This is an automated email from the ASF dual-hosted git repository.
chia7712 pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/4.0 by this push:
new 22d79b203ae KAFKA-18919 Clarify that KafkaPrincipalBuilder classes
must also implement KafkaPrincipalSerde (#19104)
22d79b203ae is described below
commit 22d79b203ae291e65513353a8f7f8e68a5ea57d7
Author: S.Y. Wang <[email protected]>
AuthorDate: Wed Mar 5 22:25:09 2025 +0900
KAFKA-18919 Clarify that KafkaPrincipalBuilder classes must also implement
KafkaPrincipalSerde (#19104)
In KRaft mode, custom KafkaPrincipalBuilder instances must implement
KafkaPrincipalSerde. This PR updates all related documentation to highlight
this requirement.
Reviewers: Ken Huang <[email protected]>, David Jacot
<[email protected]>, TengYao Chi <[email protected]>, Chia-Ping Tsai
<[email protected]>
---
.../apache/kafka/common/config/internals/BrokerSecurityConfigs.java | 4 +++-
.../org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java | 4 ++++
docs/zk2kraft.html | 5 +++++
3 files changed, 12 insertions(+), 1 deletion(-)
diff --git
a/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
b/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
index 0b26733f0c4..a8947ede154 100644
---
a/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
+++
b/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
@@ -79,7 +79,9 @@ public class BrokerSecurityConfigs {
"name from the client certificate if one is provided; otherwise,
if client authentication is not required, " +
"the principal name will be ANONYMOUS. For SASL authentication,
the principal will be derived using the " +
"rules defined by <code>" +
SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG + "</code> if GSSAPI is in use, "
+
- "and the SASL authentication ID for other mechanisms. For
PLAINTEXT, the principal will be ANONYMOUS.";
+ "and the SASL authentication ID for other mechanisms. For
PLAINTEXT, the principal will be ANONYMOUS. " +
+ "Note that custom implementations of
<code>KafkaPrincipalBuilder</code> is required to implement
<code>KafkaPrincipalSerde</code> " +
+ "interface, otherwise brokers will not be able to forward requests
to the controller.";
public static final String SSL_CLIENT_AUTH_CONFIG = "ssl.client.auth";
public static final String SSL_CLIENT_AUTH_DEFAULT =
SslClientAuth.NONE.toString();
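Review bot: The added sentence in this doc string has a subject-verb mismatch and a missing article: "custom implementations of <code>KafkaPrincipalBuilder</code> is required to implement <code>KafkaPrincipalSerde</code> interface". Suggest "custom implementations of <code>KafkaPrincipalBuilder</code> are required to implement the <code>KafkaPrincipalSerde</code> interface", or reuse the "must also implement" wording from the other two hunks. The commit message and the docs/zk2kraft.html hunk scope the requirement to KRaft mode, while this string states it unconditionally, so the three places should agree on the condition.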
diff --git
a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
index 941d3b12102..ec4317268d1 100644
---
a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
+++
b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
@@ -23,6 +23,10 @@ package org.apache.kafka.common.security.auth;
* Note that the {@link org.apache.kafka.common.Configurable} and {@link
java.io.Closeable}
* interfaces are respected if implemented. Additionally, implementations must
provide a
* default no-arg constructor.
+ *
+ * Note that custom implementations of {@link KafkaPrincipalBuilder}
+ * must also implement {@link KafkaPrincipalSerde}, otherwise brokers will not
be able to
+ * forward requests to the controller.
*/
public interface KafkaPrincipalBuilder {
/**
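Review bot: The new Javadoc note is separated from the preceding paragraph only by a bare " *" line, which Javadoc does not render as a paragraph break. Start the added text with <p> so it does not run on from "default no-arg constructor." in the generated documentation. The {@link KafkaPrincipalBuilder} in the note points at the interface this comment already documents, so {@code KafkaPrincipalBuilder} or "this interface" would avoid a self-link. As in the config string, the note omits the "In KRaft mode" qualifier that the commit message and docs/zk2kraft.html use.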
diff --git a/docs/zk2kraft.html b/docs/zk2kraft.html
index fc3a9155ebe..f2df5505a05 100644
--- a/docs/zk2kraft.html
+++ b/docs/zk2kraft.html
@@ -248,6 +248,11 @@
(<code>create.topic.policy.class.name</code> and
<code>alter.config.policy.class.name</code>) on the controller.
<p>Note: If migrating from ZooKeeper mode, ensure policy JARs are
moved from brokers to controllers.</p>
</li>
+ <li>
+ <strong>Custom implementations of
<code>KafkaPrincipalBuilder</code></strong>:
+ In KRaft mode, custom implementations of
<code>KafkaPrincipalBuilder</code> must also implement
<code>KafkaPrincipalSerde</code>; otherwise brokers will not be able to
+ forward requests to the controller.
+ </li>
</ul>
</div>
<!--#include virtual="../includes/_footer.htm" -->
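Review bot: The new list item states the requirement and its consequence but gives the operator nothing to do during migration, unlike the preceding item, which ends with "Note: If migrating from ZooKeeper mode, ensure policy JARs are moved from brokers to controllers." Consider adding a matching note telling operators to confirm before migrating that their custom builder class implements <code>KafkaPrincipalSerde</code>, and naming the broker configuration property that selects the builder so the affected setting is easy to find. "brokers will not be able to forward requests to the controller" would also be more useful if it said how the failure shows up to the operator.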