Posted to dev@kafka.apache.org by "Tong Li (JIRA)" <ji...@apache.org> on 2015/01/30 22:55:34 UTC

[jira] [Comment Edited] (KAFKA-1810) Add IP Filtering / Whitelists-Blacklists

    [ https://issues.apache.org/jira/browse/KAFKA-1810?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14299202#comment-14299202 ] 

Tong Li edited comment on KAFKA-1810 at 1/30/15 9:55 PM:
---------------------------------------------------------

Rather than adding specific security measures, can we add some kind of plugin point so that any plugins can be configured to do that type of work? Whether it is an IP filter, a certificate filter or a basic authentication filter, we can simply enable these plugins according to our own needs. This way, Kafka only provides the plugin point, nothing else; how the plugin gets developed and performs is not really the concern of the Kafka community, and we can have a clear separation of concerns. This has been done in many other successful projects; new to Kafka, just saying we can do something like middleware (in Python terms) or a servlet filter in the Java world. The point of doing this is to have the security measure become a configuration matter. One can choose any available plugins appropriate for their own purposes by changing configurations.


was (Author: tongli):
Rather than adding specific security measures, can we add some kind of plugin point so that any plugins can be configured to do that type of work? Whether it is an IP filter, a certificate filter or a basic authentication filter, we can simply enable these plugins according to our own needs. This way, Kafka only provides the plugin point, nothing else; how the plugin gets developed and performs is not really the concern of the Kafka community, and we can have a clear separation of concerns. This has been done in many other successful projects; new to Kafka, just saying we can do something like middleware (in Python terms) or a servlet filter in the Java world.

> Add IP Filtering / Whitelists-Blacklists 
> -----------------------------------------
>
>                 Key: KAFKA-1810
>                 URL: https://issues.apache.org/jira/browse/KAFKA-1810
>             Project: Kafka
>          Issue Type: New Feature
>          Components: core, network, security
>            Reporter: Jeff Holoman
>            Assignee: Jeff Holoman
>            Priority: Minor
>             Fix For: 0.8.3
>
>         Attachments: KAFKA-1810.patch, KAFKA-1810_2015-01-15_19:47:14.patch
>
>
> While longer-term goals of security in Kafka are on the roadmap, there exists some value for the ability to restrict connection to Kafka brokers based on IP address. This is not intended as a replacement for security but more of a precaution against misconfiguration and to provide some level of control to Kafka administrators about who is reading/writing to their cluster.
> 1) In some organizations software administration vs o/s systems administration and network administration is disjointed and not well choreographed. Providing software administrators the ability to configure their platform relatively independently (after initial configuration) from Systems administrators is desirable.
> 2) Configuration and deployment are sometimes error-prone and there are situations when test environments could erroneously read/write to production environments.
> 3) An additional precaution against reading sensitive data is typically welcomed in most large enterprise deployments.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
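
The plugin-point idea from the comment above, sketched as an added example (not code from this thread, the attached patches, or Kafka itself): a broker-side chain of connection filters chosen purely by configuration, with an IP allow/deny filter as one plugin. The `connection.filters` key, the registry and all class and function names are hypothetical, and the sample configuration is constructed.

```python
import ipaddress

REGISTRY = {}  # hypothetical plugin registry: config name -> filter class

def register(name):
    def wrap(cls):
        REGISTRY[name] = cls
        return cls
    return wrap

@register("ip")
class IpFilter:
    """Admit a peer only if no deny network matches and, when an allow
    list is configured, at least one allow network matches."""
    def __init__(self, allow=(), deny=()):
        self.allow = [ipaddress.ip_network(n) for n in allow]
        self.deny = [ipaddress.ip_network(n) for n in deny]

    def accept(self, conn):
        addr = ipaddress.ip_address(conn["peer_ip"])
        # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap
        # them so IPv4 deny rules cannot be sidestepped by the mapped form.
        if addr.version == 6 and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if any(addr in net for net in self.deny):
            return False
        return not self.allow or any(addr in net for net in self.allow)

def build_chain(config):
    """Instantiate the filters named in the config, in order."""
    chain = []
    for entry in config.get("connection.filters", []):
        name = entry["type"]
        if name not in REGISTRY:
            # Fail closed: a typo in a security setting must stop startup,
            # not silently run the listener without the filter.
            raise ValueError(f"unknown connection filter: {name}")
        chain.append(REGISTRY[name](**entry.get("options", {})))
    return chain

def admit(chain, conn):
    """A connection is admitted only if every configured filter accepts it."""
    return all(f.accept(conn) for f in chain)

# Constructed sample configuration: production subnet allowed, test range denied.
SAMPLE_CONFIG = {"connection.filters": [
    {"type": "ip", "options": {"allow": ["10.20.0.0/16"],
                               "deny": ["10.20.99.0/24"]}},
]}
```

A certificate or authentication filter would register under its own name and read other fields of the same `conn` dictionary, so enabling it is a configuration change rather than a code change.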