THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Often, users want to extract one of the field (e.g., CN) as the principal name. CN is the commonly used field. Currently in order to customize SSL username a customized principal builder class is required. For this simple change, users need to build and maintain custom principal builder class and also package and deploy the jar to the all brokers. Having built-in SSL principal builder configs/rules that allows to customize SSL principal name will be useful.
Public Interfaces
Option 1 :
Add new configuration parameter pair of the form:
is Rejected. Check Rejected Alternatives section below.
Option 2:
Similar to SASL kerberos principal rules, we can have list of SSL principal mapping rules.ssl.principal.mapping.pattern=^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$
ssl.principal.mapping.value=$1
For the pattern portion of the pairing, regular expression syntax is used to parse the original identity into components. The value portion of the pairing uses these parsed components in variable substitution format to build the translated version of the identity.
So a login with "CN=localhost, OU=OrgUnit, DC=Company" matches with pattern above and the mapping value $1 is applied. The principal name will normalized to "localhost".
rules: This config allows a list of rules for mapping distinguished name to short principal name. The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name.
Any later rules in the list are ignored. By default, string representation of the X.500 certificate will be the principal.
The possible values are:
RULE:exp The principal name will be formulated from exp.
The format for exp is pattern/replacement/[LU]. If the string matches the pattern, then the replacement command will be run over the string.
Each rules starts with "RULE:" and contains an expression as the following formats.
RULE:pattern/replacement/
RULE:pattern/replacement/[LU]
DEFAULT: string representation of the X.500 certificate will be the principal.
Similar to SASL kerberos principal rules, we can also support lowercase/upper case rule, to force the result to be all lower/upper case. This is done by adding a "/L" , "/U" to the end of the rule.
Example RulesExamples:
| Code Block |
|---|
ssl.principal.mapping.patternrules= RULE:^CN=(.*?),OU=ServiceUsers.*$ ssl.principal.mapping.value=$1 ssl.principal.mapping.pattern=/$1/, RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ ssl.principal.mapping.value=$1@$2 ssl.principal.mapping.pattern=^CN=(.*?), OU=(.*?)$ ssl.principal.mapping.value=$1@$2/$1@$2/, RULE:^cn=(.?),ou=(.?),dc=(.?),dc=(.?)$/$1@$2/L, RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, DEFAULT |
This is option supports multiple mapping patterns. Since Option 1 handles the most of the common use cases, we would like to go with Option 1.
| Distinguished Name | Mapping pattern | Mapping value | mapped name |
|---|---|---|---|
| CN=kafka-server1, OU=KAFKA | ^CN=(.?), OU=(.?)$ | $1 | kafka-server1 |
| CN=kafka1, OU=SME, O=mycp, L=Fulton, ST=MD, C=US | ^CN=(.?), OU=(.?), O=(.?), L=(.?), ST=(.?), C=(.?)$ | $1@$2 | kafka1@SME |
| cn=kafka1,ou=SME,dc=mycp,dc=com | ^cn=(.?),ou=(.?),dc=(.?),dc=(.?)$ | $1 | kaffka1 |
...
Notes:
Proposed mapping rules works on string representation of the X.500 distinguished name(RFC2253 format) [1].
Mapping rules can use the attribute types keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).
...
There won't be any change of current behavior. By default, string representation of the X.500 certificate will be returned.
Rejected Alternatives
Option 2:1:
Add new configuration parameter pair of the form:
ssl.principal.mapping.pattern=^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$Similar to SASL kerberos principal rules, we can have list of SSL principal mapping rules.
ssl.principal.mapping.rules: This config allows a list of rules for mapping distinguished name to short principal name. The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name.
Any later rules in the list are ignored. By default, string representation of the X.500 certificate will be the principal.
The possible values are:
RULE:exp The principal name will be formulated from exp.
The format for exp is pattern/replacement/[LU]. If the string matches the pattern, then the replacement command will be run over the string.
Each rules starts with "RULE:" and contains an expression as the following formats.
RULE:pattern/replacement/
RULE:pattern/replacement/[LU]
DEFAULT: string representation of the X.500 certificate will be the principal.
Similar to SASL kerberos principal rules, we can also support lowercase/upper case rule, to force the result to be all lower/upper case. This is done by adding a "/L" , "/U" to the end of the rule.
value=$1
For the pattern portion of the pairing, regular expression syntax is used to parse the original identity into components. The value portion of the pairing uses these parsed components in variable substitution format to build the translated version of the identity.
So a login with "CN=localhost, OU=OrgUnit, DC=Company" matches with pattern above and the mapping value $1 is applied. The principal name will normalized to "localhost".
ExamplesExample Rules:
| Code Block |
|---|
ssl.principal.mapping.rulespattern= RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, RULE: ssl.principal.mapping.value=$1 ssl.principal.mapping.pattern=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, RULE:^cn=(.?),ou=(.?),dc=(.?),dc=(.?)$/$1@$2/L, RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, DEFAULT ssl.principal.mapping.value=$1@$2 ssl.principal.mapping.pattern=^CN=(.*?), OU=(.*?)$ ssl.principal.mapping.value=$1@$2 |
This option supports single mapping pattern. This handles the common use case.
For consistency and flexibility reasons, we will be going with option 2This is option supports multiple mapping patterns. Since Option 1 handles the most of the common use cases, we would like to go with Option 1.