DISCUSS] KIP-11- Authorizatio

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
April 22, 2015 at 11:02 AM >To: Parth Brahmbhatt >mailto:pbrahmbh...@hortonworks.com>>, >"dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >mailto:dev@kafka.apache.org>> >Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security > >Thanks for the e

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Parth Brahmbhatt , "dev@kafka.apache.org" Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security Thanks for the explanations Parth. On the configs questions, the way I see it is it's more likely to accidentally give everyone access, especially since you have to run a separ

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
rg>> Subject: Re: [DISCUSS] KIP-11- Authorization design for kafka security Thanks for the explanations Parth. On the configs questions, the way I see it is it's more likely to accidentally give everyone access, especially since you have to run a separate command to change the acls. If there

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Thanks for the explanations Parth. On the configs questions, the way I see it is it's more likely to accidentally give everyone access, especially since you have to run a separate command to change the acls. If there was some config for defaults, a cluster admin could change that to be nobody or

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Parth Brahmbhatt
FYI, I have modified the KIP to include group as resource. In order to access “joinGroup” and “commitOffset” APIs the user will need a read permission on topic and WRITE permission on group. I plan to open a VOTE thread by noon if there are no more concerns. Thanks Parth On 4/22/15, 9:03 AM, "T

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-22 Thread Tom Graves
Hey everyone, Sorry to jump in on the conversation so late. I'm new to Kafka. I'll apologize in advance if you have already covered some of my questions.  I read through the wiki and had some comments and questions. 1) public enum Operation needs EDIT changed to ALTER 2) Does the Authorizer clas

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Parth Brahmbhatt
I have added the notes to KIP-11 Open question sections. Thanks Parth On 4/21/15, 4:49 PM, "Gwen Shapira" wrote: >Adding my notes from today's call to the thread: > >** Deny or Allow all by default? We will add a configuration to >control this. The configuration will default to “allow” for back

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Gwen Shapira
Adding my notes from today's call to the thread: ** Deny or Allow all by default? We will add a configuration to control this. The configuration will default to “allow” for backward compatibility. Security admins can set it to "deny" ** Storing ACLs for default authorizers: We'll store them in ZK

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Jay Kreps
Following up on the KIP discussion. Two options for authorizing consumers to read topic "t" as part of group "g":
1. READ permission on resource /topic/t
2. READ permission on resource /topic/t AND WRITE permission on /group/g

The advantage of (1) is that it is simpler. The disadvantage is that an

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Parth Brahmbhatt
Hey Jun, Yes and we support wild cards for all acl entities principal, hosts and operation. Thanks Parth On 4/21/15, 9:06 AM, "Jun Rao" wrote: >Harsha, Parth, > >Thanks for the clarification. This makes sense. Perhaps we can clarify the >meaning of those rules in the wiki. > >Related to this,

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Parth Brahmbhatt
Changed Edit to Alter. I did not think about it that way but Sriharsha raised the same point in a private conversation. I did not think about it that way but I agree it makes sense. If no one objects I think in the default implementation we can infer that if a user has READ or WRITE access he gets DESC

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Jay Kreps
Also, I think I may have missed this but does READ imply you also have DESCRIBE? A reader will need access to both read offsets (to determine their own initial position) as well as commit offsets. Currently, though fetching offsets is under DESCRIBE only and commit offsets is under READ. If READ=>D

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Jay Kreps
Hey Parth, Great write-up! One super minor thing: could we change the "EDIT" permission to be called "ALTER"? The request name in KIP-4 is Alter and the command line tool has always been alter (or we could go the other way and change those to EDIT). Not sure that one is any better than the other

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-21 Thread Jun Rao
Harsha, Parth, Thanks for the clarification. This makes sense. Perhaps we can clarify the meaning of those rules in the wiki. Related to this, it seems that we need to support wildcard in cli/request protocol for topics? Jun On Mon, Apr 20, 2015 at 9:07 PM, Parth Brahmbhatt < pbrahmbh...@horton

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Todd Palino
I tend to agree with Parth's point here. Most ACL systems I run into have deny and allow. In general, you have a default policy of allow, then you follow your rules stopping at the first line that matches. If you would like a default deny policy, you have a bunch of allow rules and your last rul

