this is a quick and dirty test you can use:
org.apache.kafka.common.network.SSLSelectorTest:

    // Truststore needs to contain the keystore/cert that contains the actual principal you will use
    File trustStoreFile = File.createTempFile("truststore", ".jks");
    Map<String, Object> sslServerConfigs =
        org.apache.kafka.test.TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");

    // supply the PrincipalBuilder java class name to the SSL server under "principal.builder.class"
    // (default class is "org.apache.kafka.common.security.auth.DefaultPrincipalBuilder")
    sslServerConfigs.put(org.apache.kafka.common.config.SslConfigs.PRINCIPAL_BUILDER_CLASS_CONFIG,
        Class.forName(SslConfigs.DEFAULT_PRINCIPAL_BUILDER_CLASS));

    try {
        this.server = new org.apache.kafka.common.network.EchoServer(sslServerConfigs);
    } catch (org.apache.kafka.common.KafkaException excp) {
        log.debug("SslSelectorTest::setup LINE 55 new EchoServer throws KafkaException message=" + excp.getMessage());
    }

    try {
        this.server.start();
        this.time = new org.apache.kafka.common.utils.MockTime();

        // create client SSL config (client side, so Mode.CLIENT; the original post had Mode.SERVER here)
        Map<String, Object> sslClientConfigs =
            org.apache.kafka.test.TestSslUtils.createSslConfig(false, false, Mode.CLIENT, trustStoreFile, "client");
        this.channelBuilder = new org.apache.kafka.common.network.SslChannelBuilder(org.apache.kafka.common.network.Mode.CLIENT);
        this.channelBuilder.configure(sslClientConfigs);
        this.metrics = new org.apache.kafka.common.metrics.Metrics();
        // if the metric group is not specified or null the Selector throws an NPE
        this.selector = new org.apache.kafka.common.network.Selector(5000, metrics, time, "MetricGroup",
            new LinkedHashMap<String, String>(), channelBuilder);
    } catch (NullPointerException npe) {
        log.debug("SslSelectorTest::setup LINE 67 throws NPE message=" + npe.getMessage());
    }

    /* display attributes to ascertain the principal name
       (uses the Fujitsu Interstage ISAuthorizationCredential / ISSsoAction classes from the manual linked below;
       needs java.util.Set, java.util.Iterator, java.security.Principal, java.security.PrivilegedAction) */
    public void authorize() {
        System.out.println("\n" + "*** Credential Information ***");
        // get the private credential Set (obtaining user information)
        javax.security.auth.Subject subject = new javax.security.auth.Subject();
        Set credentials = subject.getPrivateCredentials();
        // display credential information
        Iterator iterator = credentials.iterator();
        while (iterator.hasNext()) {
            Object credential = iterator.next();
            // this credential identifies the login user
            if (credential instanceof ISAuthorizationCredential) {
                ISAuthorizationCredential isCredential = (ISAuthorizationCredential) credential;
                System.out.println("AuthorizationCredential=" + isCredential.getEncryptedCredential());
                System.out.println("Dn=" + isCredential.getDN());
                System.out.println("Uid=" + isCredential.getUID());
                // display roles
                Set roles = isCredential.getRoles();
                if (roles != null) {
                    Iterator ite = roles.iterator();
                    while (ite.hasNext()) {
                        System.out.println("Role=" + ite.next());
                    }
                }
                System.out.println("ClientAddress=" + isCredential.getClientAddress());
                System.out.println("AuthMethod=" + isCredential.getAuthMethod());
                System.out.println("AuthTime=" + isCredential.getAuthTime());
                System.out.println("Expiration=" + isCredential.getExpiration());
            }
        }
        System.out.println("\n" + "*** Principals Information ***");
        // display principal information (obtaining user information)
        Set principals = subject.getPrincipals();
        iterator = principals.iterator();
        while (iterator.hasNext()) {
            Principal principal = (Principal) iterator.next();
            System.out.println("Principal=" + principal.getName());
        }
        System.out.println("\n" + "*** Execute PrivilegedAction ***");
        // privileged operation executed by the attested authority:
        // executing authorization through a custom Java action to collect username/pwd
        PrivilegedAction myAction = new ISSsoAction();
        javax.security.auth.Subject.doAs(subject, myAction);   // doAs is a static method of Subject
    } // end authorize

    http://www.fujitsu.com/downloads/SFTWR/manual/fm_e/b23j37jh0/b1wn4881/01/b1wn488101enz2.pdf

    /* IF you have to create a new URLConnection through a proxy you can use something like
       public class DelegateHttpsURLConnection extends com.sun.net.ssl.internal.www.protocol.https.DelegateHttpsURLConnection */
    DelegateHttpsURLConnection delegate = new DelegateHttpsURLConnection((java.net.URL) url, (java.net.Proxy) p,
        (sun.net.www.protocol.https.Handler) handler, (sun.net.www.protocol.https.HttpsURLConnectionImpl) this);

    /** Returns the principal with which the server authenticated itself or throws an
        SSLPeerUnverifiedException if the server did not authenticate. */
    /* works as long as public interface Principal extends java.security.Principal */
    // the original post called delegate.getPeerCertificate(); the HttpsURLConnection method that
    // returns the server's Principal is getPeerPrincipal(), which throws the checked exception above
    try {
        Principal principal = delegate.getPeerPrincipal();
        if (principal != null)
            log.debug("peer certificate name=" + principal.getName());
    } catch (javax.net.ssl.SSLPeerUnverifiedException e) {
        // if the peer principal did not authenticate, check the local principal
        if (delegate.getLocalPrincipal() != null)
            log.debug("principal name=" + delegate.getLocalPrincipal().getName());
        // otherwise throw an Exception
    }

..it really is that simple..
M-
________________________________
From: Mayuresh Gharat <gharatmayures...@gmail.com>
Sent: Wednesday, November 30, 2016 12:51 PM
To: users@kafka.apache.org
Subject: Re: Writing a customized principal builder for authorization

"principal.builder.class" is the name of the property.

Thanks,
Mayuresh

On Wed, Nov 30, 2016 at 9:30 AM, <gharatmayures...@gmail.com> wrote:
> Hi Kriti,
>
> You will have to implement the Principal Builder interface and provide the
> full class path in broker config. I don't remember the exact config name
> right now, but you can search for some config by name
> "principalbuilder.class" in the broker configs.
>
> Once you do this, Kafka will automatically use your custom
> PrincipalBuilder class for generating the principal.
>
> The buildPrincipal() function in the PrincipalBuilder is where you will
> have to create your custom Principal class object (this custom
> principal class should implement the Java Principal interface) and this custom
> principal.getname() can return whatever name you want.
>
> Let me know if this helps.
>
> Thanks,
>
> Mayuresh
>
> Sent from my iPhone
>
> > On Nov 29, 2016, at 11:40 PM, Kiriti Sai <kiriti163.i...@gmail.com> wrote:
> >
> > Hi,
> > Can anyone help me or point me to any resources that can be of help for
> > writing a customized principal builder to use in Authorization using ACLs?
> > I've enabled SSL authentication scheme for both clients and brokers but I
> > would like to change the principal name to just the original name and
> > Organizational unit instead of the complete default principal name for SSL.
> >
> > Thanks in advance for the help.
>
--
-Regards,
Mayuresh R. Gharat
(862) 250-7125
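An added example, not code from this thread, from the Kafka project or from the Fujitsu manual: a PrincipalBuilder of the kind Mayuresh describes, which takes the SSL peer's full distinguished name and keeps only the CN and OU attributes as the principal name the authorizer sees. It assumes the Kafka 0.10.x interface org.apache.kafka.common.security.auth.PrincipalBuilder (buildPrincipal(TransportLayer, Authenticator), configure, close), that transportLayer.peerPrincipal() returns the client certificate subject as an X500Principal in RFC 2253 form, and that KafkaPrincipal(type, name) and KafkaPrincipal.ANONYMOUS exist as in that release. The package name com.example.kafka.auth and the class name CnOuPrincipalBuilder are made up for the example.

```java
// Added example (not from the thread or the Kafka code base): a PrincipalBuilder that reduces
// the SSL peer's full DN to "CN=<common name>,OU=<organizational unit>".
// Assumes the Kafka 0.10.x PrincipalBuilder interface; package and class names are hypothetical.
package com.example.kafka.auth;

import java.security.Principal;
import java.util.List;
import java.util.Map;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.network.Authenticator;
import org.apache.kafka.common.network.TransportLayer;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.PrincipalBuilder;

public class CnOuPrincipalBuilder implements PrincipalBuilder {

    @Override
    public void configure(Map<String, ?> configs) {
        // nothing to configure; the broker only needs principal.builder.class pointing here
    }

    @Override
    public Principal buildPrincipal(TransportLayer transportLayer, Authenticator authenticator)
            throws KafkaException {
        Principal peer;
        try {
            // for SSL this is the client certificate's subject (full DN), or ANONYMOUS when the
            // client presented no certificate (ssl.client.auth not set to required)
            peer = transportLayer.peerPrincipal();
        } catch (Exception e) {
            throw new KafkaException("Failed to read peer principal", e);
        }
        if (peer == null || KafkaPrincipal.ANONYMOUS.getName().equals(peer.getName())) {
            // keep the anonymous principal unchanged so ACLs for unauthenticated clients still apply
            return KafkaPrincipal.ANONYMOUS;
        }
        // KafkaPrincipal.toString() is "User:<name>", which is the form used in ACLs
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, cnAndOu(peer.getName()));
    }

    /**
     * Keeps only the CN and the most specific (leftmost) OU of an RFC 2253 DN, e.g.
     * "CN=client1,OU=payments,O=Example,C=US" becomes "CN=client1,OU=payments".
     */
    static String cnAndOu(String dn) throws KafkaException {
        try {
            List<Rdn> rdns = new LdapName(dn).getRdns();   // index 0 is the rightmost RDN
            String cn = null;
            String ou = null;
            for (int i = rdns.size() - 1; i >= 0; i--) {   // walk left to right
                Rdn rdn = rdns.get(i);
                if (cn == null && "CN".equalsIgnoreCase(rdn.getType())) {
                    cn = rdn.getValue().toString();
                } else if (ou == null && "OU".equalsIgnoreCase(rdn.getType())) {
                    ou = rdn.getValue().toString();
                }
            }
            if (cn == null) {
                // fail closed: a certificate without a CN cannot be mapped to a distinct user
                throw new KafkaException("Client certificate subject has no CN: " + dn);
            }
            // re-escape through Rdn so a comma or '=' inside a value cannot masquerade as
            // another attribute and collide with a different client's ACL entry
            String result = "CN=" + Rdn.escapeValue(cn);
            if (ou != null) {
                result += ",OU=" + Rdn.escapeValue(ou);
            }
            return result;
        } catch (InvalidNameException e) {
            throw new KafkaException("Peer principal is not a valid DN: " + dn, e);
        }
    }

    @Override
    public void close() throws KafkaException {
        // nothing to release
    }
}
```

With this class on the broker classpath and principal.builder.class=com.example.kafka.auth.CnOuPrincipalBuilder in server.properties, ACLs are written against the shortened name (User:CN=client1,OU=payments) instead of the full subject. Two clients whose certificates differ only in O or C then map to the same principal, so the CA that issues client certificates must guarantee CN/OU uniqueness for this mapping to remain a safe identity.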