You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by Ismael Juma <is...@juma.me.uk> on 2016/04/01 23:58:48 UTC
Re: [VOTE] KIP-43: Kafka SASL enhancements
Since the KIP changed since my last vote, +1 (non-binding).
Rajini, do you want to wrap up the vote? It seems like we have 3 binding
+1s (Harsha, Gwen and Jun).
Ismael
On Tue, Mar 29, 2016 at 3:22 PM, Jun Rao <ju...@confluent.io> wrote:
> Rajini,
>
> Thanks for the update. +1 on the proposal.
>
> Jun
>
> On Tue, Mar 29, 2016 at 3:32 AM, Rajini Sivaram <
> rajinisivaram@googlemail.com> wrote:
>
> > Jun,
> >
> > Thank you for reviewing the KIP. Answers below:
> >
> > 1. Yes, broker can specify *sasl.mechanism. *It is used for all
> client-mode
> > connections including that in inter-broker communication.
> >
> > 2. If *sasl.enabled.mechanisms* is not specified, the default value of
> > {'GSSAPI'} is used. If it is specified, only the protocols specified are
> > enabled. This enables brokers to be run with SASL without enabling GSSAPI
> > (as we do). Since GSSAPI requires complex Kerberos set up, it is useful
> to
> > have the ability to turn it off.
> >
> > 3. For the default SASL/PLAIN implementation included in Kafka, username
> > (authentication ID) is returned as principal.
> >
> > I will update the KIP to clarify these points.
> >
> > Thanks,
> >
> > Rajini
> >
> >
> > On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <ju...@confluent.io> wrote:
> >
> > > Hi, Rajini,
> > >
> > > Sorry for the late response. The revised KIP looks good overall. Just a
> > few
> > > minor comments below.
> > >
> > > 1. Since the broker can also act as a client too (for inter broker
> > > communication), sasl.mechanism can also be specified in the broker
> > > configuration, right?
> > > 2. Since we enable GSSAPI by default, is it true that one only needs to
> > > specify non-GSSAPI mechanisms in sasl.enabled.mechanisms?
> > > 3. For SASL/PLAIN, could we describe what the Principal will
> > > Authenticator.principal()
> > > return?
> > >
> > > I will also take a look at the patch. However, since we are getting
> > pretty
> > > close to 0.10.0.0 release, I think we likely will have to leave this
> out
> > of
> > > 0.10.0.0.
> > >
> > > Thanks,
> > >
> > > Jun
> > >
> > > On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <gw...@confluent.io>
> wrote:
> > >
> > > > I'm afraid it will be a challenge.
> > > >
> > > > I see few options:
> > > > 1. Jun should be back in the office tomorrow. If he votes +1 and
> agrees
> > > > that the PR is ready to merge and is safe and important enough to
> > > > double-commit - this could get in yet.
> > > > 2. Same as above, but not in time for the Monday release candidate.
> In
> > > this
> > > > case, we can get it into 0.10.0.0 if we find other blockers and need
> to
> > > > roll-out another RC.
> > > > 3. (most likely) We will finish the vote and review but not in time
> for
> > > > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3 month,
> and
> > > > we'll get it in there. You'll be in good company with KIP-35, KIP-4,
> > > KIP-48
> > > > and few other things that are close to done, are super critical but
> are
> > > > just not ready in time. Thats why we are trying to release more
> often.
> > > >
> > > > Gwen
> > > >
> > > > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram <
> > > > rajinisivaram@googlemail.com> wrote:
> > > >
> > > > > Gwen,
> > > > >
> > > > > Ah, I clearly don't know the rules. So it looks like it would not
> > > really
> > > > be
> > > > > possible to get this into 0.10.0.0 after all.
> > > > >
> > > > > Rajini
> > > > >
> > > > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira <gw...@confluent.io>
> > > wrote:
> > > > >
> > > > > > Rajini,
> > > > > >
> > > > > > I think the vote didn't pass yet?
> > > > > > If I can see correctly, Harsha and I are the only committers who
> > > voted,
> > > > > so
> > > > > > we are missing a 3rd vote.
> > > > > >
> > > > > > Gwen
> > > > > >
> > > > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram <
> > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > >
> > > > > > > Gwen,
> > > > > > >
> > > > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR
> > review.