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Gwen Shapira
Thanks for clarifying the logic. I'm +0 on the deny thing. IMO, it's not really needed, but if you think it's important, I don't object to having it in. Gwen On Mon, Apr 20, 2015 at 7:07 PM, Parth Brahmbhatt wrote: > The iptables on unix supports the DENY operator, not that it should > matter. Th

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Parth Brahmbhatt
The iptables on unix supports the DENY operator, not that it should matter. The deny operator can also be used to specify “allow user1 to READ from topic1 from all hosts but host1,host2”. Again we could add a host group semantic and extra complexity around that, not sure if it's worth it. In additio

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Gwen Shapira
;> >> >> >>Hi Michael, >>> >> >> >> >>> >> >> >>There is code in kafka codebase that reads and interprets the >>> >> >> >> topic >>> >> >> >>config JSON which has acls, own

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Sriharsha Chintalapani
kedin.com.INVALID >> >> >> ><mailto:mherst...@linkedin.com.INVALID>> >> >> >> >>wrote: >> >> >> >> >> >> >> >>Hi Parth, >> >> >> >> >> >> >> >>O

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Gwen Shapira
gt;Parth >> >> >> >> >> >> >> >>On 4/15/15, 10:31 AM, "Michael Herstine" >> >> >> >> >>>>mailto:mherst...@linkedin.com.INVALID >> >> >> ><mailto:mherst...@linkedin.com.INVALID>>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Jun Rao
t the > >>authorizer > >> >> >>implementation, will that work? I guess what I’m asking is whether > >> >> >>there’s any code in the Kafka codebase that will interpret that > >>JSON, > >> >>or > >> >> >>does

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Parth Brahmbhatt
>> >> >>with ranges or netmasks and it would be more scalable.
>> >> >>
>> >> >>Bosco
>> >> >>
>> >> >>
>> >> >>On 4/14/15, 1:40 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID> wrote:
>> >> >>
>> >> >>Hi Parth,
>> >> >>
>> >> >>Sorry to chime in so late, but I’ve got a minor question on the KIP.
>> >> >>
>> >> >>Several methods take a parameter named “host” of type String. Is that intended to be a hostname, or an IP address? If the former, I’m curious as to how that’s found (in my experience, when accepting an incoming socket connection, you only know the IP address, and there isn’t a way to map that to a hostname without a round trip to a DNS server, which is insecure anyway).
>> >> >>
>> >> >>
>> >> >>On 3/25/15, 1:07 PM, "Parth Brahmbhatt" <pbrahmbh...@hortonworks.com> wrote:
>> >> >>
>> >> >>Hi all,
>> >> >>
>> >> >>I have modified the KIP to reflect the recent change request from the reviewers. I have been working on the code and I have the server side code for authorization ready. I am now modifying the command line utilities. I would really appreciate if some of the committers can spend sometime to review the KIP so we can make progress on this.
>> >> >>
>> >> >>Thanks
>> >> >>Parth
>> >> >>
>> >> >>On 3/18/15, 2:20 PM, "Michael Herstine" <mherst...@linkedin.com.INVALID> wrote:
>> >> >>
>> >> >>Hi Parth,
>> >> >>
>> >> >>Thanks! A few questions:
>> >> >>
>> >> >>1. Do you want to permit rules in your ACLs that DENY access as well as ALLOW? This can be handy setting up rules that have exceptions. E.g. “Allow principal P to READ resource R from all hosts” with “Deny principal P READ access to resource R from host H1” in combination would allow P to READ R from all hosts *except* H1.
>> >> >>
>> >> >>2. When a topic is newly created, will there be an ACL created for it? If not, would that not deny subsequent access to it?
>> >> >>
>> >> >>(nit) Maybe use Principal instead of String to represent principals?
>> >> >>
>> >> >>
>> >> >>On 3/9/15, 11:48 AM, "Don Bosco Durai" <bo...@apache.org> wrote:
>> >> >>
>> >> >>Parth
>> >> >>
>> >> >>Overall it is looking good. Couple of questions…
>> >> >>
>> >> >>- Can you give an example how the policies will look like in the default implementation?
>> >> >>- In the operations, can we support “CONNECT” also? This can be used during Session connection
>> >> >>- Regarding access control for “Topic Creation”, since we can’t do it on the server side, can we de-scope it for? And plan it as a future feature request?
>> >> >>
>> >> >>Thanks
>> >> >>
>> >> >>Bosco
>> >> >>
>> >> >>
>> >> >>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote:
>> >> >>
>> >> >>Hi Parth,
>> >> >>Thanks for putting this together. Overall it looks good to me. Although AdminUtils is a concern KIP-4 can probably fix that part.
>> >> >>Thanks,
>> >> >>Harsha
>> >> >>
>> >> >>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote:
>> >> >>Forgot to add links to wiki and jira.
>> >> >>Link to wiki: https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
>> >> >>Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
>> >> >>Thanks
>> >> >>Parth
>> >> >>From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>> >> >>Date: Thursday, March 5, 2015 at 10:33 AM
>> >> >>To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>> >> >>Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>> >> >>Hi,
>> >> >>KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>> >> >>Thanks
>> >> >>Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
>>>
>>>Overall it is looking good. Couple of questions…
>>>
>>>- Can you give an example how the policies will look like in the default implementation?
>>>- In the operations, can we support “CONNECT” also? This can be used during Session connection
>>>- Regarding access control for “Topic Creation”, since we can’t do it on the server side, can we de-scope it for? And plan it as a future feature request?
>>>
>>>Thanks
>>>
>>>Bosco
>>>
>>>
>>>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote:
>>>
>>>Hi Parth,
>>>Thanks for putting this together. Overall it looks good to me. Although AdminUtils is a concern KIP-4 can probably fix that part.
>>>Thanks,
>>>Harsha
>>>
>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote:
>>>Forgot to add links to wiki and jira.
>>>Link to wiki: https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
>>>Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
>>>Thanks
>>>Parth
>>>From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>>>Date: Thursday, March 5, 2015 at 10:33 AM
>>>To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>>>Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>>Hi,
>>>KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>>>Thanks
>>>Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Michael Herstine
M, "Don Bosco Durai" >>>mailto:bo...@apache.org>> wrote: >>> >>>Parth >>> >>>Overall it is looking good. Couple of questionsŠ >>> >>>- Can you give an example how the policies will look like in the >>>default &g

