Versions Compared

Old Version 51

changes.mady.by.user Parth

Saved on

compared with

New Version 52

changes.mady.by.user Parth

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • What should be the default behavior for scenarios like "no acls found" which will be the case for all topics created before security release? Generally in secure setups the de-facto behavior is to fail close but this forces users to add an "Allow everyone from all hosts" acl to all of their existing topics. 
  • What should be the storage for out of box Authorizer implementation? Zookeeper seems like a good fit here as acls seldom change and we can have a caching layer with TTL of 1 hour. Jun has suggested to use topic (just like we use it for consumer offset storage) which will allow mirror maker to replicate acls without any changes however this means for any custom authorizer the acls will not be replicated by mirror maker. It might be better to update mirror maker to explicitly use getAcls and addAcls API so Acls are replicated no matter what authorizer implementation is chosen.
  • Do we want to modify the existing CLI with all the acl options? or just create a new acl management CLI?
  • Do we want to support Deny as a permissionType? This adds support for complex acls like "allow access to user1 from all hosts but host1,host2" at the expense of simplicity. I don't think anyone feels about keeping/removing this strongly so will be great to make a quick decision. 
  • Do we want 1:1 mapping from Operation to API or a categorization as listed above? If we decide to go with a 1:1 mapping I think it is better to make it an open string instead of an enum. 
  • Do we want to support authorization of KafkaAdminUtil operation? In absence of any alternative approach we are currently leaning to defer design and implementation for this to a future release after KIP-4 is merged into trunk.What does acls on zookeeper node look like given all our admin APIs are currently performed directly from client? Any plans of moving to curator? The current library uses zookeeper version 3.3 which was released in 2010 so its pretty old. Zookeeper did not add sasl support until version 4.0 so to use any sasl feature we will have to upgrade that library to a 4.X version.I have submitted a PR https://github.com/sgroschupf/zkclient/pull/31 but I think it is better to move to a more mature library like curator which is being actively maintained. 
  • Do we want to support group acls as part of this authorizer? 

...