Versions Compared

Comment: Minor typo and whitespace fixes.

...

  • Channel is a wrapper for TransportLayer and AuthenticationLayer, providing the necessary handshake and authentication methods as well as read(ByteBuffer buf), write(ByteBuffer buf), write(ByteBuffer[] buf).
  • TransportLayer is an interface for the network transport layer.
  • PlainTextTransportLayer provides plain text socket channel methods.
  • SSLTransportLayer provides SSL handshake and read/write methods.
  • Authenticator is an interface for providing client/server authentication.
  • SaslServerAuthenticationLayer implements AuthenticationLayer and provides authentication methods for the server side.
  • SaslClientAuthenticationLayer implements AuthenticationLayer and provides client-side authentication.


  • User: This class will be used to get the remoteUserId and add it to the Session Object (https://issues.apache.org/jira/browse/KAFKA-1683).
  • KafkaPrincipalToLocalPlugin: This is a pluggable class with a default implementation which translates a Kerberos principal that looks like "testuser/node1.test.com@EXAMPLE.COM" to "testuser". Users can provide their own customized version of PrincipalToLocalPlugin.
  • AuthUtils: This class will consist of any utilities needed for SASL and other auth-related methods.
  • KerberosLoginFactory: It will use the JAAS config to log in and generate a subject.
  • Protocol accepts the protocol type (PLAINTEXT, SSL, PLAINTEXT+SASL, SSL+SASL)
    • PLAINTEXT (non-authenticated, non-encrypted)
      • This channel will provide exactly the same behavior for communication channels as previous releases.
    • SSL
      • SSL implementation. The authenticated principal in the session will be taken from the certificate presented or the peer host.
    • SASL+PLAINTEXT
      • SASL authentication will be used over a plaintext channel. Once SASL authentication is established between client and server, the session will have the client's principal as the authenticated user. There won't be any wire encryption in this case, as all channel communication will be over plain text.
    • SASL+SSL
      • SSL will be established initially and SASL authentication will be done over SSL. Once SASL authentication is established, the user's principal will be used as the authenticated user. This option is useful if users want to use SASL authentication (for example Kerberos) with wire encryption.

  • SecurityConfig, a config file that provides the SecurityProtocol, SSL config and SASL mechanisms.
  • The BlockingChannel interface changes so that it accepts the Protocol to create the appropriate channels.
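
The principal-to-local translation described for KafkaPrincipalToLocalPlugin, sketched as an added example (not code from this page or from Kafka). The class name, the method toLocal and the expectedRealm parameter are hypothetical; the realm check is an assumption of this example, included because dropping the realm would otherwise map same-named users from different realms to one local user.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added illustration; class and method names are hypothetical, not Kafka's API.
public class PrincipalToLocalExample {
    // primary[/instance]@REALM, with no '/' or '@' inside any component.
    private static final Pattern PRINCIPAL =
        Pattern.compile("([^/@]+)(?:/([^/@]+))?@([^/@]+)");

    /**
     * Maps a Kerberos principal to its short name (the primary component).
     * expectedRealm is an assumption of this example: principals from any
     * other realm are rejected rather than silently shortened.
     */
    public static String toLocal(String principal, String expectedRealm) {
        if (principal == null) {
            throw new IllegalArgumentException("principal is null");
        }
        Matcher m = PRINCIPAL.matcher(principal);
        if (!m.matches()) {
            throw new IllegalArgumentException("malformed principal");
        }
        if (!m.group(3).equals(expectedRealm)) {
            throw new IllegalArgumentException("unexpected realm");
        }
        return m.group(1);
    }

    public static void main(String[] args) {
        String realm = "EXAMPLE.COM";
        // The principal form quoted on this page, then one without an instance.
        System.out.println(toLocal("testuser/node1.test.com@EXAMPLE.COM", realm));
        System.out.println(toLocal("testuser@EXAMPLE.COM", realm));
        // Constructed inputs that must not be mapped to a local user.
        String[] bad = {
            "testuser/node1.test.com@OTHER.ORG", // foreign realm
            "/node1.test.com@EXAMPLE.COM",       // empty primary
            "testuser"                           // no realm at all
        };
        for (String p : bad) {
            try {
                System.out.println("accepted (unexpected): " + toLocal(p, realm));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected " + p + ": " + e.getMessage());
            }
        }
    }
}
```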

...