Mayuresh Gharat commented on KAFKA-4454:

[~ijuma] Thanks for pointing me to the patch. The idea of using SimplePrincipal 
looks goods OR we can add an another constructor that takes in an additional 
parameter "channelPrincipal" of type Java.Principal. 
The main change will be required in SocketServer line : 
   val session = 
and change it to :
   val session = RequestChannel.Session(new 
KafkaPrincipal(KafkaPrincipal.USER_TYPE, channel.principal.getName, 
where channel.principal() is going to return the Principal generated by the 

Regarding "Do you have some examples of fields that you would want your 
principal to pass?"
---> Our Authorizer implementation delegates to Linkedin's security infra 
team's library that creates a Java.Principal with some additional information 
form the provided client cert. This information is required by their ACL 
service to ALLOW or DENY operations. 
This is likely to be a common use case for most of the companies, that have 
custom ACL service of their own.

> Authorizer should also include the Principal generated by the 
> PrincipalBuilder.
> -------------------------------------------------------------------------------
>                 Key: KAFKA-4454
>                 URL: https://issues.apache.org/jira/browse/KAFKA-4454
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions:
>            Reporter: Mayuresh Gharat
>            Assignee: Mayuresh Gharat
>             Fix For:
> Currently kafka allows users to plugin a custom PrincipalBuilder and a custom 
> Authorizer.
> The Authorizer.authorize() object takes in a Session object that wraps 
> KafkaPrincipal and InetAddress.
> The KafkaPrincipal currently has a PrincipalType and Principal name, which is 
> the name of Principal generated by the PrincipalBuilder. 
> This Principal, generated by the pluggedin PrincipalBuilder might have other 
> fields that might be required by the pluggedin Authorizer but currently we 
> loose this information since we only extract the name of Principal while 
> creating KaflkaPrincipal in SocketServer.  
> It would be great if KafkaPrincipal has an additional field 
> "channelPrincipal" which is used to store the Principal generated by the 
> plugged in PrincipalBuilder.
> The pluggedin Authorizer can then use this "channelPrincipal" to do 
> authorization.

This message was sent by Atlassian JIRA

Reply via email to