> > > If
> > > > > any
> > > > > > > of them has time for reviewing the PR, I will update the PR
> over
> > > the
> > > > > > > weekend. If you can suggest any other reviewers, I can ping
> them
> > > too.
> > > > > > >
> > > > > > > Many thanks.
> > > > > > >
> > > > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira <
> gwen@confluent.io
> > >
> > > > > wrote:
> > > > > > >
> > > > > > > > This can be discussed in the review.
> > > > > > > > If there's good test coverage, is low risk and passes review
> > and
> > > > gets
> > > > > > > > merged before Monday morning...
> > > > > > > >
> > > > > > > > We won't be doing an extra release candidate just for this
> > > though.
> > > > > > > >
> > > > > > > > Gwen
> > > > > > > >
> > > > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram <
> > > > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > > > >
> > > > > > > > > Gwen,
> > > > > > > > >
> > > > > > > > > Is it still possible to include this in 0.10.0.0?
> > > > > > > > >
> > > > > > > > > Thanks,
> > > > > > > > >
> > > > > > > > > Rajini
> > > > > > > > >
> > > > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira <
> > > > gwen@confluent.io>
> > > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > Sorry! Got distracted by the impending release!
> > > > > > > > > >
> > > > > > > > > > +1 on the current revision of the KIP.
> > > > > > > > > >
> > > > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha <kafka@harsha.io
> >
> > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Any update on this. Gwen since the KIP is adjusted to
> > > address
> > > > > the
> > > > > > > > > > > pluggable classes we should make a move on this.
> > > > > > > > > > >
> > > > > > > > > > > Rajini,
> > > > > > > > > > > Can you restart the voting thread.
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > > Harsha
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram
> wrote:
> > > > > > > > > > > > As discussed in the KIP meeting yesterday, the scope
> of
> > > > > KIP-43
> > > > > > > has
> > > > > > > > > been
> > > > > > > > > > > > reduced so that it can be integrated into 0.10.0.0.
> The
> > > > > updated
> > > > > > > KIP
> > > > > > > > > is
> > > > > > > > > > > > here:
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements
> > > > > > > > > > > > .
> > > > > > > > > > > >
> > > > > > > > > > > > Can we continue the vote on the updated KIP?
> > > > > > > > > > > >
> > > > > > > > > > > > Thank you,
> > > > > > > > > > > >
> > > > > > > > > > > > Rajini
> > > > > > > > > > > >
> > > > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira <
> > > > > > gwen@confluent.io
> > > > > > > >
> > > > > > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Harsha,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Since you are clearly in favor of the KIP, do you
> > mind
> > > > > > jumping
> > > > > > > > into
> > > > > > > > > > > > > the discussion thread and help me understand the
> > > decision
> > > > > > > behind
> > > > > > > > > the
> > > > > > > > > > > > > configuration parameters only allowing a single
> Login
> > > and
> > > > > > > > > > > > > CallbackHandler class? This seems too limiting to
> me,
> > > and
> > > > > > while
> > > > > > > > > > Rajini
> > > > > > > > > > > > > is trying hard to convince me otherwise, I remain
> > > > doubtful.
> > > > > > > > Perhaps
> > > > > > > > > > > > > (since we have similar experience with Hadoop), you
> > can
> > > > > help
> > > > > > me
> > > > > > > > see
> > > > > > > > > > > > > what I am missing.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Gwen
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha <
> > > kafka@harsha.io
> > > > >
> > > > > > > wrote:
> > > > > > > > > > > > > > +1 (binding)
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao wrote:
> > > > > > > > > > > > > >> +1 (non-binding)
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew Schofield <
> > > > > > > > > > > > > >> andrew_schofield_jira@outlook.com> wrote:
> > > > > > > > > > > > > >>
> > > > > > > > > > > > > >> > +1 (non-binding)
> > > > > > > > > > > > > >> >
> > > > > > > > > > > > > >> > ----------------------------------------
> > > > > > > > > > > > > >> > > From: ismael@juma.me.uk
> > > > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000
> > > > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL
> > > > enhancements
> > > > > > > > > > > > > >> > > To: dev@kafka.apache.org
> > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > >> > > +1 (non-binding)
> > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini
> > Sivaram
> > > <
> > > > > > > > > > > > > >> > > rajinisivaram@googlemail.com> wrote:
> > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > >> > >> I would like to start the voting process
> for
> > > > > *KIP-43:
> > > > > > > > Kafka
> > > > > > > > > > > SASL
> > > > > > > > > > > > > >> > >> enhancements*. This KIP extends the SASL
> > > > > > implementation
> > > > > > > > in
> > > > > > > > > > > Kafka to
> > > > > > > > > > > > > >> > support
> > > > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to be
> > > > > integrated
> > > > > > > with
> > > > > > > > > > > different
> > > > > > > > > > > > > >> > >> authentication servers.
