...
Status
Current state: Adopted
Discussion thread: here
JIRA: here
...
Public Interfaces
Option 1 is rejected; see the Rejected Alternatives section below.
...
Similar to the SASL Kerberos principal rules, a lowercase or uppercase rule is also supported, which forces the mapped result to be all lowercase or all uppercase. This is done by appending "/L" or "/U" to the end of the rule.
...
```properties
ssl.principal.mapping.rules=RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, RULE:^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$/$1@$2/L, RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, DEFAULT
```
This option supports multiple mapping patterns; the rules are evaluated in order and the first matching rule determines the principal name. Some sample mapping patterns are given below.
Distinguished Name | Mapping pattern | Mapping value replacement | Mapped name |
---|---|---|---|
CN=kafka-server1, OU=KAFKA | ^CN=(.*?), OU=(.*?)$ | $1 | kafka-server1 |
CN=kafka1, OU=SME, O=mycp, L=Fulton, ST=MD, C=US | ^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ | $1@$2 | kafka1@SME |
cn=kafka1,ou=SME,dc=mycp,dc=com | ^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$ | $1 | kafka1 |
Notes:
The proposed mapping rules work on the string representation of the X.500 distinguished name (RFC 2253 format) [1].
Mapping rules can use the attribute type keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).
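The following is an added example, written for this page rather than taken from Kafka's own source, that parses a rule list in the `ssl.principal.mapping.rules` format above and applies it to RFC 2253 distinguished-name strings. The evaluation semantics are assumptions drawn from the text: rules are tried in order, the first rule whose pattern matches the whole DN wins, `$N` in the replacement refers to capture group N, a trailing `/L` or `/U` lower- or upper-cases the result, and `DEFAULT` returns the DN unchanged. The rule-splitting regex (which allows `\/` as an escaped slash so patterns may contain commas) and the sample DNs are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed copy of the rule list from this page's configuration example.
RULES_CONFIG = (
    "RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, "
    "RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, "
    "RULE:^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$/$1@$2/L, "
    "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, "
    "DEFAULT"
)

# Assumed grammar: RULE:<pattern>/<replacement>/[L|U] or DEFAULT, separated by commas.
# Pattern and replacement may contain commas and spaces; an unescaped "/" ends each part.
_RULE_RE = re.compile(r"RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)|DEFAULT")


@dataclass
class Rule:
    pattern: Optional[re.Pattern]  # None marks the DEFAULT rule
    replacement: str = ""
    case: str = ""                 # "", "L" or "U"


def parse_rules(config: str) -> List[Rule]:
    """Split the rule list and compile each pattern; rejects leftover text between rules."""
    rules: List[Rule] = []
    pos = 0
    for m in _RULE_RE.finditer(config):
        gap = config[pos:m.start()]
        if gap.strip(" ,") != "":
            raise ValueError(f"unparseable text in rule list: {gap!r}")
        if m.group(0) == "DEFAULT":
            rules.append(Rule(pattern=None))
        else:
            pattern, repl, case = m.group(1), m.group(2), m.group(3)
            rules.append(Rule(re.compile(pattern.replace("\\/", "/")),
                              repl.replace("\\/", "/"), case))
        pos = m.end()
    if config[pos:].strip(" ,") != "":
        raise ValueError(f"unparseable text in rule list: {config[pos:]!r}")
    return rules


def _expand(m: re.Match, replacement: str) -> str:
    """Substitute $1, $2, ... in the replacement with the matched capture groups."""
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", replacement)


def map_principal(dn: str, rules: List[Rule]) -> str:
    """Return the principal name for an RFC 2253 DN string under the first matching rule."""
    for rule in rules:
        if rule.pattern is None:
            return dn  # DEFAULT keeps the full distinguished name
        m = rule.pattern.fullmatch(dn)
        if m is None:
            continue
        out = _expand(m, rule.replacement)
        if rule.case == "L":
            return out.lower()
        if rule.case == "U":
            return out.upper()
        return out
    raise ValueError(f"no mapping rule matched DN {dn!r}")


if __name__ == "__main__":
    rules = parse_rules(RULES_CONFIG)
    # Constructed sample DNs; the last one shows the catch-all rule stopping at "-",
    # which its character class [a-zA-Z0-9.] does not include.
    for dn in ("CN=kafka1, OU=SME, O=mycp, L=Fulton, ST=MD, C=US",
               "cn=kafka1,ou=SME,dc=mycp,dc=com",
               "CN=svc-foo,OU=ServiceUsers,O=Example",
               "CN=kafka-server1, OU=KAFKA",
               "O=Example"):
        print(f"{dn!r:60} -> {map_principal(dn, rules)!r}")
```

Running the module shows that the two table rows present in the rule list map to `kafka1@SME` and `kafka1@sme` (the latter lowercased by `/L`), while a DN that no explicit rule matches falls through to `DEFAULT`. The `CN=kafka-server1` case is worth noting when writing a catch-all rule: the character class in the last rule does not include `-`, so the capture stops early and the DN maps to `kafka`, which is why the sample table uses a dedicated `^CN=(.*?), OU=(.*?)$` pattern for that shape of name.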
...
If an OID-to-keyword mapping such as ("1.2.840.113549.1.9.1", "emailAddress") were available, the string would be
"CN=Duke,OU=JavaSoft,O=Sun Microsystems,C=US,emailAddress=test@test.com"
Since no such OID-to-keyword mapping is available, additional attribute type keyword strings cannot be used in the rules.
Users who want to extract additional attribute keys need to write a custom principal builder class.
...
```properties
ssl.principal.mapping.pattern=^CN=(.*?),OU=ServiceUsers.*$
ssl.principal.mapping.value=$1

ssl.principal.mapping.pattern=^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$
ssl.principal.mapping.value=$1@$2

ssl.principal.mapping.pattern=^CN=(.*?), OU=(.*?)$
ssl.principal.mapping.value=$1@$2
```
...