Posted to users@kafka.apache.org by tao xiao <xi...@gmail.com> on 2016/01/18 04:15:54 UTC

Support customized security protocol

Hi Kafka team,

I want to know if I can plug in my own security protocol to Kafka to
implement a project-specific authentication mechanism. The currently supported
authentication protocols, SASL/GSSAPI and SSL, are not supported in my
company and we have our own security protocol to do authentication.

Is it a good idea to make ChannelBuilder extensible so that I can implement
it with my own security channel?

Re: Support customized security protocol

Posted by tao xiao <xi...@gmail.com>.
Thank you.

On Fri, 22 Jan 2016 at 08:39 Guozhang Wang <wa...@gmail.com> wrote:

> Done.

Re: Support customized security protocol

Posted by Guozhang Wang <wa...@gmail.com>.
Done.

On Thu, Jan 21, 2016 at 12:38 AM, tao xiao <xi...@gmail.com> wrote:

> Hi Guozhang,
>
> Thanks for that.
>
> Can you please grant kevinth the write access too? He is my colleague and
> both of us work on this topic now.



-- 
-- Guozhang

Re: Support customized security protocol

Posted by tao xiao <xi...@gmail.com>.
Hi Guozhang,

Thanks for that.

Can you please grant kevinth the write access too? He is my colleague and
both of us work on this topic now.

On Wed, 20 Jan 2016 at 14:55 Guozhang Wang <wa...@gmail.com> wrote:

> Tao,
>
> I have granted you the access.
>
> Guozhang

Re: Support customized security protocol

Posted by Guozhang Wang <wa...@gmail.com>.
Tao,

I have granted you the access.

Guozhang


On Tue, Jan 19, 2016 at 7:56 PM, Connie Yang <cy...@gmail.com> wrote:

> @Ismael, what's the status of the SASL/PLAIN PR,
> https://github.com/apache/kafka/pull/341?



-- 
-- Guozhang

Re: Support customized security protocol

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Connie,

On Wed, Jan 20, 2016 at 3:56 AM, Connie Yang <cy...@gmail.com> wrote:

> @Ismael, what's the status of the SASL/PLAIN PR,
> https://github.com/apache/kafka/pull/341?


Rajini said he would create a KIP for it:

https://issues.apache.org/jira/browse/KAFKA-2658?focusedCommentId=14987903&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-14987903

Ismael

Re: Support customized security protocol

Posted by Connie Yang <cy...@gmail.com>.
@Ismael, what's the status of the SASL/PLAIN PR,
https://github.com/apache/kafka/pull/341?



On Tue, Jan 19, 2016 at 6:25 PM, tao xiao <xi...@gmail.com> wrote:

> The PR provides a new SASL mech but it doesn't provide a pluggable way to
> implement user's own logic to do authentication. So I don't think the PR
> will meet my need.
>
> I will write a KIP to open the discussion.
>
> p.s. Ismael, can you grant me the permission to create a KIP in Kafka
> space?

Re: Support customized security protocol

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Tao,

On Wed, Jan 20, 2016 at 2:25 AM, tao xiao <xi...@gmail.com> wrote:

> The PR provides a new SASL mech but it doesn't provide a pluggable way to
> implement user's own logic to do authentication. So I don't think the PR
> will meet my need.
>

Yes, as I said, that would not be enough for your use-case. But it will
allow a SASL mechanism to be specified via a config. In theory, you could
extend that to allow user classes to implement SASL mechanisms. Anyway, I
am not suggesting that this is better than having pluggable ChannelBuilder
implementations, just that it's an alternative (which was your question :)).

> I will write a KIP to open the discussion.
>

OK.

> p.s. Ismael, can you grant me the permission to create a KIP in Kafka
> space?
>

I don't have the permissions to do it, sorry. Guozhang has done it though.
:)

Ismael
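
Added example (not from this thread and not Kafka code): a minimal JDK SASL provider of the kind Ismael describes, registering a server-side mechanism that runs site-specific credential logic. The mechanism name `X-EXAMPLE-TOKEN`, the class names, the `example.expected.token` property, the `user\0token` wire format and the sample values are assumptions made for illustration; wiring it into Kafka is not shown, since the thread notes that needs changes in Kafka itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.security.auth.callback.CallbackHandler;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslException;
import javax.security.sasl.SaslServer;
import javax.security.sasl.SaslServerFactory;

public class CustomSaslProviderDemo {
    // Hypothetical mechanism name and property key, chosen for this example only.
    static final String MECHANISM = "X-EXAMPLE-TOKEN";
    static final String TOKEN_PROP = "example.expected.token";

    /** Security provider that maps the mechanism name to the factory class. */
    public static final class ExampleProvider extends Provider {
        public ExampleProvider() {
            // This constructor is the Java 8 form; newer JDKs flag it as deprecated.
            super("ExampleSasl", 1.0, "Constructed example SASL provider");
            put("SaslServerFactory." + MECHANISM, ExampleServerFactory.class.getName());
        }
    }

    /** Instantiated reflectively by javax.security.sasl.Sasl, so it must be public. */
    public static final class ExampleServerFactory implements SaslServerFactory {
        @Override
        public SaslServer createSaslServer(String mechanism, String protocol, String serverName,
                Map<String, ?> props, CallbackHandler cbh) throws SaslException {
            if (!MECHANISM.equals(mechanism)) return null;
            Object expected = props == null ? null : props.get(TOKEN_PROP);
            if (!(expected instanceof String)) throw new SaslException("no token configured");
            return new TokenServer(((String) expected).getBytes(StandardCharsets.UTF_8));
        }
        @Override public String[] getMechanismNames(Map<String, ?> props) { return new String[] {MECHANISM}; }
    }

    /** Single round trip: the client sends user, a NUL byte, then the token (constructed format). */
    static final class TokenServer implements SaslServer {
        private final byte[] expected;
        private String user; // non-null only after a successful exchange

        TokenServer(byte[] expected) { this.expected = expected; }

        @Override
        public byte[] evaluateResponse(byte[] response) throws SaslException {
            if (user != null) throw new SaslException("exchange already complete");
            int sep = 0;
            while (sep < response.length && response[sep] != 0) sep++;
            if (sep == 0 || sep == response.length) throw new SaslException("malformed response");
            byte[] token = Arrays.copyOfRange(response, sep + 1, response.length);
            // Stand-in for the site-specific check; isEqual avoids an early-exit comparison.
            if (!MessageDigest.isEqual(token, expected)) throw new SaslException("authentication failed");
            user = new String(response, 0, sep, StandardCharsets.UTF_8);
            return null; // success, no further challenge
        }

        @Override public String getMechanismName() { return MECHANISM; }
        @Override public boolean isComplete() { return user != null; }
        @Override public String getAuthorizationID() {
            if (user == null) throw new IllegalStateException("not authenticated");
            return user;
        }
        @Override public Object getNegotiatedProperty(String name) { return Sasl.QOP.equals(name) ? "auth" : null; }
        @Override public byte[] wrap(byte[] b, int off, int len) { throw new IllegalStateException("no security layer"); }
        @Override public byte[] unwrap(byte[] b, int off, int len) { throw new IllegalStateException("no security layer"); }
        @Override public void dispose() { Arrays.fill(expected, (byte) 0); }
    }

    public static void main(String[] args) throws Exception {
        Security.addProvider(new ExampleProvider());
        Map<String, String> props = Collections.singletonMap(TOKEN_PROP, "constructed-token");
        // Constructed client responses: one valid, one with a wrong token.
        for (String msg : new String[] {"alice\0constructed-token", "alice\0wrong"}) {
            SaslServer server = Sasl.createSaslServer(MECHANISM, "kafka", "broker.example", props, null);
            try {
                server.evaluateResponse(msg.getBytes(StandardCharsets.UTF_8));
                System.out.println("authenticated as " + server.getAuthorizationID());
            } catch (SaslException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

A production mechanism would look credentials up through the `CallbackHandler` passed to the factory rather than through a property, and would run only over an encrypted transport because the token crosses the wire as-is.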

Re: Support customized security protocol

Posted by tao xiao <xi...@gmail.com>.
The PR provides a new SASL mech but it doesn't provide a pluggable way to
implement user's own logic to do authentication. So I don't think the PR
will meet my need.

I will write a KIP to open the discussion.

p.s. Ismael, can you grant me the permission to create a KIP in Kafka space?


On Wed, 20 Jan 2016 at 10:08 Ismael Juma <is...@juma.me.uk> wrote:

> Hi Tao,
>
> The other way would be to implement a SASL provider:
>
>
> https://docs.oracle.com/javase/8/docs/technotes/guides/security/sasl/sasl-refguide.html#PROV
>
> This would still require Kafka to be changed, some of the changes are in
> the following PR:
>
> https://github.com/apache/kafka/pull/341
>
> As per the discussion in the PR above, a KIP is also required.
>
> Ismael

Re: Support customized security protocol

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Tao,

The other way would be to implement a SASL provider:

https://docs.oracle.com/javase/8/docs/technotes/guides/security/sasl/sasl-refguide.html#PROV

This would still require Kafka to be changed, some of the changes are in
the following PR:

https://github.com/apache/kafka/pull/341

As per the discussion in the PR above, a KIP is also required.

Ismael

On Wed, Jan 20, 2016 at 1:48 AM, tao xiao <xi...@gmail.com> wrote:

> Hi Ismael,
>
> BTW looks like I don't have the permission to add a KIP in Kafka space. Can
> you please grant me the permission?

Re: Support customized security protocol

Posted by tao xiao <xi...@gmail.com>.
Hi Ismael,

BTW looks like I don't have the permission to add a KIP in Kafka space. Can
you please grant me the permission?

On Wed, 20 Jan 2016 at 09:40 tao xiao <xi...@gmail.com> wrote:

> Hi Ismael,
>
> Thank you for your reply. I am happy to have a writeup on this.
>
> Can you think of any other ways to make security protocol pluggable
> instead of extending ChannelBuilder?

Re: Support customized security protocol

Posted by tao xiao <xi...@gmail.com>.
Hi Ismael,

Thank you for your reply. I am happy to have a writeup on this.

Can you think of any other ways to make security protocol pluggable instead
of extending ChannelBuilder?

On Wed, 20 Jan 2016 at 02:14 Ismael Juma <is...@juma.me.uk> wrote:

> Hi Tao,
>
> As you say, security protocols are not currently pluggable.
> `ChannelBuilder` is already an interface, but `SecurityProtocol` is an
> enum, which makes it hard for users to add additional security protocols.
> Changing this would probably require a KIP:
>
>
> https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals
>
> Ismael

Re: Support customized security protocol

Posted by Ismael Juma <is...@juma.me.uk>.
Hi Tao,

As you say, security protocols are not currently pluggable.
`ChannelBuilder` is already an interface, but `SecurityProtocol` is an
enum, which makes it hard for users to add additional security protocols.
Changing this would probably require a KIP:

https://cwiki.apache.org/confluence/display/KAFKA/Kafka+Improvement+Proposals

Ismael

On Mon, Jan 18, 2016 at 3:15 AM, tao xiao <xi...@gmail.com> wrote:

> Hi Kafka team,
>
> I want to know if I can plug-in my own security protocol to Kafka to
> implement project specific authentication mechanism. The current supported
> authentication protocols, SASL/GSSAPI and SSL, are not supported in my
> company and we have own security protocol to do authentication.
>
> Is it a good idea to make ChannelBuilder extensible so that I can implement
> it with my own security channel?
>