Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/traiana/kafka-spiffe-principal
SPIFFE based Kafka authentication
- Host: GitHub
- URL: https://github.com/traiana/kafka-spiffe-principal
- Owner: traiana
- License: apache-2.0
- Created: 2018-07-29T06:57:49.000Z (over 6 years ago)
- Default Branch: master
- Last Pushed: 2023-09-05T21:57:39.000Z (over 1 year ago)
- Last Synced: 2024-08-02T08:07:07.920Z (5 months ago)
- Topics: auth, kafka, spiffe
- Language: Java
- Homepage:
- Size: 18.6 KB
- Stars: 19
- Watchers: 9
- Forks: 6
- Open Issues: 2
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-spiffe-spire - Kafka SPIFFE Principal Builder
README
## Kafka SPIFFE Principal Builder
A custom `KafkaPrincipalBuilder` implementation for Apache Kafka.
This class and its documentation deal only with `SslAuthenticationContext`; no other context is supported at the moment (Kerberos, SASL, OAuth).
#### Default behavior
The `DefaultKafkaPrincipalBuilder` class that ships with Apache Kafka builds a principal
name from the X.509 Subject in the SSL certificate. Since it has no logic that deals with *Subject Alternative Name*,
this approach cannot handle a *SPIFFE ID*.
#### New behavior
The principal builder first looks for a valid *SPIFFE ID* in the certificate. If one is found, the *KafkaPrincipal* it returns
is seen by an *ACL Authorizer* as **SPIFFE:spiffe://some.spiffe.id.uri**. If that fails, the Subject is used as usual,
giving a normal **USER:CN=...** principal.
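
One way to implement the lookup-then-fallback order described above, as an added example rather than this project's code. The class name and the validation rules (exactly one URI SAN, `spiffe` scheme, no userinfo, port, query or fragment) are assumptions of the example; it compiles against `kafka-clients`.

```java
import java.net.URI;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;
// Hypothetical class name; an illustration, not the project's implementation.
public class ExampleSpiffePrincipalBuilder implements KafkaPrincipalBuilder {
    private static final int SAN_URI = 6; // GeneralName type uniformResourceIdentifier (RFC 5280)
    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        try {
            // SSL only: the cast throws for any other context. Take the leaf of the verified chain.
            X509Certificate leaf = (X509Certificate) ((SslAuthenticationContext) context)
                    .session().getPeerCertificates()[0];
            String spiffeId = spiffeIdOf(leaf);
            if (spiffeId != null) return new KafkaPrincipal("SPIFFE", spiffeId);
            // Fallback: Subject DN under Kafka's standard "User" principal type.
            return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, leaf.getSubjectX500Principal().getName());
        } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
            return KafkaPrincipal.ANONYMOUS; // no usable client certificate
        }
    }
    // Returns the SPIFFE ID only when the certificate has exactly one URI SAN and it is well formed.
    static String spiffeIdOf(X509Certificate cert) throws CertificateParsingException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return null;
        List<String> uris = new ArrayList<>();
        for (List<?> san : sans) {
            if (((Integer) san.get(0)) == SAN_URI) uris.add((String) san.get(1));
        }
        if (uris.size() != 1) return null; // ambiguous identity: do not pick one
        try {
            URI u = URI.create(uris.get(0));
            String td = u.getRawAuthority(); // trust domain
            boolean ok = "spiffe".equalsIgnoreCase(u.getScheme()) && td != null && !td.isEmpty()
                    && td.indexOf('@') < 0 && td.indexOf(':') < 0
                    && u.getRawQuery() == null && u.getRawFragment() == null;
            return ok ? uris.get(0) : null;
        } catch (IllegalArgumentException e) {
            return null; // not a parseable URI
        }
    }
}
```

A builder like this is selected on the broker with `principal.builder.class`. It only maps an already authenticated certificate to a principal, so chain validation still depends on `ssl.client.auth=required` and the broker truststore.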