Hey everyone, I see that we have certificate-based authentication in this commit <https://github.com/apache/bookkeeper/commit/8e0bd2c3d81b522e97434d8646915f36422a104b>. We also provide extensibility for 'authorization' by implementing our own AuthZ factory which extends bookieAuthProvider. However, to implement authorization, we need a configurable role-based authorization based on certain attributes in the certificates. Usually, we've seen this done in 2 ways.

1. Have the role attributes in the 'OU' field of the 'Subject' field of the certificate. This is a dump of the SUBJECT field from bookkeeper-server/src/test/resources/server-cert.pem:

   CN=apache.bookkeeper.org
   O=Dummy
   L=San Francisco
   S=CA
   C=US

2. Have role attributes using SPIFFE in the Extended SANs section of the certificate. Something as simple as the following:

   spiffe://internal-key-service/v1/service={service}/namespace={namespace}/

   Where the service can be Pulsar brokers, Herddb clients etc., and the namespace can be the cluster name/id. SPIFFE provides extensibility with more levels of abstraction that can be added.

Having this sort of certificate-based AuthZ will enable us to set granular control on what bookkeeper clients can access, or even something as simple as allowing read-only access for certain clients etc.

I was wondering if we have plans for anything like this or if the upstream consumers are interested in this.

Regards,
Anup
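
The two options described in the message above, sketched as an added example that is not part of the original message and is not BookKeeper code. The class, method, role and policy names are hypothetical, the inputs are constructed, and it assumes Java 9+ and a subject already rendered as an RFC 2253 string.

```java
import java.net.URI;
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.*;

// Added illustration; class, method and role names are hypothetical, not BookKeeper APIs.
public class CertRoleExample {
    enum Permission { READ, WRITE }

    // Assumed policy: role (an OU value or a SPIFFE service) -> allowed operations.
    static final Map<String, Set<Permission>> POLICY = Map.of(
        "pulsar-broker", EnumSet.of(Permission.READ, Permission.WRITE),
        "herddb-client", EnumSet.of(Permission.READ));

    // Option 1: OU values of an RFC 2253 subject, e.g. getSubjectX500Principal().getName().
    static List<String> rolesFromSubject(String dn) throws InvalidNameException {
        List<String> roles = new ArrayList<>();
        for (Rdn rdn : new LdapName(dn).getRdns())
            if ("OU".equalsIgnoreCase(rdn.getType())) roles.add(rdn.getValue().toString());
        return roles;
    }

    // Option 2: spiffe://<trustDomain>/v1/service=<s>/namespace=<n>/ from a URI SAN.
    static Map<String, String> attrsFromSpiffe(String san, String trustDomain) {
        URI u = URI.create(san);
        String[] seg = u.getPath() == null ? new String[0] : u.getPath().split("/");
        boolean ok = "spiffe".equals(u.getScheme()) && trustDomain.equals(u.getHost())
            && u.getUserInfo() == null && u.getPort() == -1
            && u.getQuery() == null && u.getFragment() == null
            && seg.length == 4 && seg[1].equals("v1")
            && seg[2].startsWith("service=") && seg[2].length() > 8
            && seg[3].startsWith("namespace=") && seg[3].length() > 10;
        if (!ok) throw new IllegalArgumentException("rejected SAN URI: " + san);
        return Map.of("service", seg[2].substring(8), "namespace", seg[3].substring(10));
    }

    // Deny by default: an unknown role has no permissions.
    static boolean isAllowed(String role, Permission p) {
        return POLICY.getOrDefault(role, Set.of()).contains(p);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; the OU is added here, the page's subject dump has none.
        System.out.println(rolesFromSubject(
            "CN=apache.bookkeeper.org,OU=herddb-client,O=Dummy,L=San Francisco,ST=CA,C=US"));
        Map<String, String> a = attrsFromSpiffe(
            "spiffe://internal-key-service/v1/service=herddb-client/namespace=cluster-a/",
            "internal-key-service");
        System.out.println(a + " write=" + isAllowed(a.get("service"), Permission.WRITE));
    }
}
```

The SPIFFE parser pins the trust domain and rejects anything that deviates from the template (extra path segments, query, fragment, port or user info), so a role can only come from a URI whose shape the policy author expected.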