Hi Chris,
Thanks for the KIP. Could you also add details/use-cases for
having X509 certificate based authentication in the context of SASL_SSL.
The reason that we disabled the SSL auth for SASL_SSL is the intent behind
using SASL auth over SSL encryption, and the user can enforce
role based auth and have wire encryption for data transfer. If users just
want SSL based authentication they have the option to do so via SSL.
I think we are providing too many options of authentication in SASL_SSL
mode and it can be a bit confusing.
Thanks,
Harsha
On Tue, Feb 21, 2017 at 11:23 AM Christopher Shannon <
[email protected]> wrote:
Hi everyone
I have just created KIP-127 to introduce custom JAAS configuration for the
SSL channel:
https://cwiki.apache.org/confluence/display/KAFKA/KIP-127%3A+Pluggable+JAAS+LoginModule+configuration+for+SSL
The idea here is to be able to do custom authentication based off of a
user's X509 credentials in addition to the SSL handshake.
I have created a rough draft of a commit to give an idea of what my plan is
which matches the KIP:
https://github.com/cshannon/kafka/tree/KAFKA-4784
It still needs some work (needs more tests, for example) but I wanted to get
some feedback before I go any further on this and do a pull request.
Thanks,
Chris