...
We will try to provide something simple out of the box.
Sequencing
Here is a proposed sequence of work
Phase 1: Prep
- Add session as communication mechanism between socket server and kafka api layer.
- Add SSL port to metadata request
Phase 2: Authentication
- Allow disabling sendfile for reads that need encryption or other integrity checks added
- Implement SSL
- Implement SASL
Phase 3: Authorization
- Implement PermissionManager interface and implement the "out of the box" implementation.
Open Questions
Do we need to separately model hosts? i.e. in addition to user do we need to pass into the authorization layer information about what host the access is coming from.
Likely we need a way to specify the minimum encryption/integrity level of a client that is allowed to read data. Likely we should define something generic like NONE < INTEGRITY < ENCRYPTED and allow the user to set a minimum level for each topic so you can guarantee a particular data stream never goes in the clear.
Out-of-scope Features
On disk and per-field encryption
...