Posted to dev@kafka.apache.org by "Bart Van Bos (Jira)" <ji...@apache.org> on 2022/10/29 10:15:00 UTC

[jira] [Created] (KAFKA-14340) KIP-880: X509 SAN based SPIFFE URI ACL within mTLS Client Certificates

Bart Van Bos created KAFKA-14340:
------------------------------------

             Summary: KIP-880: X509 SAN based SPIFFE URI ACL within mTLS Client Certificates 
                 Key: KAFKA-14340
                 URL: https://issues.apache.org/jira/browse/KAFKA-14340
             Project: Kafka
          Issue Type: Wish
          Components: security
    Affects Versions: 3.3.1
            Reporter: Bart Van Bos


Istio and other SPIFFE-based systems use client certificates to provide workload ID. Kafka currently does support client-cert-based AuthN/Z and mapping to ACLs, but only by inspecting the CN field within a client certificate.

There are several POC implementations out there implementing a bespoke _KafkaPrincipalBuilder_ implementation for this purpose. Two examples include:

 * [https://github.com/traiana/kafka-spiffe-principal]
 * [https://github.com/boeboe/kafka-istio-principal-builder] (written by myself)
This KIP request is to include this functionality in Kafka's main functionality so end-users don't need to load custom and non-vetted Java classes.

The main use case for me is having a lot of Istio customers that express the will to be able to leverage SPIFFE-based IDs for their Kafka ACL authorization.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
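As an added illustration of the mapping the issue asks for, the following is a minimal `KafkaPrincipalBuilder` that takes the SPIFFE URI SAN of the validated mTLS client certificate as the principal name. It is example code written for this page, not code from Kafka or from either of the linked projects. It assumes Kafka's public `org.apache.kafka.common.security.auth` API (`KafkaPrincipalBuilder`, `SslAuthenticationContext`, `KafkaPrincipal`), the package name `example` and the trust domain `cluster.local` are constructed for the example, and it fails closed: no SSL context, no certificate, zero SPIFFE URIs, more than one SPIFFE URI, or a URI from a foreign trust domain all reject the connection instead of falling back to the CN.

```java
package example; // constructed package name, not part of Kafka

import java.net.URI;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;

import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;

/**
 * Maps the SPIFFE URI SAN of an mTLS client certificate to a Kafka principal,
 * e.g. "User:spiffe://cluster.local/ns/payments/sa/orders".
 * The listener must run with ssl.client.auth=required so that the leaf
 * certificate has already been validated against the broker truststore
 * by the time build() is called; this class only reads identity, it does
 * not verify the chain.
 */
public class SpiffePrincipalBuilder implements KafkaPrincipalBuilder {

    // GeneralName tag for uniformResourceIdentifier in SubjectAltName (RFC 5280).
    private static final int SAN_URI = 6;

    // Assumption for this example: a single accepted trust domain. IDs from any
    // other trust domain are rejected rather than silently mapped to a principal.
    private final String expectedTrustDomain;

    public SpiffePrincipalBuilder() {
        this("cluster.local"); // constructed default, matches Istio's default trust domain
    }

    SpiffePrincipalBuilder(String expectedTrustDomain) {
        this.expectedTrustDomain = expectedTrustDomain;
    }

    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        if (!(context instanceof SslAuthenticationContext)) {
            // PLAINTEXT/SASL listeners carry no client certificate: deny, don't guess.
            throw new IllegalArgumentException("SPIFFE principals require an SSL authentication context");
        }
        SslAuthenticationContext ssl = (SslAuthenticationContext) context;
        try {
            Certificate[] chain = ssl.session().getPeerCertificates();
            if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                throw new IllegalArgumentException("No X.509 client certificate presented");
            }
            // chain[0] is the leaf (the workload's own certificate).
            String spiffeId = extractSpiffeId((X509Certificate) chain[0]);
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, spiffeId);
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            throw new IllegalArgumentException("Unable to read client certificate", e);
        }
    }

    /** Returns the single spiffe:// URI SAN, rejecting ambiguous or foreign identities. */
    String extractSpiffeId(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        List<String> ids = new ArrayList<>();
        if (sans != null) {
            for (List<?> san : sans) {
                // Each entry is [Integer tag, value]; only URI-typed entries matter here.
                if (((Integer) san.get(0)) == SAN_URI) {
                    String value = (String) san.get(1);
                    URI uri = URI.create(value); // malformed URI -> IllegalArgumentException (fail closed)
                    if ("spiffe".equals(uri.getScheme())
                            && expectedTrustDomain.equals(uri.getHost())
                            && uri.getPath() != null && !uri.getPath().isEmpty()) {
                        ids.add(value);
                    }
                }
            }
        }
        if (ids.size() != 1) {
            throw new IllegalArgumentException("Expected exactly one SPIFFE ID in trust domain "
                    + expectedTrustDomain + ", found " + ids.size());
        }
        return ids.get(0);
    }
}
```

The broker picks it up via `principal.builder.class=example.SpiffePrincipalBuilder` together with `ssl.client.auth=required` on the mTLS listener, after which ACLs can be written against the workload identity, e.g. `kafka-acls.sh --add --allow-principal "User:spiffe://cluster.local/ns/payments/sa/orders" ...`. Two caveats: the exactly-one-SPIFFE-URI rule is deliberate, since a certificate carrying several URIs would otherwise let the builder pick an identity the operator did not intend, and a KRaft broker additionally expects the builder to implement `KafkaPrincipalSerde` so the principal can be forwarded to the controller, which this example omits.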