...
Similar to SASL Kerberos principal rules, we can have a list of SSL principal mapping rules.
ssl.principal.mapping.rules: This config allows a list of rules for mapping a certificate's distinguished name to a short principal name.
The rules are evaluated in order, and the first rule that matches a principal name is used to map it to a short name.
Any later rules in the list are ignored. By default, the string representation of the X.500 certificate will be the principal.
...
The format for exp is pattern/replacement/[LU]. If the string matches the pattern, then the replacement
command will be run over the string.
See the formats below for the syntax. Each rule starts with "RULE:" and contains an expression in one of the following formats.
RULE:pattern/replacement/
RULE:pattern/replacement/[LU]
DEFAULT: string representation of the X.500 certificate will be the principal.
Similar to SASL Kerberos principal rules, we can also support a lowercase/uppercase rule to force
the result to be all lowercase or all uppercase. This is done by adding "/L" or "/U" to the end of the rule.
Example Rules:
ssl.principal.mapping.rules= RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/, RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, RULE:^CN=(.*?), OU=(.*?)$/$1@$2/L, DEFAULT
This option is more flexible and can handle a few more scenarios.
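The first-match evaluation and the /L flag described above, run over the page's example rule list with constructed DNs. This Python sketch is an added example, not Kafka's implementation; the names parse_rules, map_principal and audit, the whole-string matching, the error raised when nothing matches, and the sample DNs are assumptions of the sketch.

```python
import re

# Rule list copied from the example above (the page's own value).
PAGE_RULES = (
    "RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, "
    "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/, "
    "RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, "
    "RULE:^CN=(.*?), OU=(.*?)$/$1@$2/L, DEFAULT"
)
# One list entry: DEFAULT, or RULE:pattern/replacement/ plus an optional L or U.
ENTRY = re.compile(
    r"\s*(?:(DEFAULT)|RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?))\s*(?:,|$)")

def parse_rules(value):
    """Return a list of (regex, replacement, flag) tuples; DEFAULT becomes None."""
    rules, pos = [], 0
    while pos < len(value):
        m = ENTRY.match(value, pos)
        if not m:
            raise ValueError(f"unparseable rule at offset {pos}")
        rules.append(None if m.group(1) else (re.compile(m.group(2)), *m.group(3, 4)))
        pos = m.end()
    return rules

def map_principal(rules, dn):
    """Apply rules in order ($N in a replacement is capture group N).

    Returns (short_name, index_of_rule_used)."""
    for i, rule in enumerate(rules):
        if rule is None:                      # DEFAULT keeps the DN string as is
            return dn, i
        regex, replacement, flag = rule
        m = regex.fullmatch(dn)               # assumption: the whole DN must match
        if m:
            name = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
            name = {"L": name.lower(), "U": name.upper()}.get(flag, name)
            return name, i
    raise LookupError(f"no rule matched {dn!r}")   # this sketch's own choice

def audit(rules, dns):
    """Group DNs by the short name they map to; >1 DN per name is a collision."""
    owners = {}
    for dn in dns:
        owners.setdefault(map_principal(rules, dn)[0], []).append(dn)
    return owners

# Constructed sample DNs, not taken from the page.
SAMPLE_DNS = ["CN=svc-billing,OU=ServiceUsers,O=Example",
              "CN=my-service, OU=Eng", "CN=my-admin, OU=Eng", "OU=Eng, O=Example"]

print(audit(parse_rules(PAGE_RULES), SAMPLE_DNS))
```

With the page's rule order, the broad second rule wins for both constructed "my-" DNs and cuts each name at the hyphen, so two certificates share the principal "my". Placing that rule after the two more specific ones maps the same DNs to "my-service@eng" and "my-admin@eng".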
Proposed Changes
...