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Jun Rao
t; >> >>connection, you only know the IP address, and there isn’t a way to map > >> >>that to a hostname without a round trip to a DNS server, which is > >> >>insecure > >> >>anyway). > >> >> > >> >> > >> &

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Parth Brahmbhatt
code and I have the server side >> >>code >> >>for authorization ready. I am now modifying the command line >>utilities. >> >>I >> >>would really appreciate if some of the committers can spend sometime >>to >> >>review the KIP s

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Jun Rao
y created, will there be an ACL created for it? > >>If > >>not, would that not deny subsequent access to it? > >> > >>(nit) Maybe use Principal instead of String to represent principals? > >> > >> > >>On 3/9/15, 11:48 AM, "Don Bo

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Parth Brahmbhatt
as a future >>feature >>request? >> >>Thanks >> >>Bosco >> >> >>On 3/6/15, 8:10 AM, "Harsha" >>mailto:ka...@harsha.io><mailto:ka...@harsha.io>> >>wrote: >> >>Hi Parth, >>Thanks

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-20 Thread Joel Koshy
> >>default implementation?
> >>- In the operations, can we support “CONNECT” also? This can be used during Session connection
> >>- Regarding access control for “Topic Creation”, since we can’t do it on the server side, can we de-scope it for? And plan it as a future feature request?
> >>
> >>Thanks
> >>
> >>Bosco
> >>
> >>
> >>On 3/6/15, 8:10 AM, "Harsha" <ka...@harsha.io> wrote:
> >>
> >>Hi Parth,
> >>Thanks for putting this together. Overall it looks good to me. Although AdminUtils is a concern KIP-4 can probably fix that part.
> >>Thanks,
> >>Harsha
> >>
> >>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote:
> >>Forgot to add links to wiki and jira.
> >>Link to wiki: https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorization+Interface
> >>Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688
> >>Thanks
> >>Parth
> >>From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
> >>Date: Thursday, March 5, 2015 at 10:33 AM
> >>To: "dev@kafka.apache.org" <dev@kafka.apache.org>
> >>Subject: [DISCUSS] KIP-11- Authorization design for kafka security
> >>Hi,
> >>KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
> >>Thanks
> >>Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Parth Brahmbhatt
;>Thanks >> >>Bosco >> >> >>On 3/6/15, 8:10 AM, "Harsha" mailto:ka...@harsha.io>> >>wrote: >> >>Hi Parth, >>Thanks for putting this together. Overall it looks good >>to >>me. Although AdminUtils is a concern KIP-4 can probably >>fix >>that part. >>Thanks, >>Harsha >> >>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >>Forgot to add links to wiki and jira. >>Link to wiki: >>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authoriza >>t >>i >>o >>n >>+ >>Interface >>Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>Thanks >>Parth >>From: Parth Brahmbhatt >>mailto:pbrahmbh...@hortonworks.com>>b >>rahmbh...@hortonworks.com>> >>Date: Thursday, March 5, 2015 at 10:33 AM >>To: >>"dev@kafka.apache.org<mailto:dev@kafka.apache.org><mailto:dev@kafka.apach >>e >>.org>" >>mailto:dev@kafka.apache.org><mailto:dev@kafka.apach >>e >>.org>> >>Subject: [DISCUSS] KIP-11- Authorization design for kafka security >>Hi, >>KIP-11 is open for discussion , I have updated the wiki with the >>design >>and open questions. >>Thanks >>Parth >> >> >> >> >> >> >> >> >> >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Michael Herstine
