Ismael Juma commented on KAFKA-4454:

[~mgharat], thanks. That could work. Do you have some examples of fields that 
you would want your principal to pass? Generally, I think the current way we 
use `KafkaPrincipal` is a bit confusing. I created a PR[1] a while back that 
used `SimplePrincipal` for authentication and `KafkaPrincipal` for 
authorization. With the clear separation, adding a field for authorization 
purposes (like proposed here) would not affect the authentication cases.

[1] https://github.com/apache/kafka/pull/551/files

> Authorizer should also include the Principal generated by the 
> PrincipalBuilder.
> -------------------------------------------------------------------------------
>                 Key: KAFKA-4454
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4454
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions:
>            Reporter: Mayuresh Gharat
>            Assignee: Mayuresh Gharat
>             Fix For:
> Currently Kafka allows users to plug in a custom PrincipalBuilder and a custom 
> Authorizer.
> The Authorizer.authorize() object takes in a Session object that wraps 
> KafkaPrincipal and InetAddress.
> The KafkaPrincipal currently has a PrincipalType and Principal name, which is 
> the name of the Principal generated by the PrincipalBuilder.
> This Principal, generated by the plugged-in PrincipalBuilder, might have other 
> fields that might be required by the plugged-in Authorizer, but currently we 
> lose this information since we only extract the name of the Principal while 
> creating KafkaPrincipal in SocketServer.
> It would be great if KafkaPrincipal has an additional field 
> "channelPrincipal" which is used to store the Principal generated by the 
> plugged-in PrincipalBuilder.
> The plugged-in Authorizer can then use this "channelPrincipal" to do 
> authorization.

This message was sent by Atlassian JIRA
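
The information loss described in the issue, and the effect of the proposed "channelPrincipal" field, as an added example that is not part of the original message and is not Kafka's own code. `GroupPrincipal`, `KafkaPrincipalModel` and `authorize` are hypothetical, simplified stand-ins for the types the issue names; the sample principal is constructed, and Java 16 or later is assumed.

```java
import java.security.Principal;
import java.util.Set;

// Simplified stand-ins for the types named in the issue; not Kafka's real classes.
public class ChannelPrincipalDemo {

    // Hypothetical principal a custom PrincipalBuilder might return: a name plus group claims.
    record GroupPrincipal(String name, Set<String> groups) implements Principal {
        @Override
        public String getName() { return name; }
    }

    // Stand-in for KafkaPrincipal carrying the proposed extra field. channelPrincipal is
    // null when only the name was copied, which is the behaviour the issue describes.
    record KafkaPrincipalModel(String principalType, String name, Principal channelPrincipal) {
        static KafkaPrincipalModel nameOnly(Principal p) {
            return new KafkaPrincipalModel("User", p.getName(), null);
        }
        static KafkaPrincipalModel wrapping(Principal p) {
            return new KafkaPrincipalModel("User", p.getName(), p);
        }
    }

    // Hypothetical group-based authorizer. It needs the builder's original principal
    // to see the group claims and denies when they are unavailable.
    static boolean authorize(KafkaPrincipalModel kp, String requiredGroup) {
        if (kp.channelPrincipal() instanceof GroupPrincipal gp) {
            return gp.groups().contains(requiredGroup);
        }
        return false; // fail closed: a bare name carries no group information
    }

    public static void main(String[] args) {
        // Constructed sample principal, as a custom PrincipalBuilder might produce it.
        Principal built = new GroupPrincipal("alice", Set.of("payments-writers"));

        System.out.println("name only: "
                + authorize(KafkaPrincipalModel.nameOnly(built), "payments-writers"));
        System.out.println("wrapping:  "
                + authorize(KafkaPrincipalModel.wrapping(built), "payments-writers"));
    }
}
```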