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >> The KIP is available here for reference:
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> >
> > > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >> And here's is a link to the discussion on
> the
> > > > > mailing
> > > > > > > > list:
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> >
> > > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >> Thank you...
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >> Regards,
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> > >> Rajini
> > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > >> >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > Regards,
> > > > > > > > > > > >
> > > > > > > > > > > > Rajini
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Rajini
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > >
> > > > > > > Rajini
> > > > > > >
> > > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Regards,
> > > > >
> > > > > Rajini
> > > > >
> > > >
> > >
> >
> >
> >
> > --
> > Regards,
> >
> > Rajini
> >
>
Re: [VOTE] KIP-43: Kafka SASL enhancements
Posted by Rajini Sivaram <ra...@googlemail.com>.
Hi all,
The updated KIP-43 passes with 3 binding +1s (Harsha, Gwen and Jun) and 3
non-binding +1s. Many thanks to everyone for the feedback.
The initial PR is available at https://github.com/apache/kafka/pull/812.
Feedback is appreciated.
Thank you,
Rajini
On Fri, Apr 1, 2016 at 11:09 PM, Grant Henke <gh...@cloudera.com> wrote:
> +1 (non-binding)
>
> Might as well throw this in. Didn't realize I hadn't voted.
>
> On Fri, Apr 1, 2016 at 4:58 PM, Ismael Juma <is...@juma.me.uk> wrote:
>
> > Since the KIP changed since my last vote, +1 (non-binding).
> >
> > Rajini, do you want to wrap up the vote? It seems like we have 3 binding
> > +1s (Harsha, Gwen and Jun).
> >
> > Ismael
> >
> > On Tue, Mar 29, 2016 at 3:22 PM, Jun Rao <ju...@confluent.io> wrote:
> >
> > > Rajini,
> > >
> > > Thanks for the update. +1 on the proposal.
> > >
> > > Jun
> > >
> > > On Tue, Mar 29, 2016 at 3:32 AM, Rajini Sivaram <
> > > rajinisivaram@googlemail.com> wrote:
> > >
> > > > Jun,
> > > >
> > > > Thank you for reviewing the KIP. Answers below:
> > > >
> > > > 1. Yes, broker can specify *sasl.mechanism. *It is used for all
> > > client-mode
> > > > connections including that in inter-broker communication.
> > > >
> > > > 2. If *sasl.enabled.mechanisms* is not specified, the default value
> of
> > > > {'GSSAPI'} is used. If it is specified, only the protocols specified
> > are
> > > > enabled. This enables brokers to be run with SASL without enabling
> > GSSAPI
> > > > (as we do). Since GSSAPI requires complex Kerberos set up, it is
> useful
> > > to
> > > > have the ability to turn it off.
> > > >
> > > > 3. For the default SASL/PLAIN implementation included in Kafka,
> > username
> > > > (authentication ID) is returned as principal.
> > > >
> > > > I will update the KIP to clarify these points.
> > > >
> > > > Thanks,
> > > >
> > > > Rajini
> > > >
> > > >
> > > > On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <ju...@confluent.io> wrote:
> > > >
> > > > > Hi, Rajini,
> > > > >
> > > > > Sorry for the late response. The revised KIP looks good overall.
> > Just a
> > > > few
> > > > > minor comments below.
> > > > >
> > > > > 1. Since the broker can also act as a client too (for inter broker
> > > > > communication), sasl.mechanism can also be specified in the broker
> > > > > configuration, right?
> > > > > 2. Since we enable GSSAPI by default, is it true that one only
> needs
> > to
> > > > > specify non-GSSAPI mechanisms in sasl.enabled.mechanisms?
> > > > > 3. For SASL/PLAIN, could we describe what the Principal will
> > > > > Authenticator.principal()
> > > > > return?
