Table of Contents |
---|
Status
Current state: Under DiscussionNot Accepted <Closed>
Discussion thread: here
JIRA: KAFKA-1810
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
- Financial Services - Systems that contain PCI / PII such as addresses, credit cards numbers etc
- Healthcare - Patient information, HIPAA
- Any other sensitive information
- Protection against logical data corruption (eg. Dev writing to Prod or vice versa)
This type of functionality could also be enforced via network administration, (Network firewalls, IPTables etc) but often times there is a disconnect between the operators of the system and those network teams in large organizations. Giving (software/systems) administrators the ability to control their own environment independent of external groups would be beneficial.Another benefit would be preventing against accidental logical data corruption where QA or Dev environments might be erroneously configured to write to production environments or vice versa.
The broader security initiative will add more robust controls for these types of environments, and this proposal could be integrated with that work at the appropriate time. This is also the specific request of a large financial services company.
Public Interfaces
The changes proposed here do not affect public interfaces or otherwise interfere with backward compatibility
...
Two additional (optional) parameters would be added to the Kafka broker configuration.
security.ip.filter.rule.type
security.ip.filter.list
Proposed Changes
Administrators would list the type of filtering that they are implementing, either Whitelists - using the value "allow" or Blacklists - using the value "deny" and a list of IP Ranges represented in CIDR notation: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.
...
The solution proposed calls for an additional class in the network package and an additional check in the acceptor thread, as mentioned above. Translation of the CIDR ranges into upper and lower boundaries happens on server startup so the overhead of checking this in the acceptor thread should be O(N) where N is the number of distinct ranges specified in the configuration. The actual comparison is done by converting the connection IP address into a BigInteger representation and comparing it with the upper and lower boundaries of each CIDR range. First match exits the lookup. The solution also supports IPv6 addresses (hence the need for BigInt vs Int).
...