Skip to content

0.13.0

Compare
Choose a tag to compare
@mstruk mstruk released this 11 Jul 20:13
· 20 commits to main since this release

Main Changes since 0.12.x

KeycloakAuthorizer has been added that supports both Zookeeper and KRaft mode

While KeycloakRBACAuthorizer can still be used in Zookeeper mode, for the future you should migrate your configuration to use KeycloakAuthorizer.

As part of supporting KRaft mode the grants mapping logic has changed slightly. Rather than using the access token as a unit of grant, the user id is now used. This results in better sharing of the grants between sessions of the same user, and should also reduce the number of grants held in cache, and the number of refresh requests to the Keycloak server.

Additional configuration options have been added:

  • strimzi.authorization.grants.max.idle.time.seconds specifies the time after which an idle grant in the cache can be evicted
  • strimzi.authorization.grants.gc.period.seconds specifies a time between consecutive runs of the grants cache garbage collection job

Also, the option strimzi.authorization.reuse.grants now defaults to true, and no longer to false.

Global option strimzi.oauth.metric.reporters has been added to supersede metric.reporters in OAuth metrics

To avoid double instantiation of metric reporters that only expect to work as singletons, metric.reporters option is no longer used by OAuth metrics.
If the new strimzi.oauth.metric.reporters is not set, OAuth metrics will still instantiate a default org.apache.kafka.common.metrics.JmxReporter if any OAuth metrics are enabled.
In order to install some other metric reporter in addition to JmxReporter both have to be listed.
Also, the suggested way to configure it on the Kafka broker is to set it as env variable, rather than a property in server.properties file.

Fixed JsonPath handling of null in a query when attribute was missing

This change introduces a backwards incompatible change in how queries using equals or not equals comparison to null are handled when the targeted attribute is not present.

Examples of affected queries as used in oauth.custom.claim.check:

  • "@.missing == null"
  • "@.missing != null"

Principal extraction from nested username claim was added

It is now possible to use JsonPath query to target nested attributes when extracting a principal. In order to use JsonPath start your claim specification with opening square bracket [.

For example:

oauth.username.claim="['user.info'].['user.id']"
oauth.fallback.username.claim="['user.info'].['client.id']"

For more details about the new features see the RELEASE_NOTES.md and the README.md. All changes can be found under the 0.13.0 milestone.