> > > > >
> > > > > I will also take a look at the patch. However, since we are getting
> > > > pretty
> > > > > close to 0.10.0.0 release, I think we likely will have to leave
> this
> > > out
> > > > of
> > > > > 0.10.0.0.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Jun
> > > > >
> > > > > On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <gw...@confluent.io>
> > > wrote:
> > > > >
> > > > > > I'm afraid it will be a challenge.
> > > > > >
> > > > > > I see few options:
> > > > > > 1. Jun should be back in the office tomorrow. If he votes +1 and
> > > agrees
> > > > > > that the PR is ready to merge and is safe and important enough to
> > > > > > double-commit - this could get in yet.
> > > > > > 2. Same as above, but not in time for the Monday release
> candidate.
> > > In
> > > > > this
> > > > > > case, we can get it into 0.10.0.0 if we find other blockers and
> > need
> > > to
> > > > > > roll-out another RC.
> > > > > > 3. (most likely) We will finish the vote and review but not in
> time
> > > for
> > > > > > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3
> month,
> > > and
> > > > > > we'll get it in there. You'll be in good company with KIP-35,
> > KIP-4,
> > > > > KIP-48
> > > > > > and few other things that are close to done, are super critical
> but
> > > are
> > > > > > just not ready in time. Thats why we are trying to release more
> > > often.
> > > > > >
> > > > > > Gwen
> > > > > >
> > > > > > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram <
> > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > >
> > > > > > > Gwen,
> > > > > > >
> > > > > > > Ah, I clearly don't know the rules. So it looks like it would
> not
> > > > > really
> > > > > > be
> > > > > > > possible to get this into 0.10.0.0 after all.
> > > > > > >
> > > > > > > Rajini
> > > > > > >
> > > > > > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira <
> gwen@confluent.io
> > >
> > > > > wrote:
> > > > > > >
> > > > > > > > Rajini,
> > > > > > > >
> > > > > > > > I think the vote didn't pass yet?
> > > > > > > > If I can see correctly, Harsha and I are the only committers
> > who
> > > > > voted,
> > > > > > > so
> > > > > > > > we are missing a 3rd vote.
> > > > > > > >
> > > > > > > > Gwen
> > > > > > > >
> > > > > > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram <
> > > > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > > > >
> > > > > > > > > Gwen,
> > > > > > > > >
> > > > > > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR
> > > > review.
> > > > > If
> > > > > > > any
> > > > > > > > > of them has time for reviewing the PR, I will update the PR
> > > over
> > > > > the
> > > > > > > > > weekend. If you can suggest any other reviewers, I can ping
> > > them
> > > > > too.
> > > > > > > > >
> > > > > > > > > Many thanks.
> > > > > > > > >
> > > > > > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira <
> > > gwen@confluent.io
> > > > >
> > > > > > > wrote:
> > > > > > > > >
> > > > > > > > > > This can be discussed in the review.
> > > > > > > > > > If there's good test coverage, is low risk and passes
> > review
> > > > and
> > > > > > gets
> > > > > > > > > > merged before Monday morning...
> > > > > > > > > >
> > > > > > > > > > We won't be doing an extra release candidate just for
> this
> > > > > though.
> > > > > > > > > >
> > > > > > > > > > Gwen
> > > > > > > > > >
> > > > > > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram <
> > > > > > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > > Gwen,
> > > > > > > > > > >
> > > > > > > > > > > Is it still possible to include this in 0.10.0.0?
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > >
> > > > > > > > > > > Rajini
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira <
> > > > > > gwen@confluent.io>
> > > > > > > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Sorry! Got distracted by the impending release!
> > > > > > > > > > > >
> > > > > > > > > > > > +1 on the current revision of the KIP.
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha <
> > kafka@harsha.io
> > > >
> > > > > > wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > > Any update on this. Gwen since the KIP is adjusted
> to
> > > > > address
> > > > > > > the
> > > > > > > > > > > > > pluggable classes we should make a move on this.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Rajini,
> > > > > > > > > > > > > Can you restart the voting thread.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thanks,
> > > > > > > > > > > > > Harsha
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram
> > > wrote:
> > > > > > > > > > > > > > As discussed in the KIP meeting yesterday, the
> > scope
> > > of
> > > > > > > KIP-43
> > > > > > > > > has
> > > > > > > > > > > been
> > > > > > > > > > > > > > reduced so that it can be integrated into
> 0.10.0.0.
