Versions Compared

Old Version 4

changes.mady.by.user Raghu Baddam

Saved on

compared with

New Version 5

changes.mady.by.user Raghu Baddam

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Status

Current state: Under Discussion

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Introduction

KAFKA-15452 reports a bug that affects the ability of custom KafkaPrincipalBuilder implementations to access SslPrincipalMapper and kerberosShortNamer. This limits the ability to parse Regex Rules from BrokerSecurityConfigs SSL_PRINCIPAL_MAPPING_RULES_CONFIG, resulting in a lack of support for Mapping Rules as SslPrincipalMapper is null. This KIP proposes a solution to address this issue at the ChannelBuilders or SslChannelBuilder level.

Motivation

The main motivation behind this KIP is to enhance the flexibility and usability of custom KafkaPrincipalBuilder implementations by allowing them to access SslPrincipalMapper and kerberosShortNamer. This will enable support for Mapping Rules and improve the overall security configuration of Kafka brokers.

Proposed Changes

The proposed changes involve modifications to the following classes:

  • org.apache.kafka.common.network.ChannelBuilders
  • org.apache.kafka.common.network.SslChannelBuilder

ChannelBuilders

In the ChannelBuilders class, we will add a new method createPrincipalBuilder that takes an additional parameter Map<String, Object> configs:

...

This method will be used to create a custom KafkaPrincipalBuilder with access to SslPrincipalMapper and kerberosShortNamer.

SslChannelBuilder

In the SslChannelBuilder class, we will add a new method configurePrincipalBuilder that configures the custom KafkaPrincipalBuilder with SslPrincipalMapper and kerberosShortNamer:

...

This method will be called in the ChannelBuilders class to configure the custom KafkaPrincipalBuilder.

Compatibility, Deprecation, and Migration Plan

The proposed changes are fully backward-compatible and do not require any deprecations or migration efforts. Existing custom KafkaPrincipalBuilder implementations will continue to work without any modifications. However, they can be updated to utilize the new functionality if desired.

Rejected Alternatives

An alternative workaround is to read the configuration and build another SslPrincipalMapper in the custom KafkaPrincipalBuilder implementation. However, this approach is less efficient and may lead to code duplication. The proposed solution provides a more elegant and efficient way to address the issue.

Test Plan

The test plan for this KIP includes:

  1. Unit tests to ensure that the new methods in ChannelBuilders and SslChannelBuilder work as expected.
  2. Integration tests to ensure that custom KafkaPrincipalBuilder implementations can access SslPrincipalMapper and kerberosShortNamer properly.
  3. Performance tests to ensure that the proposed changes do not introduce any performance regressions.

Documentation Updates

The official Kafka documentation will be updated to reflect the new methods and their usage in custom KafkaPrincipalBuilder implementations. This includes updates to the JavaDocs and any relevant sections in the Kafka Security documentation.

...