...

Often, users want to extract one of the fields (e.g., CN) as the principal name; CN is the most commonly used field. Currently, a custom principal builder class is required in order to customize the SSL username. For this simple change, users need to build and maintain a custom principal builder class and also package and deploy the jar to all brokers. Having built-in SSL principal builder configs/rules that allow the SSL principal name to be customized will be useful.

Public Interfaces

We are proposing the following options in the order of preference.

Option 1:

Add a new configuration parameter pair of the form:

...

This option supports a single mapping pattern, which handles the common use case.

Notes:

The proposed mapping rules work on the string representation of the X.500 distinguished name (RFC 2253 format) [1].
Mapping rules can use the attribute type keywords defined in RFC 2253 (CN, L, ST, O, OU, C, STREET, DC, UID).

...

[2] https://docs.oracle.com/javase/7/docs/api/javax/security/auth/x500/X500Principal.html#getName(java.lang.String,%20java.util.Map)

Proposed Changes

1. We will update the DefaultKafkaPrincipalBuilder class to handle the above proposed configuration options.

2. The proposed mapping rules work on the string representation of the X.500 distinguished name (RFC 2253 format).

3. The proposed configuration will be ignored if SSL client authentication is disabled (in this case the principal name is ANONYMOUS).

4. The proposed configuration will be ignored if an extension of KafkaPrincipalBuilder is provided via the principal.builder.class configuration.

Compatibility, Deprecation, and Migration Plan

  • There won't be any change to current behavior. By default, the string representation of the X.500 certificate will be returned.

Rejected Alternatives

Option 2:

Similar to the SASL Kerberos principal rules, we can have a list of SSL principal mapping rules.

ssl.principal.mapping.rules: This config allows a list of rules for mapping the distinguished name to a short principal name. The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name.
Any later rules in the list are ignored. By default, the string representation of the X.500 certificate will be the principal.

The possible values are:

RULE:exp The principal name will be formulated from exp.

The format for exp is pattern/replacement/[LU]. If the string matches the pattern, then the replacement command will be run over the string.

...

RULE:pattern/replacement/
RULE:pattern/replacement/[LU]

DEFAULT: the string representation of the X.500 certificate will be the principal.

...


This option supports multiple mapping patterns.
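To make the rule semantics above concrete, here is an added Java illustration (not Kafka's DefaultKafkaPrincipalBuilder and not part of this KIP) that normalises a certificate subject into its RFC 2253 string with X500Principal.getName and then evaluates RULE:pattern/replacement/[LU] entries in order, falling back to DEFAULT. A list containing one RULE entry behaves like Option 1's single pattern; a longer list with DEFAULT behaves like Option 2. The class name, the comma separator between rules (split only where a comma is followed by RULE: or DEFAULT, so commas inside a pattern survive), the rule grammar without slashes inside pattern or replacement, and the sample subjects are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;

// Added example: evaluates RULE:pattern/replacement/[LU] and DEFAULT entries against the
// RFC 2253 form of a certificate subject. Not Kafka's own builder; the class name, the
// rule separator and grammar, and the sample subjects are assumptions for this illustration.
public final class SslPrincipalMappingExample {

    // Assumed grammar for one entry; a '/' inside pattern or replacement is not supported here.
    private static final Pattern RULE_SYNTAX = Pattern.compile("RULE:([^/]*)/([^/]*)/([LU]?)");

    /** One mapping rule; a null pattern represents DEFAULT. */
    static final class Rule {
        final Pattern pattern;
        final String replacement;
        final String caseFlag;   // "", "L" or "U"

        Rule(Pattern pattern, String replacement, String caseFlag) {
            this.pattern = pattern;
            this.replacement = replacement;
            this.caseFlag = caseFlag;
        }

        /** Returns the mapped name, or null when this rule does not match the DN. */
        String apply(String dn) {
            if (pattern == null) {
                return dn;                        // DEFAULT: the RFC 2253 string itself
            }
            Matcher m = pattern.matcher(dn);
            if (!m.matches()) {
                return null;                      // no match: the caller tries the next rule
            }
            String mapped = m.replaceAll(replacement);   // replaceAll resets the matcher first
            if ("L".equals(caseFlag)) {
                return mapped.toLowerCase(Locale.ROOT);
            }
            if ("U".equals(caseFlag)) {
                return mapped.toUpperCase(Locale.ROOT);
            }
            return mapped;
        }
    }

    /** Parses a rule list such as "RULE:^CN=(.*?),OU=.*$/$1/L,DEFAULT" into ordered rules. */
    static List<Rule> parseRules(String config) {
        List<Rule> rules = new ArrayList<>();
        // Split on commas that start the next entry, so commas inside a pattern are kept.
        for (String entry : config.split(",(?=RULE:|DEFAULT)")) {
            entry = entry.trim();
            if (entry.equals("DEFAULT")) {
                rules.add(new Rule(null, null, ""));
                continue;
            }
            Matcher m = RULE_SYNTAX.matcher(entry);
            if (!m.matches()) {
                throw new IllegalArgumentException("Invalid mapping rule: " + entry);
            }
            rules.add(new Rule(Pattern.compile(m.group(1)), m.group(2), m.group(3)));
        }
        return rules;
    }

    /** Evaluates rules in order; the first matching rule wins and later rules are ignored. */
    static String mapPrincipal(List<Rule> rules, String rfc2253Dn) {
        for (Rule rule : rules) {
            String mapped = rule.apply(rfc2253Dn);
            if (mapped != null) {
                return mapped;
            }
        }
        return rfc2253Dn;   // nothing matched (no DEFAULT present): keep the current behaviour
    }

    public static void main(String[] args) {
        // Constructed subjects, normalised into the RFC 2253 string the rules operate on.
        String serviceDn = new X500Principal("CN=Service User,OU=Data,O=Example,C=US")
                .getName(X500Principal.RFC2253);
        String adminDn = new X500Principal("CN=admin,O=Example")
                .getName(X500Principal.RFC2253);

        List<Rule> rules = parseRules("RULE:^CN=(.*?),OU=.*$/$1/L,DEFAULT");

        System.out.println(mapPrincipal(rules, serviceDn));
        System.out.println(mapPrincipal(rules, adminDn));
    }
}
```

In the sample, the first rule captures the CN of any subject that also carries an OU and lowercases it because of the L flag; the second subject has no OU, so the first rule does not match and the DEFAULT entry returns the full RFC 2253 string, which is the behaviour the compatibility section describes as the default. Removing DEFAULT from the list shows the other edge: a subject no rule matches still yields the unmapped DN rather than an error.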


Since Option 1 handles the common use case, we would like to go with Option 1.