Yes, by default, we take the full SSL certificate attributes as the user
name. This may not be suitable for ACL. We do allow the SSL user name to be
customized through PrincipalBuilder. You can define a
customized PrincipalBuilder and pass that in
through "principal.builder.class". The customized PrincipalBuilder can
extract just the user attribute in the SSL certificate.

Thanks,

Jun

On Mon, Nov 2, 2015 at 1:19 AM, <lukasz.debowc...@nordea.com> wrote:

> Hi,
>
> My company is currently looking at Kafka as a message broker. One of the key
> aspects is security. I'm currently looking at the authentication/authorization
> mechanisms in Kafka 0.9.0.0-SNAPSHOT. We have decided that SSL based
> authentication/authorization will be sufficient for us at the beginning.
> We have managed to get the mechanism working, but I have a couple of questions:
>
>
> 1)      On the page
> https://cwiki.apache.org/confluence/display/KAFKA/Security#Security-Authorization
> you describe the username extraction mechanism like this: "When the
> client authenticates using SSL, the user name will be the first element in
> the Subject Alternate Name field of the client certificate." I found that it
> isn't implemented in the current Kafka sources. Will it be implemented in the
> future?
>
> 2)      I found that currently the username is a concatenation of standard
> certificate fields and it looks like this:
> "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". It's ok
> for us, but it turned out that kafka.admin.AclCommand doesn't accept a username
> containing commas, as they are used in the list of users. To get it working I
> had to change kafka.admin.AclCommand to accept commas in a username. The
> question is: am I doing something wrong or is it an unfinished feature?
>
> Kind regards
> Łukasz Dębowczyk
>

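A worked example of the customized PrincipalBuilder Jun describes, added here as an illustration and not code from the thread or from Kafka itself. It implements the 0.9.0 `org.apache.kafka.common.security.auth.PrincipalBuilder` interface and maps an SSL client certificate to the value of its CN attribute only, so the ACL user name becomes "writeuser" rather than the full DN with its commas. The package name `com.example.kafka.security` and the class name `CnPrincipalBuilder` are assumptions for the example; the interface methods, `TransportLayer.peerPrincipal()` and `KafkaPrincipal` are the ones in Kafka 0.9.0.

```java
package com.example.kafka.security; // assumed package name for the example

import java.security.Principal;
import java.util.Map;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;

/**
 * Example PrincipalBuilder (not part of Kafka) that maps an SSL client
 * certificate to the value of its CN attribute, so the ACL principal is
 * "User:writeuser" instead of
 * "User:CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown".
 */
public class CnPrincipalBuilder implements PrincipalBuilder {

    @Override
    public void configure(Map<String, ?> configs) {
        // This builder takes no configuration of its own.
    }

    @Override
    public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator)
            throws KafkaException {
        Principal peer;
        try {
            peer = transportLayer.peerPrincipal();
        } catch (Exception e) {
            throw new KafkaException("Failed to read peer principal", e);
        }
        if (!(peer instanceof X500Principal)) {
            // Not an SSL-authenticated peer (plaintext or SASL): keep the
            // default behaviour of using the peer principal name as-is.
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, peer.getName());
        }
        String dn = ((X500Principal) peer).getName(X500Principal.RFC2253);
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, extractCn(dn));
    }

    /**
     * Returns the single CN attribute of an RFC 2253 distinguished name.
     * A certificate with no CN, or with more than one, is rejected rather
     * than being silently mapped to some other identity.
     */
    static String extractCn(String dn) throws KafkaException {
        String cn = null;
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    if (cn != null) {
                        throw new KafkaException("More than one CN in certificate subject: " + dn);
                    }
                    cn = String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            throw new KafkaException("Unparseable certificate subject: " + dn, e);
        }
        if (cn == null || cn.isEmpty()) {
            throw new KafkaException("No CN in certificate subject: " + dn);
        }
        return cn;
    }

    @Override
    public void close() throws KafkaException {
        // Nothing to release.
    }
}
```

With this class on the broker classpath and `principal.builder.class=com.example.kafka.security.CnPrincipalBuilder` in server.properties, the ACL for the certificate quoted in the question is granted with `--allow-principal User:writeuser`, and the comma problem in kafka.admin.AclCommand does not arise. One caveat worth checking before relying on this: every certificate the broker truststore accepts whose CN is "writeuser" now gets that identity, so the issuing CA (or whoever signs client certificates) must guarantee that CNs are unique per user, and a truststore should contain only CAs you control for this purpose.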