kafka-jira mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Guozhang Wang (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KAFKA-3186) KIP-50: Move Authorizer and related classes to separate package.
Date Sat, 23 Sep 2017 04:49:06 GMT

     [ https://issues.apache.org/jira/browse/KAFKA-3186?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Guozhang Wang updated KAFKA-3186:

*Reminder to the contributor / reviewer of the PR*: please note that the code deadline for
1.0.0 is less than 2 weeks away (Oct. 4th). Please re-evaluate your JIRA and see if it still
makes sense to be merged into 1.0.0 or it could be pushed out to 1.1.0, or be closed directly
if the JIRA itself is not valid any more, or re-assign yourself as contributor / committer
if you are no longer working on the JIRA.

> KIP-50: Move Authorizer and related classes to separate package.
> ----------------------------------------------------------------
>                 Key: KAFKA-3186
>                 URL: https://issues.apache.org/jira/browse/KAFKA-3186
>             Project: Kafka
>          Issue Type: Improvement
>    Affects Versions:
>            Reporter: Ashish Singh
>            Assignee: Ashish Singh
>             Fix For: 1.0.0
> [KIP-50|https://cwiki.apache.org/confluence/display/KAFKA/KIP-50+-+Move+Authorizer+to+a+separate+package]
has more details.
> Kafka supports pluggable authorization. Third party authorizer implementations allow
existing authorization systems like, Apache Sentry, Apache Ranger, etc to extend authorization
to Kafka as well. Implementing Kafka's authorizer interface requires depending on kafka's
core, which is huge. This has been already raised as a concern by Sentry, Ranger and Kafka
community. Even Kafka clients require duplication of authorization related classes, like Resource,
Operation, etc, for adding ACLs CRUD APIs.
> Kafka authorizer is agnostic of principal types it supports, so are the acls CRUD methods
in Authorizer interface. The intent behind is to keep Kafka principal types pluggable, which
is really great. However, this leads to Acls CRUD methods not performing any check on validity
of acls, as they are not aware of what principal types Authorizer implementation supports.
This opens up space for lots of user errors, KAFKA-3097 is an instance.

This message was sent by Atlassian JIRA

View raw message