Versions Compared

Old Version 23

changes.mady.by.user Manikumar Reddy O.

Saved on

compared with

New Version 24

changes.mady.by.user Manikumar Reddy O.

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

This option supports single mapping pattern. This handles the common use cases.

Notes:

Proposed mapping rules works on string representation of the X.500 distinguished name(RFC2253 format) [1].
Mapping rules can use the attribute types keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).

Any additional/custom attribute types are emitted as OIDs. To emit additional attribute type keys,
we need to have OID -> attribute type keyword String mapping.[2]

For example, String representation of X500Principal("CN=Duke, OU=JavaSoft, O=Sun Microsystems, C=US, EMAILADDRESS=test@test.com")
will be "CN=Duke,OU=JavaSoft,O=Sun Microsystems,C=US,1.2.840.113549.1.9.1=#160d7465737440746573742e636f6d"

If we have the OID - key mapping ("1.2.840.113549.1.9.1", "emailAddress"), then the string will be
"CN=Duke,OU=JavaSoft,O=Sun Microsystems,C=US,emailAddress=test@test.com"

Since we are not passing this mapping, we can not use additional attribute type keyword string in our rules.
If the user want to extract additional attribute keys, need to write custom principal builder class.

 [1] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String) 

 [2] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String,%20java.util.Map)

Option 2:

Similar to SASL kerberos principal rules, we can have list of SSL principal mapping rules.

...


This is option supports multiple mapping patterns. This can handle few more scenarios than Option 1. 

Proposed Changes

1. We will update DefaultKafkaPrincipalBuilder class to handle above proposed configuration options.

2. Proposed mapping rules works on string representation of the X.500 distinguished name(RFC2253 format) [1].  Mapping rules can use the attribute types keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).Any additional/custom attribute types are emitted as OIDs. Since we need to have OID -> attribute type keyword String  mapping, we can not use these additional attribute type keyword strings in our rules. If the user want to extract additional attribute keys, then we need to write custom principal builder class.

3. Proposed configuration will be ignored, if SSL client authentication is disabled. (In this case principal name is ANONYMOUS).

4. Proposed configuration will be ignored, if an extension of KafkaPrincipalBuilder is provided by the principal.builder.class configuration.[1] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String) 
[2] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String,%20java.util.Map)

Compatibility, Deprecation, and Migration Plan

...