Hi Hongshun Wang, Thanks for the update-no worries about the delay. Whenever you have time, I'd appreciate your comments.
Best regards, SeungMin Lee 2025년 8월 28일 (목) 오후 9:12, Hongshun Wang <[email protected]>님이 작성: > Hi SeungMin, > > Thank you for your excellent work on this proposal. The community has a > strong demand for this functionality. I sincerely apologize for the delay > in reviewing your FIP because I am busy recently. I will do it in next week. > > Best > Hongshun > > 2025年8月24日 15:25,SeungMin Lee <[email protected]> 写道: > > > > Hi, dev > > > > I have updated the FIP-7 proposal based on the feedback. The document has > > been expanded to include: > > > > 1. > > > > A plan for securing both *external (client-to-server)* and *internal > > (coordinator↔tablet server)* communications with Kerberos. > > 2. > > > > An enhanced test plan that includes *integration tests using a > MiniKDC*, > > a standard approach also used by projects like Kafka and Pulsar. > > > > > > [1]: > > > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=373885589 > > > > Best regards, > > SeungMin Lee > > > > 2025년 7월 22일 (화) 오전 2:12, SeungMin Lee <[email protected]>님이 작성: > > > >> Hi Wang Chen, > >> > >> Yes, Kafka and Pulsar both support internal authentication, and we > believe > >> Fluss also should support the same. We're starting with client-server > >> Kerberos auth first, and plan to add intra-cluster authentication (e.g., > >> coordinator ↔ tablet) as future work, which will also be added in the > >> proposal FIP-7. > >> > >> Best regards, > >> SeungMin Lee > >> > >> > >> On 2025/07/21 05:43:28 Wang Cheng wrote: > >>> Hi Lee, > >>> > >>> > >>> How about authentication between the coordinator and tablet servers? Do > >> we have an intra-cluster membership encryption/authentication plan? > >>> > >>> > >>> > >>> Regards, > >>> Cheng > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> > >>> ------------------ Original ------------------ > >>> From: > >> "dev" > >> < > >> [email protected]>; > >>> Date: Sun, Jul 20, 2025 03:49 PM > >>> To: "dev"<[email protected]>; > >>> > >>> Subject: [DISCUSS] FIP-7: Support Kerberos Authentication via > >> SASL/GSSAPI > >>> > >>> > >>> > >>> Hi all, > >>> > >>> Currently, Fluss supports SASL/PLAIN authentication and ACL-based > >>> authorization, but lacks support for Kerberos-based authentication. > This > >>> makes it difficult for enterprises with existing Kerberos > infrastructure > >> to > >>> adopt Fluss securely. > >>> > >>> This proposal introduces a new SASL mechanism, GSSAPI, to enable > >>> Kerberos-based mutual authentication between Fluss clients and servers. > >> The > >>> implementation leverages Java's built-in GSSAPI and JAAS APIs to > validate > >>> Kerberos service tickets, and integrates with Fluss’s pluggable > >>> authentication framework and ACL-based authorization layer. Only > external > >>> client-server communication is affected; internal RPCs (e.g., > coordinator > >>> <-> tablet server) remain unauthenticated by default. > >>> > >>> > >>> This is my first FIP proposal, so any feedback, suggestions, or > comments > >> — > >>> big or small — are truly welcome. > >>> While I may not know all the answers immediately, I’ll do my best to > >> study, > >>> research, and respond thoughtfully. > >>> > >>> > >>> [1]: > >>> > >> > https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=373885589 > >>> > >>> Best regards, > >>> SeungMin Lee > >
