You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@kafka.apache.org by "Bart Van Bos (Jira)" <ji...@apache.org> on 2022/10/29 10:15:00 UTC
[jira] [Created] (KAFKA-14340) KIP-880: X509 SAN based SPIFFE URI ACL within mTLS Client Certificates
Bart Van Bos created KAFKA-14340:
------------------------------------
Summary: KIP-880: X509 SAN based SPIFFE URI ACL within mTLS Client Certificates
Key: KAFKA-14340
URL: https://issues.apache.org/jira/browse/KAFKA-14340
Project: Kafka
Issue Type: Wish
Components: security
Affects Versions: 3.3.1
Reporter: Bart Van Bos
Istio and other SPIFFE based systems use clients certificates to provide workload ID. Kafka currently does support Client Cert based AuthN/Z and mapping to ACL, but only so be inspecting the CN field within a Client Certificate.
There are several POC implementations our there implementing a bespoke _KafkaPrincipalBuilder_ implementation for this purpose. Two examples include
* [https://github.com/traiana/kafka-spiffe-principal]
* [https://github.com/boeboe/kafka-istio-principal-builder] (written by myself)
This KIP request is to include this functionality into Kafka's main functionality so end-users don't need to load custom and non-vetted java classes.
The main use case for me is having a lot of istio customers that express the will to be able to leverage SPIFFE based IDs for there Kafka ACL Authorization.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)