Christopher,

It is definitely worth writing this up and starting a discussion on the dev list. A KIP is required if there are changes to public interfaces or configuration. I imagine this will require some config changes and hence if you can write up a small KIP, that will be useful for discussion.

Regards,

Rajini

On Mon, Feb 13, 2017 at 1:17 PM, Christopher Shannon <christopher.l.shan...@gmail.com> wrote:

> Thanks for the response Rajini.
>
> It might be nice to support both but really I just need a mechanism to get hold of the client credentials when using SSL and then to do some extra custom authentication processing with the credentials. I was thinking that to do this it would make sense to optionally allow the configuration of a custom JAAS LoginModule to be used when authenticating with SSL so that authentication logic could be plugged in (just like the SASL SSL channel allows a configurable LoginModule). The credentials could then be obtained with the help of an X509 CallbackHandler. Also if a login module is configured then it could return the principal instead of having to write a custom principal builder class.
>
> I am happy to work on a pull request for this change. I'm not sure if a change like this would require a KIP but I can start a dev list thread to see what others think.
>
> On Mon, Feb 13, 2017 at 7:10 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>
> > Christopher,
> >
> > SSL client authentication is currently disabled when SASL_SSL is used, so it is not possible to use client certificate credentials with SASL_SSL. Are you expecting to authenticate clients using certificates as well as using SASL? Or do you just need some mechanism to get hold of the client credentials with SSL?
> >
> > Regards,
> >
> > Rajini
> >
> > On Fri, Feb 10, 2017 at 5:46 PM, Christopher Shannon <christopher.l.shan...@gmail.com> wrote:
> >
> > > I need to create a custom JAAS module for authentication but I need to pass client certificate credentials as the principal. SASL_SSL mode has support for a JAAS module but from looking at the source code there doesn't appear to be a way to pass SSL client credentials to the module. The only callback handlers are for username/password and for Kerberos. However, the SSL mode can extract a principal from the client certificate but when using SSL without SASL there appears to be no way to plug in a JAAS module.
> > >
> > > So it seems that I am looking for kind of a combination of SSL and SASL_SSL modes. Is there any way to configure out of the box what I am trying to do or is this going to require a code change? I can work on a pull request if necessary.
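
The idea proposed in the Feb 13 message above (a configurable JAAS LoginModule for SSL connections that obtains the client certificate through a callback and returns the principal) could look like the following. This is an added example, not part of the thread and not Kafka code: `X509LoginModule`, `X509Callback` and the `allowed_ou` option are hypothetical names, and it assumes the broker's CallbackHandler fills in the peer certificate chain from the TLS session.

```java
import java.security.cert.*;
import java.util.Map;
import javax.naming.ldap.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

public class X509LoginModule implements LoginModule {
    /** Hypothetical callback: the broker's handler would set the chain from the TLS session. */
    public static class X509Callback implements Callback { public X509Certificate[] chain; }
    private Subject subject;
    private CallbackHandler handler;
    private String allowedOu;         // hypothetical JAAS option "allowed_ou"
    private X500Principal principal;  // set only by a successful login()

    @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s;
        handler = h;
        allowedOu = (String) options.get("allowed_ou");
    }

    @Override public boolean login() throws LoginException {
        X509Callback cb = new X509Callback();
        try {
            handler.handle(new Callback[] {cb});
            if (cb.chain == null || cb.chain.length == 0) throw new CertificateException("no client certificate");
            cb.chain[0].checkValidity();  // extra check; chain trust is assumed already verified by TLS
            X500Principal dn = cb.chain[0].getSubjectX500Principal();
            for (Rdn rdn : new LdapName(dn.getName()).getRdns())  // getName() returns an RFC 2253 DN
                if (rdn.getType().equalsIgnoreCase("OU") && rdn.getValue().equals(allowedOu)) principal = dn;
        } catch (Exception e) {  // callback, validity or DN-parsing failure: fail closed
            throw new FailedLoginException("certificate rejected: " + e.getMessage());
        }
        if (principal == null) throw new FailedLoginException("OU not permitted");
        return true;
    }

    @Override public boolean commit() {
        if (principal != null) subject.getPrincipals().add(principal);  // module supplies the principal
        return principal != null;
    }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {
        if (principal != null) subject.getPrincipals().remove(principal);
        principal = null;
        return true;
    }
}
```

If `allowed_ou` is not configured, no OU matches and every login is rejected, so a missing option fails closed.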