This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-282: Add the listener name to the authentication context
Skip to end of metadata
Go to start of metadata

Status

Current state: Adopted

Discussion thread: here [Change the link from the KIP proposal email archive to your own email thread]

JIRA: KAFKA-6750

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Currently when building a Principal, the builder has access to an AuthenticationContext which contains the security protocol as well as the client address. However since 0.10.2.0 Kafka can have multiple listeners for the same security protocol using listener names (listener.security.protocol.map). While we can identify the source of the connection using the client address, having the listener name would make it simpler as IPs/networks can change and it currently requires to parse the client IP.

Public Interfaces

A new public method will be added to AuthenticationContext:

/**
 * Name of the listener used for the connection
 */
String listenerName();

 

As well as to all the existing implementations: PlaintextAuthenticationContext, SslAuthenticationContext and SaslAuthenticationContext.

That will return the String value (value()) of the ListenerName used by the connection. For example, with the following configuration:

listener.security.protocol.map=CLIENT:SASL_PLAINTEXT,REPLICATION:PLAINTEXT,INTERNAL_SASL:SASL_PLAINTEXT
advertised.listeners=CLIENT://cluster1.foo.com:9092,REPLICATION://broker1.replication.local:9093,INTERNAL_SASL://broker1.local:9094
listeners=CLIENT://192.1.1.8:9092,REPLICATION://10.1.1.5:9093,INTERNAL_SASL://10.1.1.5:9094


For a client connecting to:

  • 192.1.1.8:9092, it will return "CLIENT"
  • 10.1.1.5:9093, it will return "REPLICATION"
  • 10.1.1.5:9094, it will return "INTERNAL_SASL"

Compatibility, Deprecation, and Migration Plan

No compatibility, deprecation, migration plan required.


Rejected Alternatives

If there are alternative ways of accomplishing the same thing, what were they? The purpose of this section is to motivate why the design is the way it is and not some other way.

 

 

  • No labels