You are viewing a plain text version of this content. The canonical link for it is here.
Posted to jira@kafka.apache.org by "Tom Bentley (JIRA)" <ji...@apache.org> on 2017/06/19 13:02:00 UTC
[jira] [Commented] (KAFKA-4985) kafka-acls should resolve dns names
and accept ip ranges
[ https://issues.apache.org/jira/browse/KAFKA-4985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16053942#comment-16053942 ]
Tom Bentley commented on KAFKA-4985:
------------------------------------
> The problem with resolving hostnames client-side is that it would cause a lot of confusion when resolution happened differently client-side versus server-side.
That argument could be applied to practically any use of DNS, so I'm not convinced it makes a good reason not to do this.
> kafka-acls should resolve dns names and accept ip ranges
> --------------------------------------------------------
>
> Key: KAFKA-4985
> URL: https://issues.apache.org/jira/browse/KAFKA-4985
> Project: Kafka
> Issue Type: Improvement
> Components: security
> Reporter: Ryan P
>
> Per KAFKA-2869 it looks like a conscious decision was made to move away from using hostnames for authorization purposes.
> This is fine however IP addresses are terrible inconvenient compared to hostname with regard to configuring ACLs.
> I'd like to propose the following two improvements to make managing these ACLs easier for end-users.
> 1. Allow for simple patterns to be matched
> i.e --allow-host 10.17.81.11[1-9]
> 2. Allow for hostnames to be used even if they are resolved on the client side. Simple pattern matching on hostnames would be a welcome addition as well
> i.e. --allow-host host.name.com
> Accepting a comma delimited list of hostnames and ip addresses would also be helpful.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)