Conversation
k-wall
force-pushed
the
k-wall-patch-2
branch
from
9e9432f to
a839c2e
Compare
Signed-off-by: Keith Wall <kwall@apache.org>
k-wall
force-pushed
the
k-wall-patch-2
branch
from
a839c2e to
a49d74a
Compare
|
|
||
| For the initial release, the filter will need to support only namespacing for consumer group names and transactional ids. There will be scope for the filter to support prefixing of topic resources, but this won’t be supported in the initial release. | ||
|
|
||
| This proposal will deliver a simple implementation of the API that simply uses the principal as the prefix. |
There was a problem hiding this comment.
Which Principal? Does it support SASL and TLS? authorizationId implies it's SASL oriented, I think the proposal should talk about this.
There was a problem hiding this comment.
Given #79 (comment), I think the mapper will accept the Subject and they'll be configuration saying what Principal type should be accessed from the Subject. If the Principal isn't present, it'll fail.
| ```java | ||
| interface ResourceNameMapper { | ||
| /** Return a mapping of downstream names to upstream names. */ | ||
| CompletionStage<Map<String, String>> mapDownstreamResourceNames(String authorizationId, ResourceType resourceType, List<String> downstreamResourceNames); |
There was a problem hiding this comment.
what would happen if there is no SASL transaction for a connection? Is authorizationId nullable? Or does the Filter not do any resource mapping if there is no authorizationId?
There was a problem hiding this comment.
I think it only makes sense to use this filter when a filter has been established on the channel.
|
I said on the sync call, I'll iterate on the APIs in a PR then update the proposal. |
Signed-off-by: Keith Wall <kwall@apache.org>
|
|
||
| The role of the Resource Isolation filter is to give the client the impression of a private kafka cluster space that is isolated from other clients sharing the cluster. Namespacing can be applied selectively to different resource types. | ||
|
|
||
| The filter will use a pluggable API to determine how to map the name of each resource. Operations that retrieve lists of resources will see only those that fall within the namespace. |
There was a problem hiding this comment.
Will the Filter fail-closed if it encounters new versions of RPCs? I think we've decided this in the PR but would be good to update the design. Like the Authz Filter I think this one needs to modify ApiVersions response data to only advertise supported RPCs, and fail explosively if we recieve an RPC version that the Filter doesn't know how to handle. We should only let through RPC versions that either carry no entity information, or the Filter knows how to mutate that version.
3 participants
Proposes the introduction of a "Resource Isolation Filter" to Kroxylicious's core filters.
The role of the Resource Isolation Filter is to give the client a private space within the kafka cluster space that is isolated from other users sharing the cluster. Namespacing can be applied selectively to different resource types. This allows the possibility for some resource types (probably topics) to be shared between users while others (consumer group names and transactional ids) are private.