. Although AdminUtils is a concern KIP-4 can probably >fix >that part. >Thanks, >Harsha > >On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >Forgot to add links to wiki and jira. >Link to wiki: >https://cwiki.apache.org/confluence/display/KAFKA/KIP

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Parth Brahmbhatt
ing good. Couple of questions…
>>>
>>> - Can you give an example how the policies will look like in the default implementation?
>>> - In the operations, can we support “CONNECT” also? This can be used during Session connection

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Parth Brahmbhatt
t; the server side, can we de-scope it for? And plan it as a future >> feature >> request? >> >> Thanks >> >> Bosco >> >> >> On 3/6/15, 8:10 AM, "Harsha" mailto:ka...@harsha.io>> >wrote: >> >> Hi Parth, >>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Tong Li
wiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authoriza > t > i > o > n > + > Interface > Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 > Thanks > Parth > From: Parth Brahmbhatt > mailto:pbrahmbh...@hortonworks.com><mailto:pbrahmbh...@hortonworks.com>> > Date: Thursday, March 5, 2015 at 10:33 AM > To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org><mailto:dev@kafka.apache.org>" > mailto:dev@kafka.apache.org><mailto:dev@kafka.apache.org>> > Subject: [DISCUSS] KIP-11- Authorization design for kafka security > Hi, > KIP-11 is open for discussion , I have updated the wiki with the > design > and open questions. > Thanks > Parth > > > > > > > > >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Parth Brahmbhatt
te: >>>>> >>>>>>Hi Parth, >>>>>>Thanks for putting this together. Overall it looks good >>>>>>to >>>>>>me. Although AdminUtils is a concern KIP-4 can probably >>>>>>fix >>>>>>that part. >>>>>>Thanks, >>>>>>Harsha >>>>>> >>>>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >>>>>>> Forgot to add links to wiki and jira. >>>>>>> >>>>>>> Link to wiki: >>>>>>> >>>>>>>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authoriza >>>>>>>t >>>>>>>i >>>>>>>o >>>>>>>n >>>>>>>+ >>>>>>>Interface >>>>>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>>>>> >>>>>>> Thanks >>>>>>> Parth >>>>>>> >>>>>>> From: Parth Brahmbhatt >>>>>>> mailto:pbrahmbh...@hortonworks.com>> >>>>>>> Date: Thursday, March 5, 2015 at 10:33 AM >>>>>>> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >>>>>>> mailto:dev@kafka.apache.org>> >>>>>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security >>>>>>> >>>>>>> Hi, >>>>>>> >>>>>>> KIP-11 is open for discussion , I have updated the wiki with the >>>>>>>design >>>>>>> and open questions. >>>>>>> >>>>>>> Thanks >>>>>>> Parth >>>>> >>>>> >>>> >>> >> > >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Parth Brahmbhatt
o: "dev@kafka.apache.org" <dev@kafka.apache.org>
Subject: [DISCUSS] KIP-11- Authorization design for kafka security

Hi,

KIP-11 is open for discussion, I have updated the wiki with the design and open questions.