> > > The
> > > > > > > updated
> > > > > > > > > KIP
> > > > > > > > > > > is
> > > > > > > > > > > > > > here:
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements
> > > > > > > > > > > > > > .
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Can we continue the vote on the updated KIP?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Thank you,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Rajini
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira <
> > > > > > > > gwen@confluent.io
> > > > > > > > > >
> > > > > > > > > > > > wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Harsha,
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Since you are clearly in favor of the KIP, do
> you
> > > > mind
> > > > > > > > jumping
> > > > > > > > > > into
> > > > > > > > > > > > > > > the discussion thread and help me understand
> the
> > > > > decision
> > > > > > > > > behind
> > > > > > > > > > > the
> > > > > > > > > > > > > > > configuration parameters only allowing a single
> > > Login
> > > > > and
> > > > > > > > > > > > > > > CallbackHandler class? This seems too limiting
> to
> > > me,
> > > > > and
> > > > > > > > while
> > > > > > > > > > > > Rajini
> > > > > > > > > > > > > > > is trying hard to convince me otherwise, I
> remain
> > > > > > doubtful.
> > > > > > > > > > Perhaps
> > > > > > > > > > > > > > > (since we have similar experience with Hadoop),
> > you
> > > > can
> > > > > > > help
> > > > > > > > me
> > > > > > > > > > see
> > > > > > > > > > > > > > > what I am missing.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Gwen
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha <
> > > > > kafka@harsha.io
> > > > > > >
> > > > > > > > > wrote:
> > > > > > > > > > > > > > > > +1 (binding)
> > > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao
> > wrote:
> > > > > > > > > > > > > > > >> +1 (non-binding)
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew
> Schofield <
> > > > > > > > > > > > > > > >> andrew_schofield_jira@outlook.com> wrote:
> > > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > > >> > +1 (non-binding)
> > > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > > > >> > ----------------------------------------
> > > > > > > > > > > > > > > >> > > From: ismael@juma.me.uk
> > > > > > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000
> > > > > > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL
> > > > > > enhancements
> > > > > > > > > > > > > > > >> > > To: dev@kafka.apache.org
> > > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > > >> > > +1 (non-binding)
> > > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini
> > > > Sivaram
> > > > > <
> > > > > > > > > > > > > > > >> > > rajinisivaram@googlemail.com> wrote:
> > > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > > >> > >> I would like to start the voting
> process
> > > for
> > > > > > > *KIP-43:
> > > > > > > > > > Kafka
> > > > > > > > > > > > > SASL
> > > > > > > > > > > > > > > >> > >> enhancements*. This KIP extends the
> SASL
> > > > > > > > implementation
> > > > > > > > > > in
> > > > > > > > > > > > > Kafka to
> > > > > > > > > > > > > > > >> > support
> > > > > > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to
> be
> > > > > > > integrated
> > > > > > > > > with
> > > > > > > > > > > > > different
> > > > > > > > > > > > > > > >> > >> authentication servers.
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >> The KIP is available here for
> reference:
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >> And here's is a link to the discussion
> on
> > > the
> > > > > > > mailing
> > > > > > > > > > list:
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >> Thank you...
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >> Regards,
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> > >> Rajini
> > > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > --
> > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Rajini
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > Regards,
> > > > > > > > > > >
> > > > > > > > > > > Rajini
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > Regards,
> > > > > > > > >
> > > > > > > > > Rajini
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > Regards,
> > > > > > >
> > > > > > > Rajini
> > > > > > >
> > > > > >
> > > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Regards,
> > > >
> > > > Rajini
> > > >
> > >
> >
>
>
>
> --
> Grant Henke
> Software Engineer | Cloudera
> grant@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke
>
--
Regards,
Rajini
Re: [VOTE] KIP-43: Kafka SASL enhancements
Posted by Grant Henke <gh...@cloudera.com>.
+1 (non-binding)
Might as well throw this in. Didn't realize I hadn't voted.
On Fri, Apr 1, 2016 at 4:58 PM, Ismael Juma <is...@juma.me.uk> wrote:
> Since the KIP changed since my last vote, +1 (non-binding).
