You are viewing a plain text version of this content. The canonical link for it is here.

Posted to jira@kafka.apache.org by "ASF GitHub Bot (JIRA)" <ji...@apache.org> on 2018/05/17 13:55:00 UTC

[jira] [Commented] (KAFKA-6912) Add authorization tests for custom principal types

    [ https://issues.apache.org/jira/browse/KAFKA-6912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16479087#comment-16479087 ] 

ASF GitHub Bot commented on KAFKA-6912:
---------------------------------------

rajinisivaram opened a new pull request #5030: KAFKA-6912: Add test for authorization with custom principal types
URL: https://github.com/apache/kafka/pull/5030
 
 
   
   ### Committer Checklist (excluded from commit message)
   - [ ] Verify design and implementation 
   - [ ] Verify test coverage and CI build status
   - [ ] Verify documentation (including upgrade notes)
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Add authorization tests for custom principal types
> --------------------------------------------------
>
>                 Key: KAFKA-6912
>                 URL: https://issues.apache.org/jira/browse/KAFKA-6912
>             Project: Kafka
>          Issue Type: Task
>          Components: core
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.0.0
>
>
> KIP-290 proposes to add prefixed-wildcarded principals to enable ACLs to be configured for groups of principals. This doesn't work with all security protocols - e.g. SSL principals are of format CN=name,O=org,C=country where prefixes don't fit in terms of grouping. Kafka currently doesn't support the concept of user groups, but it is possible to use custom KafkaPrincipalBuilders to generate group principals during authentication. By default, Kafka generates principals of type User, but custom types (e.g. Group) are supported. This does currently have the restriction ACLs may be defined only at group level (cannot combine both user & group level ACLs for a connection), but it works currently for all security protocols.
> We don't have any tests that verify custom principal types and authorization based on custom principal types. It will be good to add some tests.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)