This Confluence has been LDAP enabled, if you are an ASF Committer, please use your LDAP Credentials to login. Any problems file an INFRA jira ticket please.

Child pages
  • KIP-111: Kafka should preserve the Principal generated by the PrincipalBuilder while processing the request received on socket channel, on the broker.

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  • This PrincipalBuilder API will then be used to generate a Principal using the names specified in --allow-principal and --deny-principal parameters. This Principal can be included in KafkaPrincipal using the new constructor specified above.
  • This alternative was rejected due to following reasons :
    1. Since the Principal is built using the "--principalBuilder-properties", users can only specify a particular type of Principal(s) (using --allow-principal / --deny-principal) at a time.

    2. If users want to specify multiple types of Principals, they will have to run the multiple times with different "--principalBuilder-properties", even if the Principals might have the same name. For example, we can have a service Principal with name "XYZ" and a user Principal with name "XYZ".

  • Due to above reasons, it is quite clear that it is less user friendly and not intuitive.

Alternative 2 :

  • Changes to

    • will allow to specify a custom PrincipalBuilder class using a new command line parameter "-- principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties".
    • The "--allow-principal" will take list of properties as follows :

      Code Block
      bin/ ...... --principalBuilder <PrincipalBuilder-class> --principalBuilder-properties <PrincipalBuilder-properties> --add --allow-principal <principal-properties> --allow-principal <principal-properties> ...... --operations Read,Write --topic Test-topic
    • Add a new API to PrincipalBuilder :

      Code Block
      public interface PrincipalBuilder extends Configurable {
         * Build a Principal using the provided configs.
         * @param  principalConfigs  configs used to create the Principal
         * @return Principal
        Principal buildPrincipal(Map<String, ?> principalConfigs);
    • The specified PrincipalBuilder class will be responsible for building the Principal using the <principal-properties>.
    • The Principal generated by this PrincipalBuilder can then be included in KafkaPrincipal using the new constructor specified above.
    • The "--principalBuilder" and "--principalBuilder-properties" parameters are optional. If its not specified, the would still work as it does today.

  • This was rejected as per discussions on the email thread as this is a nice to have feature but there is no urgent need for this.