[improve][broker] PIP-485: Configurable mTLS principal mapping (SAN sources and DN mapping rules)#26021
Open
PavelZeger wants to merge 6 commits into
Open
[improve][broker] PIP-485: Configurable mTLS principal mapping (SAN sources and DN mapping rules)#26021PavelZeger wants to merge 6 commits into
PavelZeger wants to merge 6 commits into
Conversation
…ces and DN mapping rules)
…SAN sources and DN mapping rules)" This reverts commit 911a0c3.
…ces and DN mapping rules) Add a PIP proposing configurable identity extraction (CN/DN/SAN) and Kafka-style declarative mapping rules in AuthenticationProviderTls, keeping today's CN-only behavior as the default.
PavelZeger
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Motivation
Pulsar's built-in TLS auth provider (
AuthenticationProviderTls, inpulsar-broker-common) derives a client's role only from the certificate's first Common Name (CN), and the extraction is hardcoded; if the CN is empty or missing, authentication fails outright. That is a poor fit for two increasingly commondeployments:
OU,emailAddress, or the full DN) and re-issuing certificates just to populate the CN isn't practical.spiffe://...) and the CN is intentionally empty — those certificates are rejected today even though they carry a valid, cryptographically-bound identity.Apache Kafka solves this declaratively with
ssl.principal.mapping.rules(KIP-371). Pulsar has no equivalent for its built-in provider, and writing a customAuthenticationProvideris a high bar for what should be a few lines of config.Modifications
This PR adds the PIP-484 design document (
pip/pip-484.md) for community discussion and vote. It contains no code changes.The proposal describes two backward-compatible config options for
AuthenticationProviderTls:tlsCertIdentitySource— choose the raw identity:CN(default),DN, orSAN:URI|DNS|EMAIL.tlsAuthPrincipalMappingRules— an ordered list of Kafka-styleRULE:/DEFAULTmapping rules.With both unset, behavior is identical to today (first CN, fail on empty CN). The document also covers the proxy config plumbing, new auth-failure error codes, security considerations, and upgrade/rollback compatibility.
Verifying this change
This change is a trivial rework / code cleanup without any test coverage.
Does this pull request potentially affect one of the following parts: