This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-111: Kafka should preserve the Principal generated by the PrincipalBuilder while processing the request received on socket channel, on the broker.

Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • This PrincipalBuilder API will then be used to generate a Principal using the names specified in --allow-principal and --deny-principal parameters. This Principal can be included in KafkaPrincipal using the new constructor specified above.
  • This alternative was rejected due to following reasons :
    1. Since the Principal is built using the "--principalBuilder-properties", users can only specify a particular type of Principal(s) (using --allow-principal / --deny-principal) at a time.

    2. If users want to specify multiple types of Principals, they will have to run the kafka-acls.sh multiple times with different "--principalBuilder-properties", even if the Principals might have the same name. For example, we can have a service Principal with name "XYZ" and a user Principal with name "XYZ".

  • Due to above reasons, it is quite clear that it is less user friendly and not intuitive.

Alternative 2 :

  • Changes to kafka-acls.sh

    • Kafka-acls.sh will allow to specify a custom PrincipalBuilder class using a new command line parameter "-- principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties".
    • The "--allow-principal" will take list of properties as follows :

      Code Block
      languagejava
      themeMidnight
      bin/kafka-acls.sh ...... --principalBuilder <PrincipalBuilder-class> --principalBuilder-properties <PrincipalBuilder-properties> --add --allow-principal <principal-properties> --allow-principal <principal-properties> ...... --operations Read,Write --topic Test-topic
    • Add a new API to PrincipalBuilder :

      Code Block
      languagejava
      themeMidnight
      public interface PrincipalBuilder extends Configurable {
      ...
      
        /**
         * Build a Principal using the provided configs.
         *
         * @param  principalConfigs  configs used to create the Principal
         * @return Principal
         */
        Principal buildPrincipal(Map<String, ?> principalConfigs);
      
      ...
      }
    • The specified PrincipalBuilder class will be responsible for building the Principal using the <principal-properties>.
    • The Principal generated by this PrincipalBuilder can then be included in KafkaPrincipal using the new constructor specified above.
    • The "--principalBuilder" and "--principalBuilder-properties" parameters are optional. If its not specified, the Kafka-acls.sh would still work as it does today.

  • This was rejected as per discussions on the email thread as this is a nice to have feature but there is no urgent need for this.

...