THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
| Table of Contents |
|---|
Status
Current state: Under Discussion Adopted
Discussion thread: here
JIRA:
| Jira | ||||||
|---|---|---|---|---|---|---|
|
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
| Code Block |
|---|
interface PrincipalBuilder extends Configurable {
void configure(Map<String, ?> configs);
Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator) throws KafkaException;
void close() throws KafkaException;
} |
...
At the moment, the Principal derived from the PrincipalBuilder is converted to a KafkaPrincipal before being passed to the Authorizer.
...
The KafkaPrincipal
...
object is distinguished primarily by the fact that it has a principal type, which is always set to "User" when converting from a Principal.
...
The Authorizer
...
implementation depends
...
on KafkaPrincipal
...
indirectly through the following objects:
| Code Block |
|---|
case class Session(principal: KafkaPrincipal, clientAddress: InetAddress)
case class Acl(principal: KafkaPrincipal, permissionType: PermissionType, host: String, operation: Operation) |
In this KIP, we aim to solve two primary problems with the current PrincipalBuilder interface:
- The
PrincipalBuilderis currently only used for SSL authentication. We want to extend it to SASL mechanisms in general including GSSAPI. This includes unifying the Kerberos name translation rules. - Due to the conversion from
PrincipaltoKafkaPrincipal,a customAuthorizerimplementation cannot leverage any enrichment provided at the authentication layer in a convenient way. For example, if the authorizer had a notion of groups, it might be reasonable to derive a group id from the client certificate OU field. In that case, the principal builder would have to pack that group id into the principal name to pass it through to theAuthorizer. This might be reasonable for just one additional field, but it would be more general and much more convenient to pass through the enrichedPrincipalall the way toAuthorizer. (Note this is the problem which was trying to be solved in KIP-111.)
Additionally, the interface has a couple shortcomings from an API perspective that we want to address:
- There is no use case that we are aware of which requires access to the
Authenticatordirectly. The closest use case would be the SASL authenticator, but what we actually need is theSaslServer. Furthermore, there is an odd circular dependence between thePrincipalBuilderand theAuthenticator:Authenticatorexposes aprincipal()method which uses thePrincipalBuilderby passing itself as the second parameter. - There is no use case that we are aware of which requires the
TransportLayeritself. What client SSL authentication actually needs is access to theSSLSessionwhich is provided by the JRE. Hence we are unnecessarily exposing Kafka internals.
...
To address these problems, we propose first to introduce a new AuthenticationContext interface to encapsulate the authentication state needed to derive the principal. Initially we expose a single method methods to get the underlying security protocol in use and the client address.
| Code Block |
|---|
interface AuthenticationContext {
String securityProtocolName();
SecurityProtocolInetAddress protocolclientAddress();
} |
There will be two implementations of this interface exposed: SslAuthenticationContext and SaslAuthenticationContext. These expose the respective state needed to derive the Principal.
...
Both
PrincipalBuilder and KafkaPrincipalBuilder will be exposed through the principal.builder.class configuration.To avoid confusion when using extensions of
KafkaPrincipal, we intend to deprecate and eventually remove the static fromString method since it only supports construction of KafkaPrincipal instances.Rejected Alternatives
Another option to add support for SASL might be to modify the SaslServerAuthenticator to use the existing PrincipalBuilder. This allows us to write a custom PrincipalBuilder such as the following:
...