...
Often, users want to extract one of the fields of the distinguished name (e.g., CN) as the principal name; CN is the most commonly used field. Currently, customizing the SSL username requires a custom principal builder class. For this simple change, users must build and maintain a custom principal builder class and also package and deploy its jar to all brokers. Built-in SSL principal builder configs/rules that allow the SSL principal name to be customized would be useful.
...
| Distinguished Name | Mapping pattern | Mapping value | Mapped name |
|---|---|---|---|
| CN=kafka-server1, OU=KAFKA | ^CN=(.*?), OU=(.*?)$ | $1 | kafka-server1 |
| CN=kafka1, OU=SME, O=mycp, L=Fulton, ST=MD, C=US | ^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$ | $1@$2 | kafka1@SME |
| cn=kafka1,ou=SME,dc=mycp,dc=com | ^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$ | $1 | kafka1 |

This is a simple option that supports a single mapping pattern. It handles most of the common use cases.
...
```properties
ssl.principal.mapping.rules=RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, RULE:^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$/$1@$2/L, RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, DEFAULT
```

This option supports multiple mapping patterns and can handle a few more scenarios than Option 1.
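To make the rule semantics concrete, the following is an added example (not Kafka's code, and written in Python rather than the broker's Java) that models the behaviour described above: rules are tried in order, the first whose regex matches the whole distinguished name produces the principal name from its replacement, an optional trailing `L` or `U` lower- or upper-cases the result, and `DEFAULT` passes the distinguished name through unchanged. The rule grammar `RULE:<regex>/<replacement>/[L|U]` and the "first match wins, error if nothing matches" policy are assumptions based on the KIP text; the sample distinguished names are constructed from the tables above. Option 1 corresponds to a single `RULE:` entry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed grammar, modelled on the KIP text (not Kafka's own parser):
#   RULE:<regex>/<replacement>/[L|U]   or   DEFAULT, comma separated, tried in order.
# A backslash-escaped character inside <regex> or <replacement> does not end the field.
_RULE_RE = re.compile(r'RULE:((?:\\.|[^/])*)/((?:\\.|[^/])*)/([LU]?)|DEFAULT')

# The configuration value from the page (key omitted).
RULES_CONFIG = (
    "RULE:^CN=(.*?),OU=ServiceUsers.*$/$1/, "
    "RULE:^CN=(.*?), OU=(.*?), O=(.*?), L=(.*?), ST=(.*?), C=(.*?)$/$1@$2/, "
    "RULE:^cn=(.*?),ou=(.*?),dc=(.*?),dc=(.*?)$/$1@$2/L, "
    "RULE:^.*[Cc][Nn]=([a-zA-Z0-9.]*).*$/$1/L, DEFAULT"
)


@dataclass
class Rule:
    pattern: Optional[re.Pattern]  # None represents DEFAULT
    replacement: str = ""
    case: str = ""                 # "", "L" (lowercase) or "U" (uppercase)

    def apply(self, dn: str) -> Optional[str]:
        """Return the mapped name, or None if this rule does not match the DN."""
        if self.pattern is None:
            return dn                       # DEFAULT: pass the DN through unchanged
        m = self.pattern.fullmatch(dn)      # the whole DN must match, like Java's matches()
        if m is None:
            return None
        # Rewrite Java-style $1 back-references into Python's \g<1> form before expanding.
        result = m.expand(re.sub(r'\$(\d+)', r'\\g<\1>', self.replacement))
        if self.case == "L":
            return result.lower()
        if self.case == "U":
            return result.upper()
        return result


def parse_rules(config: str) -> List[Rule]:
    """Split the comma-separated rule list; commas inside a regex are safe because
    each RULE is consumed up to its closing '/' before the scanner moves on."""
    rules: List[Rule] = []
    for m in _RULE_RE.finditer(config):
        if m.group(0) == "DEFAULT":
            rules.append(Rule(None))
        else:
            rules.append(Rule(re.compile(m.group(1)), m.group(2), m.group(3)))
    if not rules:
        raise ValueError("no rules parsed from: " + config)
    return rules


def map_principal(dn: str, rules: List[Rule]) -> str:
    """First matching rule wins; a DN that matches nothing is an error (assumption:
    the page does not say what a non-matching DN without DEFAULT yields)."""
    for rule in rules:
        result = rule.apply(dn)
        if result is not None:
            return result
    raise ValueError("no rule matched distinguished name: " + dn)


def demo() -> dict:
    """Run the page's rule set over constructed sample DNs."""
    rules = parse_rules(RULES_CONFIG)
    samples = [
        "CN=kafka-server1, OU=KAFKA",                        # only the catch-all CN rule matches
        "CN=kafka1, OU=SME, O=mycp, L=Fulton, ST=MD, C=US",  # second rule: $1@$2
        "cn=kafka1,ou=SME,dc=mycp,dc=com",                   # third rule, lowercased
        "CN=svc-app,OU=ServiceUsers,O=mycp",                 # first rule
        "O=mycp,C=US",                                       # no CN at all: DEFAULT
    ]
    return {dn: map_principal(dn, rules) for dn in samples}


if __name__ == "__main__":
    for dn, name in demo().items():
        print(f"{dn!r} -> {name!r}")
```

Note the first sample: the catch-all rule's character class `[a-zA-Z0-9.]` does not include `-`, so `CN=kafka-server1` is mapped to `kafka`, not `kafka-server1`. A rule set is easy to get subtly wrong in this way, so each pattern should be checked against the certificates it is meant to cover; a DN that reaches `DEFAULT` is authorized under its full distinguished name rather than a short user name.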
Proposed Changes
1. We will update the DefaultKafkaPrincipalBuilder class to handle the configuration options proposed above.
2. The proposed configuration will be applied to the X500Principal distinguished name from the client certificate.
3. The proposed configuration will be ignored if SSL client authentication is disabled (in this case the principal name is ANONYMOUS).
4. The proposed configuration will be ignored if an extension of KafkaPrincipalBuilder is provided via the principal.builder.class configuration.
...