Status
Current state: "Under DiscussionAccepted"
Discussion thread: here
JIRA: here
...
- Channel wrapper for TransportLayer and AuthenticationLayer, providing the necessary handshake and authentication methods as well as read(ByteBuffer buf), write(ByteBuffer buf) and write(ByteBuffer[] buf).
- TransportLayer is an interface for the network transport layer.
- PlainTextTransportLayer provides plain text socket channel methods.
- SSLTransportLayer provides SSL handshake and read/write methods.
- Authenticator is an interface for providing client/server authentication.
- SaslServerAuthenticationLayer implements AuthenticationLayer and provides authentication methods for the server side.
- SaslClientAuthenticationLayer implements AuthenticationLayer and provides client-side authentication.
- User: This class will be used to get the remoteUserId and add it to the Session Object (https://issues.apache.org/jira/browse/KAFKA-1683)
- KafkaPrincipalToLocalPlugin: This is a pluggable class with a default implementation which translates a Kerberos principal that looks like "testuser/node1.test.com@EXAMPLE.COM" to "testuser". Users can provide their own customized version of PrincipalToLocalPlugin.
- AuthUtils: This class will consist of any utilities needed for SASL and other auth-related methods.
- KerberosLoginFactory: It will use the JAAS config to log in and generate a subject.
- Protocol accepts the protocol type (PLAINTEXT, SSL, PLAINTEXT+SASL, SSL+SASL)
  - PLAINTEXT (non-authenticated, non-encrypted)
    - This channel will provide exact behavior for communication channels as previous releases.
  - SSL
    - SSL implementation. The authenticated principal in the session will be from the certificate presented or the peer host.
  - SASL+PLAINTEXT
    - SASL authentication will be used over a plaintext channel. Once SASL authentication is established between client and server, the session will have the client's principal as the authenticated user. There won't be any wire encryption in this case, as all the channel communication will be over plain text.
  - SASL+SSL
    - SSL will be established initially and SASL authentication will be done over SSL. Once SASL authentication is established, the user's principal will be used as the authenticated user. This option is useful if users want to use SASL authentication (for example Kerberos) with wire encryption.
- SecurityConfig, a config file for providing SecurityProtocol, SSL config and SASL mechanisms.
- BlockingChannel interface changes as it accepts the Protocol to create appropriate channels.
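
The principal-to-local translation described for KafkaPrincipalToLocalPlugin, sketched as an added example; it is not code from this proposal or from Kafka. The class, record and method names and the trusted-realm set are hypothetical, and the parser assumes principals without escaped `/` or `@` characters. It also shows the check a custom plugin would want: refuse principals from realms the broker does not trust before dropping the realm.

```java
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Kafka's API.
public class PrincipalToLocalExample {

    /** Parsed form of primary[/instance]@REALM. */
    record KerberosName(String primary, String instance, String realm) {
        static KerberosName parse(String principal) {
            int at = principal.lastIndexOf('@');
            if (at <= 0 || at == principal.length() - 1) {
                throw new IllegalArgumentException("principal has no realm: " + principal);
            }
            String name = principal.substring(0, at);
            String realm = principal.substring(at + 1);
            int slash = name.indexOf('/');
            String primary = slash < 0 ? name : name.substring(0, slash);
            String instance = slash < 0 ? null : name.substring(slash + 1);
            if (primary.isEmpty()) {
                throw new IllegalArgumentException("principal has no primary: " + principal);
            }
            return new KerberosName(primary, instance, realm);
        }
    }

    /** Maps a principal to its short name, but only for realms the broker trusts. */
    static String toLocal(String principal, Set<String> trustedRealms) {
        KerberosName n = KerberosName.parse(principal);
        if (!trustedRealms.contains(n.realm())) {
            // Without this check, the same primary in another realm would
            // collapse onto the same local user name.
            throw new SecurityException("untrusted realm: " + n.realm());
        }
        return n.primary();
    }

    public static void main(String[] args) {
        Set<String> trusted = Set.of("EXAMPLE.COM"); // constructed sample configuration
        System.out.println(toLocal("testuser/node1.test.com@EXAMPLE.COM", trusted));
        System.out.println(toLocal("testuser@EXAMPLE.COM", trusted));
        try {
            // Constructed sample: same primary, realm not in the trusted set.
            toLocal("testuser/node1.test.com@OTHER.REALM", trusted);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the short name is what ends up in the session as the authenticated user, any custom translation should be treated as part of the authentication path and reviewed accordingly.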
...