You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by Ismael Juma <is...@juma.me.uk> on 2016/12/01 16:32:29 UTC

Re: [VOTE] KIP-85: Dynamic JAAS configuration for Kafka clients

Thanks for explaining your reasoning, Rajini. I do agree with all of it and
that's why I voted +1. :)

The reason for my comment was to highlight some of the areas that can be
improved in case someone has the time and interest. The Kerberos situation
is the obvious one, but one could also imagine flattening the JAAS format
into the properties format. That would make it easier for people who want
to provide a single properties file and it would be more consistent with
other properties. I haven't worked out all the details, so there may be
reasons why it doesn't work, but it's an interesting avenue to explore I
think.

Ismael

On Mon, Nov 28, 2016 at 3:29 PM, Rajini Sivaram <
rajinisivaram@googlemail.com> wrote:

> Ismael,
>
> Thank you for reviewing the KIP. I do agree that JAAS config format is not
> ideal. But I wanted to solve the generic configuration issue (need for
> physical file, single static config) for any SASL mechanism in an
> extensible, future-proof way. And that requires the ability to configure
> all the properties currently configured using the JAAS config file - login
> module and all its options. It didn't make sense to define a new format to
> do this when JAAS is supported by Kafka.
>
> Kerberos is a very special case. Unlike other mechanisms, I imagine all
> users of Kerberos use the login module included in the JRE. And these
> modules happen to use different options depending on the vendor. I am not
> very familiar with the Hadoop codebase, but it looks like Hadoop contains
> code that abstracts out Kerberos options so that it works with any JRE.
> This KIP does not preclude better handling for Kerberos in future.
>
> For other mechanisms like PLAIN, we want the login module to be pluggable.
> And that means the options need to be extensible. Here JAAS config enables
> a format that is consistent with the jaas config file, but without the
> current limitations.
>
>
> On Mon, Nov 28, 2016 at 1:00 PM, Ismael Juma <is...@juma.me.uk> wrote:
>
> > I'm very late to this, but better late than never, I guess. I am +1 on
> this
> > because it improves on the status quo, satisfies a real need and is
> simple
> > to implement.
> >
> > Having said that, I'd also like to state that it's a bit of a shame that
> we
> > are doubling down on the JAAS config format. It is a peculiar format and
> in
> > the Kerberos case (one of the common usages), it requires users to
> provide
> > different configs depending on the Java implementation being used. It
> would
> > be nice if we looked into abstracting some of this to make users' lives
> > easier. Looking at the Hadoop codebase, it looks like they try to do that
> > although I don't know how well it worked out in practice.
> >
> > Ismael
> >
> > On Tue, Nov 1, 2016 at 1:42 PM, Rajini Sivaram <
> > rajinisivaram@googlemail.com
> > > wrote:
> >
> > > KIP-85 vote has passed with 4 binding (Harsha, Gwen, Jason, Jun) and 4
> > > non-binding (Mickael, Jim, Edo, me) votes.
> > >
> > > Thank you all for your votes and comments. I will update the KIP page
> and
> > > rebase the PR.
> > >
> > > Many thanks,
> > >
> > > Rajini
> > >
> > >
> > >
> > > On Mon, Oct 31, 2016 at 11:29 AM, Edoardo Comar <EC...@uk.ibm.com>
> > wrote:
> > >
> > > > +1 great KIP
> > > > --------------------------------------------------
> > > > Edoardo Comar
> > > > IBM MessageHub
> > > > ecomar@uk.ibm.com
> > > > IBM UK Ltd, Hursley Park, SO21 2JN
> > > >
> > > > IBM United Kingdom Limited Registered in England and Wales with
> number
> > > > 741598 Registered office: PO Box 41, North Harbour, Portsmouth,
> Hants.
> > > PO6
> > > > 3AU
> > > >
> > > >
> > > >
> > > > From:   Rajini Sivaram <ra...@googlemail.com>
> > > > To:     dev@kafka.apache.org
> > > > Date:   26/10/2016 16:27
> > > > Subject:        [VOTE] KIP-85: Dynamic JAAS configuration for Kafka
> > > > clients
> > > >
> > > >
> > > >
> > > > I would like to initiate the voting process for KIP-85: Dynamic JAAS
> > > > configuration for Kafka Clients:
> > > >
> > > > https://cwiki.apache.org/confluence/display/KAFKA/KIP-
> > > 85%3A+Dynamic+JAAS+
> > > > configuration+for+Kafka+clients
> > > >
> > > >
> > > > This KIP enables Java clients to connect to Kafka using SASL without
> a
> > > > physical jaas.conf file. This will also be useful to configure
> multiple
> > > > KafkaClient login contexts when multiple users are supported within a
> > > JVM.
> > > >
> > > > Thank you...
> > > >
> > > > Regards,
> > > >
> > > > Rajini
> > > >
> > > >
> > > >
> > > > Unless stated otherwise above:
> > > > IBM United Kingdom Limited - Registered in England and Wales with
> > number
> > > > 741598.
> > > > Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire
> PO6
> > > 3AU
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Rajini
> > >
> >
>
>
>
> --
> Regards,
>
> Rajini
>