Status

Current state: "Under Discussion"

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

KafkaPrincipal is formed from the name of the principal received from the underlying channel.

...

Often, users want to extract one of the fields (e.g., CN) as the principal name. Currently, customizing the
SSL username requires a custom principal builder class. Built-in SSL principal builder configs/rules
that allow the SSL principal name to be customized would be useful.

Public Interfaces

We are proposing the following options in the order of preference.

Option 1:

Add a new configuration parameter pair of the form:

...

For the pattern portion of the pairing, regular expression syntax is used to parse the original identity into components.
The value portion of the pairing uses these parsed components in variable substitution format to build the translated version of the identity.

In the above example, we only want to extract the CN part of the Subject and use it as the principal name of the client.
For the distinguished name "CN=userName, OU=OrgUnit, DC=Company", the above pattern returns "userName" as the principal name.

This is a simple option and handles most of the common use cases.

Option 2:

Similar to the SASL Kerberos principal rules, we can have a list of SSL principal mapping rules.

...

1. We will update DefaultKafkaPrincipalBuilder to handle the proposed configuration options.
2. The proposed configuration will be applied to the X500Principal distinguished name from the client certificate.
3. The proposed configuration will be ignored if SSL client authentication is disabled (in that case the principal name is ANONYMOUS).
4. The proposed configuration will be ignored if a custom implementation of KafkaPrincipalBuilder is supplied via the principal.builder.class configuration.
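As an added example (not code from this KIP or from Kafka), the following Python sketch implements the pattern/value mapping described under Option 1 together with the fallback behaviour in points 2 and 3 above, and then shows two checks worth running on a candidate rule before relying on it for authorization: a DN whose CN contains an escaped comma, where a regex over the raw DN string and an attribute-aware split disagree, and two certificates from different OUs that the rule collapses onto a single principal. The KIP text does not fix the rule syntax, so the regex pattern, the `\1` back-reference style for the value portion, the "return the DN unchanged when nothing matches" behaviour, and all sample DNs are assumptions made here.

```python
import re
from typing import Callable, Dict, List, Optional, Tuple

ANONYMOUS = "ANONYMOUS"  # principal used when SSL client authentication is disabled


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (attribute type, value) pairs.

    Unlike a regex over the raw string this honours backslash escapes, so
    "CN=alice\\, admin" keeps its comma. Quoted legacy (RFC 2253) values are
    not handled; this is a minimal illustration, not Kafka's own parser.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # escaped character: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":  # an unescaped comma terminates the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        typ, _, val = rdn.partition("=")  # first '=' separates type from value
        pairs.append((typ.strip().upper(), val.strip()))
    return pairs


def map_by_regex(dn: Optional[str], pattern: str, value: str) -> str:
    """Option 1: one (pattern, value) pair applied to the whole DN string.

    `pattern` is a regex matched against the full DN; `value` is a replacement
    template using Python back-references (\\1 or \\g<1>), an assumed syntax.
    dn=None models SSL client auth being disabled (principal ANONYMOUS). If the
    pattern does not match, the DN string is returned unchanged (assumed to
    mirror the current default of using the DN as the principal name).
    """
    if dn is None:
        return ANONYMOUS
    m = re.fullmatch(pattern, dn)
    if m is None:
        return dn
    return m.expand(value)


def map_by_attribute(dn: Optional[str], attr: str = "CN") -> str:
    """Attribute-aware alternative: the value of the first RDN of type `attr`."""
    if dn is None:
        return ANONYMOUS
    for typ, val in split_dn(dn):
        if typ == attr.upper():
            return val
    return dn


def detect_collisions(dns: List[str], mapper: Callable[[str], str]) -> Dict[str, List[str]]:
    """Return principals that more than one distinct DN maps to.

    ACLs are keyed on the mapped principal, so a rule that discards OU/DC makes
    certificates from different parts of the hierarchy indistinguishable.
    """
    seen: Dict[str, List[str]] = {}
    for dn in dns:
        seen.setdefault(mapper(dn), []).append(dn)
    return {p: ds for p, ds in seen.items() if len(ds) > 1}


# Constructed sample DNs (only DN_DOC appears in the KIP text).
DN_DOC = "CN=userName, OU=OrgUnit, DC=Company"
DN_ESCAPED = "CN=alice\\, admin, OU=Eng, DC=Company"      # CN contains an escaped comma
DN_OTHER_OU = "CN=userName, OU=Contractors, DC=Company"  # same CN, different OU

CN_PATTERN = r"^CN=(.*?),.*$"  # assumed rule pattern extracting the CN
CN_VALUE = r"\1"               # assumed value portion: first capture group

if __name__ == "__main__":
    print(map_by_regex(DN_DOC, CN_PATTERN, CN_VALUE))      # userName
    print(map_by_regex(None, CN_PATTERN, CN_VALUE))        # ANONYMOUS
    print(map_by_regex(DN_ESCAPED, CN_PATTERN, CN_VALUE))  # truncated at the escaped comma
    print(map_by_attribute(DN_ESCAPED))                    # alice, admin
    print(detect_collisions([DN_DOC, DN_OTHER_OU],
                            lambda d: map_by_regex(d, CN_PATTERN, CN_VALUE)))
```

The escaped-comma case is where a raw-string regex rule and the certificate's actual attribute structure diverge; the collision check is the one to run over the DNs of all certificates a CA will issue, since the mapping rule, not the certificate, decides which ACL entries a client matches.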

Compatibility, Deprecation, and Migration Plan

  • There is no change to the current behavior. By default, the string representation of the X.500 distinguished name from the client certificate is returned as the principal name.

Rejected Alternatives