Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Thanks Damian. I chatted with Ashish offline and he will check the possibility an API (similar to Hadoop's credential store), but warned that since it is a more complex change, he may not get to it immediately. Gwen On Sat, Aug 27, 2016 at 6:59 AM, Damian Guy wrote: > I'm in agreement with Gwen.

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Thanks Ismael, I created the child page but forgot the add it to the table... I re-numbered "Join Semantics" to KIP-77. Sorry for the confusion. -Matthias On 08/27/2016 01:01 PM, Ismael Juma wrote: > Hi Matthias, > > Improve Kafka Streams Join Semantics is not mentioned on the KIP page and > t

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

I'm in agreement with Gwen. An API would be a better solution. Running executables from Kafka is dangerous. On Sat, 27 Aug 2016 at 12:02, Ismael Juma wrote: > Hi Matthias, > > Improve Kafka Streams Join Semantics is not mentioned on the KIP page and > that is probably the source of confusion: > >

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Hi Matthias, Improve Kafka Streams Join Semantics is not mentioned on the KIP page and that is probably the source of confusion: https://cwiki.apache.org/confluence/display/KAFKA/ Kafka+Improvement+Proposals Ismael On Thu, Aug 25, 2016 at 10:44 PM, Matthias J. Sax wrote: > I guess this should

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

I guess this should be KIP-77 ? KIP-76 is "Improve Kafka Streams Join Semantics" See http://search-hadoop.com/m/uyzND19SmQJ1yfCQ42/v=plain -Matthias On 08/25/2016 10:13 PM, Ashish Singh wrote: > Hey Gwen, > > You’re right that if someone can alter the executable then they can do > things in th

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Hey Gwen, You’re right that if someone can alter the executable then they can do things in the context of the thing running the script, like kafka. But if you were kafka admin user (or root), you could also do lots of things to lots of other different files owned by the user, so it’s not really th

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Hi Ashish, I appreciate the need to integrate our authentication with other systems that store passwords. I am not sure that doing so by running a binary is the best solution. First, it does not add security: As you said, a file is just "sitting there" the same way an executable is just "sitting

Re: [DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

+1 (non-binding) Thanks, Bharat On Wed, Aug 24, 2016 at 12:03 PM, Ashish Singh wrote: > Hey Guys, > > I’ve just posted KIP-76: Enable getting password from executable rather > than passing as plaintext in config files > 76+Enable+gettin

[DISCUSS] KIP-76: Enable getting password from executable rather than passing as plaintext in config files

Hey Guys, I’ve just posted KIP-76: Enable getting password from executable rather than passing as plaintext in config files . The proposal is to enab