>
> Rajini, do you want to wrap up the vote? It seems like we have 3 binding
> +1s (Harsha, Gwen and Jun).
>
> Ismael
>
> On Tue, Mar 29, 2016 at 3:22 PM, Jun Rao <ju...@confluent.io> wrote:
>
> > Rajini,
> >
> > Thanks for the update. +1 on the proposal.
> >
> > Jun
> >
> > On Tue, Mar 29, 2016 at 3:32 AM, Rajini Sivaram <
> > rajinisivaram@googlemail.com> wrote:
> >
> > > Jun,
> > >
> > > Thank you for reviewing the KIP. Answers below:
> > >
> > > 1. Yes, broker can specify *sasl.mechanism. *It is used for all
> > client-mode
> > > connections including that in inter-broker communication.
> > >
> > > 2. If *sasl.enabled.mechanisms* is not specified, the default value of
> > > {'GSSAPI'} is used. If it is specified, only the protocols specified
> are
> > > enabled. This enables brokers to be run with SASL without enabling
> GSSAPI
> > > (as we do). Since GSSAPI requires complex Kerberos set up, it is useful
> > to
> > > have the ability to turn it off.
> > >
> > > 3. For the default SASL/PLAIN implementation included in Kafka,
> username
> > > (authentication ID) is returned as principal.
> > >
> > > I will update the KIP to clarify these points.
> > >
> > > Thanks,
> > >
> > > Rajini
> > >
> > >
> > > On Mon, Mar 28, 2016 at 6:17 PM, Jun Rao <ju...@confluent.io> wrote:
> > >
> > > > Hi, Rajini,
> > > >
> > > > Sorry for the late response. The revised KIP looks good overall.
> Just a
> > > few
> > > > minor comments below.
> > > >
> > > > 1. Since the broker can also act as a client too (for inter broker
> > > > communication), sasl.mechanism can also be specified in the broker
> > > > configuration, right?
> > > > 2. Since we enable GSSAPI by default, is it true that one only needs
> to
> > > > specify non-GSSAPI mechanisms in sasl.enabled.mechanisms?
> > > > 3. For SASL/PLAIN, could we describe what the Principal will
> > > > Authenticator.principal()
> > > > return?
> > > >
> > > > I will also take a look at the patch. However, since we are getting
> > > pretty
> > > > close to 0.10.0.0 release, I think we likely will have to leave this
> > out
> > > of
> > > > 0.10.0.0.
> > > >
> > > > Thanks,
> > > >
> > > > Jun
> > > >
> > > > On Thu, Mar 24, 2016 at 2:21 PM, Gwen Shapira <gw...@confluent.io>
> > wrote:
> > > >
> > > > > I'm afraid it will be a challenge.
> > > > >
> > > > > I see few options:
> > > > > 1. Jun should be back in the office tomorrow. If he votes +1 and
> > agrees
> > > > > that the PR is ready to merge and is safe and important enough to
> > > > > double-commit - this could get in yet.
> > > > > 2. Same as above, but not in time for the Monday release candidate.
> > In
> > > > this
> > > > > case, we can get it into 0.10.0.0 if we find other blockers and
> need
> > to
> > > > > roll-out another RC.
> > > > > 3. (most likely) We will finish the vote and review but not in time
> > for
> > > > > 0.10.0.0. In this case, 0.10.1.0.0 should be out in around 3 month,
> > and
> > > > > we'll get it in there. You'll be in good company with KIP-35,
> KIP-4,
> > > > KIP-48
> > > > > and few other things that are close to done, are super critical but
> > are
> > > > > just not ready in time. Thats why we are trying to release more
> > often.
> > > > >
> > > > > Gwen
> > > > >
> > > > > On Thu, Mar 24, 2016 at 2:08 PM, Rajini Sivaram <
> > > > > rajinisivaram@googlemail.com> wrote:
> > > > >
> > > > > > Gwen,
> > > > > >
> > > > > > Ah, I clearly don't know the rules. So it looks like it would not
> > > > really
> > > > > be
> > > > > > possible to get this into 0.10.0.0 after all.
> > > > > >
> > > > > > Rajini
> > > > > >
> > > > > > On Thu, Mar 24, 2016 at 8:38 PM, Gwen Shapira <gwen@confluent.io
> >
> > > > wrote:
> > > > > >
> > > > > > > Rajini,
> > > > > > >
> > > > > > > I think the vote didn't pass yet?
> > > > > > > If I can see correctly, Harsha and I are the only committers
> who
> > > > voted,
> > > > > > so
> > > > > > > we are missing a 3rd vote.
> > > > > > >
> > > > > > > Gwen
> > > > > > >
> > > > > > > On Thu, Mar 24, 2016 at 11:24 AM, Rajini Sivaram <
> > > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > > >
> > > > > > > > Gwen,
> > > > > > > >
> > > > > > > > Thank you. I have pinged Ismael, Harsha and Jun Rao for PR
> > > review.
> > > > If
> > > > > > any
> > > > > > > > of them has time for reviewing the PR, I will update the PR
> > over
> > > > the
> > > > > > > > weekend. If you can suggest any other reviewers, I can ping
> > them
> > > > too.
> > > > > > > >
> > > > > > > > Many thanks.
> > > > > > > >
> > > > > > > > On Thu, Mar 24, 2016 at 5:03 PM, Gwen Shapira <
> > gwen@confluent.io
> > > >
> > > > > > wrote:
> > > > > > > >
> > > > > > > > > This can be discussed in the review.
> > > > > > > > > If there's good test coverage, is low risk and passes
> review
> > > and
> > > > > gets
> > > > > > > > > merged before Monday morning...
> > > > > > > > >
> > > > > > > > > We won't be doing an extra release candidate just for this
> > > > though.
> > > > > > > > >
> > > > > > > > > Gwen
> > > > > > > > >
> > > > > > > > > On Thu, Mar 24, 2016 at 1:21 AM, Rajini Sivaram <
> > > > > > > > > rajinisivaram@googlemail.com> wrote:
> > > > > > > > >
> > > > > > > > > > Gwen,
> > > > > > > > > >
> > > > > > > > > > Is it still possible to include this in 0.10.0.0?
> > > > > > > > > >
> > > > > > > > > > Thanks,
> > > > > > > > > >
> > > > > > > > > > Rajini
> > > > > > > > > >
> > > > > > > > > > On Wed, Mar 23, 2016 at 11:08 PM, Gwen Shapira <
> > > > > gwen@confluent.io>
> > > > > > > > > wrote:
> > > > > > > > > >
> > > > > > > > > > > Sorry! Got distracted by the impending release!
> > > > > > > > > > >
> > > > > > > > > > > +1 on the current revision of the KIP.
> > > > > > > > > > >
> > > > > > > > > > > On Wed, Mar 23, 2016 at 3:33 PM, Harsha <
> kafka@harsha.io
> > >
> > > > > wrote:
> > > > > > > > > > >
> > > > > > > > > > > > Any update on this. Gwen since the KIP is adjusted to
> > > > address
> > > > > > the
> > > > > > > > > > > > pluggable classes we should make a move on this.
> > > > > > > > > > > >
> > > > > > > > > > > > Rajini,
> > > > > > > > > > > > Can you restart the voting thread.
> > > > > > > > > > > >
> > > > > > > > > > > > Thanks,
> > > > > > > > > > > > Harsha
> > > > > > > > > > > >
> > > > > > > > > > > > On Wed, Mar 16, 2016, at 06:42 AM, Rajini Sivaram
> > wrote:
> > > > > > > > > > > > > As discussed in the KIP meeting yesterday, the
> scope
> > of
> > > > > > KIP-43
> > > > > > > > has
> > > > > > > > > > been
> > > > > > > > > > > > > reduced so that it can be integrated into 0.10.0.0.
> > The
> > > > > > updated
> > > > > > > > KIP
> > > > > > > > > > is
> > > > > > > > > > > > > here:
> > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43%3A+Kafka+SASL+enhancements
> > > > > > > > > > > > > .
> > > > > > > > > > > > >
> > > > > > > > > > > > > Can we continue the vote on the updated KIP?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Thank you,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Rajini
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Thu, Mar 10, 2016 at 2:09 AM, Gwen Shapira <
> > > > > > > gwen@confluent.io
> > > > > > > > >
> > > > > > > > > > > wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > > Harsha,
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Since you are clearly in favor of the KIP, do you
> > > mind
> > > > > > > jumping
> > > > > > > > > into
> > > > > > > > > > > > > > the discussion thread and help me understand the
> > > > decision
> > > > > > > > behind
> > > > > > > > > > the
> > > > > > > > > > > > > > configuration parameters only allowing a single
> > Login
> > > > and
> > > > > > > > > > > > > > CallbackHandler class? This seems too limiting to
> > me,
> > > > and
> > > > > > > while
> > > > > > > > > > > Rajini
> > > > > > > > > > > > > > is trying hard to convince me otherwise, I remain
> > > > > doubtful.
> > > > > > > > > Perhaps
> > > > > > > > > > > > > > (since we have similar experience with Hadoop),
> you
> > > can
> > > > > > help
> > > > > > > me
> > > > > > > > > see
> > > > > > > > > > > > > > what I am missing.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Gwen
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Wed, Mar 9, 2016 at 12:02 PM, Harsha <
> > > > kafka@harsha.io
> > > > > >
> > > > > > > > wrote:
> > > > > > > > > > > > > > > +1 (binding)
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > On Tue, Mar 8, 2016, at 02:37 AM, tao xiao
> wrote:
> > > > > > > > > > > > > > >> +1 (non-binding)
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> On Tue, 8 Mar 2016 at 05:33 Andrew Schofield <
> > > > > > > > > > > > > > >> andrew_schofield_jira@outlook.com> wrote:
> > > > > > > > > > > > > > >>
> > > > > > > > > > > > > > >> > +1 (non-binding)
> > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > > >> > ----------------------------------------
> > > > > > > > > > > > > > >> > > From: ismael@juma.me.uk
> > > > > > > > > > > > > > >> > > Date: Mon, 7 Mar 2016 19:52:11 +0000
> > > > > > > > > > > > > > >> > > Subject: Re: [VOTE] KIP-43: Kafka SASL
> > > > > enhancements
> > > > > > > > > > > > > > >> > > To: dev@kafka.apache.org
> > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > >> > > +1 (non-binding)
> > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > >> > > On Thu, Mar 3, 2016 at 10:37 AM, Rajini
> > > Sivaram
> > > > <
> > > > > > > > > > > > > > >> > > rajinisivaram@googlemail.com> wrote:
> > > > > > > > > > > > > > >> > >
> > > > > > > > > > > > > > >> > >> I would like to start the voting process
> > for
> > > > > > *KIP-43:
> > > > > > > > > Kafka
> > > > > > > > > > > > SASL
> > > > > > > > > > > > > > >> > >> enhancements*. This KIP extends the SASL
> > > > > > > implementation
> > > > > > > > > in
> > > > > > > > > > > > Kafka to
> > > > > > > > > > > > > > >> > support
> > > > > > > > > > > > > > >> > >> new SASL mechanisms to enable Kafka to be
> > > > > > integrated
> > > > > > > > with
> > > > > > > > > > > > different
> > > > > > > > > > > > > > >> > >> authentication servers.
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >> The KIP is available here for reference:
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> https://cwiki.apache.org/confluence/display/KAFKA/KIP-43:+Kafka+SASL+enhancements
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >> And here's is a link to the discussion on
> > the
> > > > > > mailing
> > > > > > > > > list:
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > >
> > > > >
> > > >
> > >
> >
> http://mail-archives.apache.org/mod_mbox/kafka-dev/201601.mbox/%3CCAOJcB39b9Vy7%3DZEM3tLw2zarCS4A_s-%2BU%2BC%3DuEcWs0712UaYrQ%40mail.gmail.com%3E
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >> Thank you...
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >> Regards,
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> > >> Rajini
> > > > > > > > > > > > > > >> > >>
> > > > > > > > > > > > > > >> >
> > > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > Regards,
> > > > > > > > > > > > >
> > > > > > > > > > > > > Rajini
> > > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Regards,
> > > > > > > > > >
> > > > > > > > > > Rajini
> > > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > Regards,
> > > > > > > >
> > > > > > > > Rajini
> > > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Regards,
> > > > > >
> > > > > > Rajini
> > > > > >
> > > > >
> > > >
> > >
> > >
> > >
> > > --
> > > Regards,
> > >
> > > Rajini
> > >
> >
>
--
Grant Henke
Software Engineer | Cloudera
grant@cloudera.com | twitter.com/gchenke | linkedin.com/in/granthenke