Replies: 1 comment 4 replies
- The User Operator bases the username on the name of the Configuring the
- When using externally generated client certificates to authorize cluster access that have a principal in the form User:CN=user.company.com,OU=unknown, and setting the principal for a topic to anything beyond the "CN=" portion of the principal, the ACLs evaluate this and deny access to that topic. If we use a client certificate whose principal contains only the "CN=" portion, the ACLs allow access.
Per Confluent's docs, the default for TLS/SSL is to use the DN (Distinguished Name) in the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". So I would have expected this to be utilized with the default settings.
https://docs.confluent.io/platform/current/kafka/authorization.html#tls-ssl-principal-user-names
Is there a method to allow the User Operator to evaluate past the "CN=" portion of the principal?
Is being able to edit the ssl.principal.mapping.rules config possible? This [Enhancement] leads me to believe this is not possible.