[ 
https://issues.apache.org/jira/browse/KAFKA-9933?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17098850#comment-17098850
 ] 

kaushik srinivas commented on KAFKA-9933:
-----------------------------------------

Hi

[~ijuma]

We see that when SASL (GSSAPI) and SSL are both turned ON, only the Kerberos 
principal name is being validated for the ACLs. Even when the SSL certificate 
based principal name was not given ACLs, but ACLs were created for the proper 
Kerberos based name, clients are working fine. 

Is this behavior expected, as in SASL is given precedence for the ACL check 
when both SSL and SASL are enabled?

thanks a lot in advance

kaushik

> Need doc update on the AclAuthorizer when SASL_SSL is the protocol used.
> ------------------------------------------------------------------------
>
>                 Key: KAFKA-9933
>                 URL: https://issues.apache.org/jira/browse/KAFKA-9933
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: kaushik srinivas
>            Priority: Critical
>
> Hello,
> The documentation on the usage of the authorizer does not speak about the 
> principal being used when the protocol for the listener is chosen as 
> SASL + SSL (SASL_SSL).
> Suppose Kerberos and SSL are enabled together, will the authorization be 
> based on the Kerberos principal names or on the SSL certificate DN names?
> There is no document covering this part of the use case.
> This needs information and a documentation update.
> Thanks,
> Kaushik.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
