Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 0.10.1.0
    • Fix Version/s: None
    • Component/s: security
    • Labels:
      None

      Description

      Parent ticket for security. Wiki and discussion are here:
      https://cwiki.apache.org/confluence/display/KAFKA/Security

        Issue Links

        1. Implement a "session" concept in the socket server Sub-task Resolved Gwen Shapira
        2. Implement TLS/SSL authentication Sub-task Resolved Sriharsha Chintalapani
        3. Implement TLS/SSL tests Sub-task Resolved Sriharsha Chintalapani
        4. Implement SASL/Kerberos Sub-task Resolved Sriharsha Chintalapani
        5. SASL unit tests Sub-task Resolved sriharsha chintalapani
        6. Add authorization interface and naive implementation Sub-task Resolved Parth Brahmbhatt
        7. add authentication layer and initial JKS x509 implementation for brokers, producers and consumer for network communication Sub-task Resolved Ivan Lyutov
        8. Add SSL support to Kafka Broker, Producer and Consumer Sub-task Resolved Sriharsha Chintalapani
        9. new java consumer needs ssl support as a client Sub-task Resolved Sriharsha Chintalapani
        10. Authenticate connection to Zookeeper Sub-task Resolved Parth Brahmbhatt
        11. Refactor brokers to allow listening on multiple ports and IPs Sub-task Resolved Gwen Shapira
        12. Create extendable channel interface and default implementations Sub-task Resolved Gwen Shapira
        13. Move kafka.network over to using the network classes in org.apache.kafka.common.network Sub-task Resolved Gwen Shapira
        14. KafkaAuthorizer: Add all public entities, config changes and changes to KafkaAPI and kafkaServer to allow pluggable authorizer implementation. Sub-task Resolved Parth Brahmbhatt
        15. KafkaAuthorizer: Add simpleACLAuthorizer implementation. Sub-task Resolved Parth Brahmbhatt
        16. KafkaAuthorizer: Add CLI for Acl management. Sub-task Resolved Parth Brahmbhatt
        17. Kafka Auditing functionality Sub-task Open Parth Brahmbhatt
        18. remove usage of BlockingChannel in the broker Sub-task Resolved Ismael Juma
        19. Ducktape tests for SSL/TLS Sub-task Resolved Geoff Anderson
        20. Test SSL/TLS impact on performance Sub-task Resolved Ben Stopford
        21. Use `NetworkClient` instead of `SimpleConsumer` to fetch data from replica Sub-task Resolved Ismael Juma
        22. SSL/TLS in official docs Sub-task Resolved Sriharsha Chintalapani
        23. Disable SSLv3 for ssl.enabledprotocols config on client & broker side Sub-task Resolved Ismael Juma
        24. Unauthorized clients should not be able to join groups Sub-task Resolved Jason Gustafson
        25. Run some existing ducktape tests with SSL-enabled clients and brokers Sub-task Resolved Rajini Sivaram
        26. ConsumerMetdata authorization error not returned to user Sub-task Resolved Jason Gustafson
        27. Add Test with authorizer for producer and consumer Sub-task Resolved Parth Brahmbhatt
        28. Metrics for SSL handshake Sub-task Open Unassigned
        29. Refactoring of ZkUtils Sub-task Resolved Flavio Junqueira
        30. Add tests for ZK authentication Sub-task Resolved Flavio Junqueira
        31. Upgrade path for ZK authentication Sub-task Resolved Flavio Junqueira
        32. Run relevant ducktape tests with SASL_PLAINTEXT and SASL_SSL Sub-task Resolved Rajini Sivaram
        33. Run mirror maker tests in ducktape with SSL and SASL Sub-task Resolved Rajini Sivaram
        34. Run replication tests in ducktape with SSL for clients Sub-task Resolved Rajini Sivaram
        35. Implement SASL/PLAIN Sub-task Resolved Rajini Sivaram
        36. SASL/Kerberos follow-up Sub-task Resolved Ismael Juma
        37. SASL authentication in official docs Sub-task Resolved Sriharsha Chintalapani
        38. Authorization section in official docs Sub-task Resolved Parth Brahmbhatt
        39. Protect passwords from logging Sub-task Resolved Jakub Nowak
        40. Improve handling of authorization failure during metadata refresh Sub-task Resolved Jason Gustafson
        41. Add ducktape tests for SASL/Kerberos Sub-task Open Unassigned
        42. Run relevant ducktape tests with SASL/PLAIN and multiple mechanisms Sub-task Resolved Rajini Sivaram
        43. SaslClientAuthenticator no longer needs KerberosNameParser in constructor Sub-task Resolved Ismael Juma
        44. Document ZooKeeper authentication Sub-task Resolved Flavio Junqueira
        45. Add group support for authorizer acls Sub-task In Progress Parth Brahmbhatt
         

          Activity

          gwenshap Gwen Shapira added a comment -

          Note that each subtask has "fix version" in its details. This indicates which version includes the fix.

          In this case all subtasks are marked with "0.9.0.0", which is a future release. So, no existing release includes the security patches; those will be part of the next release.

          zakkirkharim zakkir kharim added a comment -

          I am trying to find out whether TLS-based authentication and the authorization outlined here are now part of the latest Kafka release.
          Does "Resolved" for one "subtask" mean it has gone to a release? Or do all the sub-tasks need to be "Resolved" before we can expect all the code changes in the latest release?

          ijuma Ismael Juma added a comment -

          sriharsha chintalapani, thanks for the link and for making KAFKA-2162 a sub-task of this ticket.

          sriharsha Sriharsha Chintalapani added a comment -

          Ismael Juma Here it is https://issues.apache.org/jira/browse/KAFKA-2162

          ijuma Ismael Juma added a comment -

          One of the in-scope items in the wiki page is "Auditing". Is that information up to date and if so, is there a ticket for it? All the other items seem to be covered by the subtasks associated to this ticket.

          guozhang Guozhang Wang added a comment -

          Sriharsha Chintalapani That makes sense, thanks!

          sriharsha Sriharsha Chintalapani added a comment -

          Guozhang Wang I don't think KAFKA-1927 should block KAFKA-1684 or KAFKA-1690. 1927 is application protocol changes; it's not going to affect the work done in 1684 and 1690, which is at the socketchannel and network level.

          guozhang Guozhang Wang added a comment -

          Jun Rao I am wondering if KAFKA-1927 needs to be done before KAFKA-1684 or can be done in parallel?

          junrao Jun Rao added a comment -

          3. The SSL work is now being done in KAFKA-1690, on top of the network code in o.a.k.c.n.

          sriharsha Sriharsha Chintalapani added a comment - - edited

          Also
          5. KAFKA-1688 (Authorization), by Parth Brahmbhatt, depending on KAFKA-1684 & KAFKA-1686

          junrao Jun Rao added a comment -

          Just so that everyone knows the sequencing and who is working on what. The following is a summary of the jiras that are being actively worked on.

          1. KAFKA-1809 (multi-port), by Gwen Shapira.
          2. KAFKA-1928 (reuse network code in o.a.k.c.n in server), by Gwen Shapira, depending on KAFKA-1809.
          3. KAFKA-1684 (SSL), by Sriharsha Chintalapani, depending on KAFKA-1928.
          4. KAFKA-1686 (SASL), by Sriharsha Chintalapani, depending on KAFKA-1928.


            People

            • Assignee: Unassigned
            • Reporter: jkreps Jay Kreps
            • Votes: 27
            • Watchers: 71
