[Enhancement]: Improved KafkaUser naming to cover external TLS certs #10356
Comments
mattaltberg
changed the title
|
That is not supported because it would not match the name of the KafkaUser resource anymore and that can lead to all kind of problems and increased complexity. You should either use certificates with matching subjects or you can use a custom principal builder like this to remove the additional details from the usernames of your users. You can also disable the USer Operator and manage the users completely on your own. |
|
@scholzj what does the user operator actually do? Can you point me towards its source code? I'm fine with managing users on my own! |
|
The User Operator manages the users, their credentials, ACLs, and quotas. |
|
Out of curiosity ... do you have the non-CN part of the certificate the same for all users? Or does it differ? |
|
In this very specific case, they happen to be the same (I only have two users, one is a super user). But ideally it would work when they're not the same |
|
Triaged on the Community call on 8.8.2024: This seems to come up from time to time. So it might make sense to support it. But it should have a proposal to discuss how it will work and how the API will look like. In particular:
|
|
Ideally, I could somehow link |
|
@mattaltberg I think the important part is that you need to be able to easily identify the corresponding KafkaUser from the username. This is important when you reconcile the various sources of information to link them together and decide that for example a particular ACL belongs to a particular KafkaUser or that it does not belong to anyone and should be deleted. My expectation is that you can for example have the additional parts of the username specified either globally as a User Operator configuration option (if one set would apply to all users) or for example even in the In any case, the details should be part of the proposal (https://github.com/strimzi/proposals):
|
|
@scholzj yeah, that essentially sounds like what I meant (I don't know the workings of the KafkaUser resource), but the idea revolved around keeping the functionality behind Are you already working on the proposal? |
|
As an aside, I ended up using Conduktor Console to manage the cluster's ACLs (plus the UI is awesome) |
No, I'm not working on it and right now I do not plan to work on it. |
|
Please stop spamming random issues! You should read the Strimzi and Kafka docs (which I'm pretty sure cover this) and search the previously asked questions in discussions. And if that does not help you can ask on one of the available channels: https://github.com/strimzi/strimzi-kafka-operator?tab=readme-ov-file#getting-help -> And you should include full logs and configurations you tried so that people who might try to answer your question know how far you got and what actually doesn't work for you. |
Related problem
I need to add a KafkaUser to my cluster, but the client's incoming certificate includes organization, state, and country. I'm able to add a super user with all this information in the format of
CN=<>,O=<>,ST=<>,C=<>, but the KafkaUser operator fails under the same naming convention.Suggested solution
Allow specifying extra details that come in from client's TLS certificates, like Organization, STate, and Country.
Alternatives
Adding the user as a superUser in the main cluster spec
Additional context
The KafkaUser currently adds a new User with
CN=<name-of-kafka-user-in-metadata>, and since this works with super users, there must be a way to do it as a regular KafkaUser.The text was updated successfully, but these errors were encountered: