Return-Path: X-Original-To: apmail-kafka-dev-archive@www.apache.org Delivered-To: apmail-kafka-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 8A8E010808 for ; Thu, 23 Jan 2014 19:08:17 +0000 (UTC) Received: (qmail 97025 invoked by uid 500); 23 Jan 2014 19:08:16 -0000 Delivered-To: apmail-kafka-dev-archive@kafka.apache.org Received: (qmail 96940 invoked by uid 500); 23 Jan 2014 19:08:16 -0000 Mailing-List: contact dev-help@kafka.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@kafka.apache.org Delivered-To: mailing list dev@kafka.apache.org Received: (qmail 96932 invoked by uid 99); 23 Jan 2014 19:08:16 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Jan 2014 19:08:16 +0000 X-ASF-Spam-Status: No, hits=1.7 required=5.0 tests=FREEMAIL_ENVFROM_END_DIGIT,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of brownjoe043@gmail.com designates 74.125.82.48 as permitted sender) Received: from [74.125.82.48] (HELO mail-wg0-f48.google.com) (74.125.82.48) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 23 Jan 2014 19:08:10 +0000 Received: by mail-wg0-f48.google.com with SMTP id x13so2011911wgg.27 for ; Thu, 23 Jan 2014 11:07:49 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:message-id:mime-version:subject:date:references :to:in-reply-to; bh=7zB+vUzmphiEFpEmrw218+BuAaPQcrdPBKI66vEsbBE=; b=T79VZfmUvVYZqotAYfSTNpoEsnilh32pPGexrjg4oThfeJnpUX9/sHz07CdliB/nhw kCJo0wvjtRn76JKSSratekzcLrFChNjHk83KxzN+sGcxJNcxgwCT3Irg9Wakd8XeEZFw 9QXsj0Kw8WaCD4toedEEvsVJ4CaM9CMDkATuGlRPBhv59/+NgxmHgkGRD+uqWz+/GuMb VgAYReBKv1cZwFamXgty9WkmKsadZmTdP63uJOWXud+5R+mF0yPu7G3WJPc7Dt+RnYix wZ9kAf4T6yAfxdq7q77g0qZuaO9yo6/3tYnMH26yGML360eSphEnL519x3cyBc50cj+G FxGQ== X-Received: by 10.180.182.199 with SMTP id eg7mr391964wic.13.1390504068929; Thu, 23 Jan 2014 11:07:48 -0800 (PST) Received: from [192.168.1.92] (host86-186-52-172.range86-186.btcentralplus.com. [86.186.52.172]) by mx.google.com with ESMTPSA id ey3sm1232461wib.4.2014.01.23.11.07.46 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Thu, 23 Jan 2014 11:07:47 -0800 (PST) From: Joe Brown Content-Type: multipart/alternative; boundary="Apple-Mail=_6D8D7AC3-A91A-4B02-B36D-746CD38FA056" Message-Id: Mime-Version: 1.0 (Mac OS X Mail 7.1 \(1827\)) Subject: Simple Auth and Auth Date: Thu, 23 Jan 2014 19:07:40 +0000 References: To: dev@kafka.apache.org In-Reply-To: X-Mailer: Apple Mail (2.1827) X-Virus-Checked: Checked by ClamAV on apache.org --Apple-Mail=_6D8D7AC3-A91A-4B02-B36D-746CD38FA056 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 Hi All I=92ve been looking at the wiki proposal to add Auth and Auth to kafka = https://cwiki.apache.org/confluence/display/KAFKA/Security=20 In the meantime I=92ve had a recent immediate requirement to implement = something similar - my solution is detailed below - fairly quick and = dirty but achieved the desired results. At the moment the code is = branched off the 0.8-beta - though to move to 0.8.0 is trivial - the = question is when will the = https://cwiki.apache.org/confluence/display/KAFKA/Security be looked at, = if this is a ways off then I could consider creating a patch and pull = request for my code. FYI my requirements were very specific - for example no encryption of = the data, changes minimised - easy to re-apply to future releases. Authentication Authentication is achieved by passing the client=92s public certificate = along with a message, signed by the client=92s private key, every time = the client opens a connection to a broker. The underlying Apache Kafka = BlockingChannel was altered to ensure the connection is only established = on a successful authentication response from the broker.=20 The broker, to authenticate the client, first verifies the client=92s = public certificate against the issuing CA certificate held in the broker = truststore. The broker then uses the verified client=92s certificate to = verify the signed message from the client. On authentication by the = broker the successful authentication response is sent to the client. The = client DN is then registered against the client connection as trusted by = the broker. - Use of standard java.security.* and java.security.cert.* classes were = used for Authentication Authorization Authorization is controlled by the file referenced by the property = =93auth.config.path=94 configured on the broker. On broker = initialization the file is read, changes to this file will be reloaded = at intervals defined by the =93auth.file.watch.seconds" property. Both Producer (produce) and Consumer (fetch) Requests are intercepted on = the broker to check whether the client connection is authenticated and = then whether the associated client DN has the permission to read (fetch) = or write (produce) from/to the given topic. - Uses simple json config file for authorization Thoughts please? Cheers Joe= --Apple-Mail=_6D8D7AC3-A91A-4B02-B36D-746CD38FA056--