Thanks
Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-15 Thread Michael Herstine
;>> >>>>>Bosco >>>>> >>>>> >>>>> >>>>>On 3/6/15, 8:10 AM, "Harsha" wrote: >>>>> >>>>>>Hi Parth, >>>>>>Thanks for putting this together. Overall it

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-14 Thread Don Bosco Durai
t;>>me. Although AdminUtils is a concern KIP-4 can probably >>>>>fix >>>>> that part. >>>>>Thanks, >>>>>Harsha >>>>> >>>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >>>>>> Forgot to add links to wiki and jira. >>>>>> >>>>>> Link to wiki: >>>>>> >>>>>>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizat >>>>>>i >>>>>>o >>>>>>n >>>>>>+ >>>>>>Interface >>>>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>>>> >>>>>> Thanks >>>>>> Parth >>>>>> >>>>>> From: Parth Brahmbhatt >>>>>> mailto:pbrahmbh...@hortonworks.com>> >>>>>> Date: Thursday, March 5, 2015 at 10:33 AM >>>>>> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org>" >>>>>> mailto:dev@kafka.apache.org>> >>>>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security >>>>>> >>>>>> Hi, >>>>>> >>>>>> KIP-11 is open for discussion , I have updated the wiki with the >>>>>>design >>>>>> and open questions. >>>>>> >>>>>> Thanks >>>>>> Parth >>>> >>>> >>> >> >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-04-14 Thread Michael Herstine
>>that part. >>>>Thanks, >>>>Harsha >>>> >>>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: >>>>> Forgot to add links to wiki and jira. >>>>> >>>>> Link to wiki: >>>>>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Jun Rao
t;Thanks > >> > >>Bosco > >> > >> > >> > >>On 3/6/15, 8:10 AM, "Harsha" mailto:ka...@harsha.io > ><mailto:ka...@harsha.io>> > wrote: > >> > >>>Hi Parth, > >>>Thanks for putti

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Parth Brahmbhatt
reviewers. I have been working on the code and I have the server side >>>>code >>>> for authorization ready. I am now modifying the command line >>>>utilities. >>>>I >>>> would really appreciate if some of the committers can spend sometime &

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Parth Brahmbhatt
io >>>>n >>>>+ >>>>Interface >>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>> >>>> Thanks >>>> Parth >>>> >>>> From: Parth Brahmbhatt >>>> mailto:pbrahmbh...@hortonworks.com><mailto:pbrahmbh...@hortonworks.com ><mailto:pbrahmbh...@hortonworks.com>> >>>> Date: Thursday, March 5, 2015 at 10:33 AM >>>> To: >>>> "dev@kafka.apache.org<mailto:dev@kafka.apache.org><mailto:dev@kafka.apache.org>mailto:dev@kafka.apache.org>>" >>>> mailto:dev@kafka.apache.org><mailto:dev@kafka.apache.org>mailto:dev@kafka.apache.org>>> >>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security >>>> >>>> Hi, >>>> >>>> KIP-11 is open for discussion , I have updated the wiki with the >>>>design >>>> and open questions. >>>> >>>> Thanks >>>> Parth >> >> > -- Thanks, Neha

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Harsha
ers. I have been working on the code and I have the server side >>>>code >>>> for authorization ready. I am now modifying the command line >>>>utilities. >>>>I >>>> would really appreciate if some of the committers can spend someti

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Don Bosco Durai
e: >>>> >>>> Hi all, >>>> >>>> I have modified the KIP to reflect the recent change request from the >>>> reviewers. I have been working on the code and I have the server side >>>>code >>>> for authorization ready. I am now mo

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Gwen Shapira
gt;1. Do you want to permit rules in your ACLs that DENY access as well as >>> >ALLOW? This can be handy setting up rules that have exceptions. E.g. >>> >“Allow principal P to READ resource R from all hosts” with “Deny >>>principal >>> >P READ access to resourc

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Don Bosco Durai
principals?
>> >
>> >
>> >On 3/9/15, 11:48 AM, "Don Bosco Durai" <bo...@apache.org> wrote:
>> >
>> >>Parth
>> >>
>> >>Overall it is looking good. Couple of questions…
>> >>
>> >>- Can you

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-31 Thread Jun Rao
AM, "Harsha" mailto:ka...@harsha.io>> > wrote: > >> > >>>Hi Parth, > >>>Thanks for putting this together. Overall it looks good to > >>>me. Although AdminUtils is a concern KIP-4 can probably fix > >>>that part. > >>>Thanks, > >>>Harsha > >>> > >>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: > >>>> Forgot to add links to wiki and jira. > >>>> > >>>> Link to wiki: > >>>> > >>>> > https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizatio > >>>>n > >>>>+ > >>>>Interface > >>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 > >>>> > >>>> Thanks > >>>> Parth > >>>> > >>>> From: Parth Brahmbhatt > >>>> mailto:pbrahmbh...@hortonworks.com > ><mailto:pbrahmbh...@hortonworks.com>> > >>>> Date: Thursday, March 5, 2015 at 10:33 AM > >>>> To: "dev@kafka.apache.org<mailto:dev@kafka.apache.org> dev@kafka.apache.org>" > >>>> mailto:dev@kafka.apache.org> dev@kafka.apache.org>> > >>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security > >>>> > >>>> Hi, > >>>> > >>>> KIP-11 is open for discussion , I have updated the wiki with the > >>>>design > >>>> and open questions. > >>>> > >>>> Thanks > >>>> Parth > >> > >> > > > > > > > -- > Thanks, > Neha > >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-29 Thread Parth Brahmbhatt
gt;>>> >>>> https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizatio >>>>n >>>>+ >>>>Interface >>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>> >>>> Thanks >

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-28 Thread Gwen Shapira
anks for putting this together. Overall it looks good to >> >>>me. Although AdminUtils is a concern KIP-4 can probably fix >> >>> that part. >> >>>Thanks, >> >>>Harsha >> >>> >> >>>On Thu, Mar

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-25 Thread Neha Narkhede
; >>>that part. > >>>Thanks, > >>>Harsha > >>> > >>>On Thu, Mar 5, 2015, at 10:39 AM, Parth Brahmbhatt wrote: > >>>> Forgot to add links to wiki and jira. > >>>> > >>>> Link to wiki: > >&g

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-25 Thread Parth Brahmbhatt
> Forgot to add links to wiki and jira. >>>> >>>> Link to wiki: >>>> >>>>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizatio >>>>n >>>>+ >>>>Interface >>>> Link to Jira: https://issues

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-18 Thread Parth Brahmbhatt
; >>>> Link to wiki: >>>> >>>>https://cwiki.apache.org/confluence/display/KAFKA/KIP-11+-+Authorizatio >>>>n >>>>+ >>>>Interface >>>> Link to Jira: https://issues.apache.org/jira/browse/KAFKA-1688 >>>>

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-18 Thread Michael Herstine
>>> Thanks
>>> Parth
>>>
>>> From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>>> Date: Thursday, March 5, 2015 at 10:33 AM
>>> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>>
>>> Hi,
>>>
>>> KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>>>
>>> Thanks
>>> Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-09 Thread Parth Brahmbhatt
wse/KAFKA-1688
>>>
>>> Thanks
>>> Parth
>>>
>>> From: Parth Brahmbhatt <pbrahmbh...@hortonworks.com>
>>> Date: Thursday, March 5, 2015 at 10:33 AM
>>> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>>
>>> Hi,
>>>
>>> KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>>>
>>> Thanks
>>> Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-09 Thread Don Bosco Durai
AM
>> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
>> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>>
>> Hi,
>>
>> KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>>
>> Thanks
>> Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-06 Thread Harsha
: Thursday, March 5, 2015 at 10:33 AM
> To: "dev@kafka.apache.org" <dev@kafka.apache.org>
> Subject: [DISCUSS] KIP-11- Authorization design for kafka security
>
> Hi,
>
> KIP-11 is open for discussion, I have updated the wiki with the design and open questions.
>
> Thanks
> Parth

Re: [DISCUSS] KIP-11- Authorization design for kafka security

2015-03-05 Thread Parth Brahmbhatt
March 5, 2015 at 10:33 AM
To: "dev@kafka.apache.org" <dev@kafka.apache.org>
Subject: [DISCUSS] KIP-11- Authorization design for kafka security

Hi,

KIP-11 is open for discussion, I have updated the wiki with the design and open questions.

Thanks
Parth

[DISCUSS] KIP-11- Authorization design for kafka security

2015-03-05 Thread Parth Brahmbhatt
Hi,

KIP-11 is open for discussion, I have updated the wiki with the design and open questions.

Thanks
Parth