Hi Rajini. Thanks for the clearly-written KIP. The addition of mTLS for SASL connections makes a lot of sense. It was especially helpful that you documented the history of why we hadn’t supported this in the past and the issue related to backwards compatibility for misconfigured brokers — it was very clearly laid out. I also appreciated that you identified and rejected the possibility of supporting multiple identities and described how custom principal builders will have access to the SSLContext in order to consider the TLS authentication state when building a single principal — and how custom authorizers and quota callbacks could take mTLS into account.
Ron

> On Nov 9, 2020, at 6:08 AM, Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>
> Hi all,
>
> I have submitted KIP-684 to support mTLS (TLS client authentication) for
> SASL_SSL listeners:
>
>    - https://cwiki.apache.org/confluence/display/KAFKA/KIP-684+-+Support+mutual+TLS+authentication+on+SASL_SSL+listeners
>
> In security-critical deployments, TLS client authentication adds an extra
> layer of security in addition to SASL-based client authentication.
>
> Feedback and suggestions are welcome.
>
> Thank you...
>
> Regards,
>
> Rajini