grepplabs / kafka-proxy

Proxy connections to Kafka cluster. Connect through SOCKS Proxy, HTTP Proxy or to cluster running in Kubernetes.
Apache License 2.0

Implement client certificate subject validation #60

Closed radekg closed 4 years ago

radekg commented 4 years ago

This PR implements client certificate subject validation. The DN fields selected for this initial version are somewhat arbitrary but most likely the most common. This allows configuring the proxy TLS to validate the client cert subject; the Kafka Proxy operator can require a specific subject to be present and contain specific values.

I have opted for a flag per subject field to prevent requiring the user to follow any arbitrary string format. Additionally, all or none of the DN fields are explicitly required.

In a multi-tenant environment, the tenant has the ability to request certificates from a CA. The usual setup is:

Root CA -> Intermediate -> | -> Server certificate Tenant A
                           | -> Client certificate Tenant A
                           | -> Server certificate Tenant B
                           | -> Client certificate Tenant B

For security reasons, the CA operator does not allow tenants to issue an intermediate from the intermediate; this would require that the second-stage intermediate allows certificate signing. With such a setup, the user of Client certificate Tenant B can connect to Server Tenant A. Being able to additionally validate the subject adds a layer of security on the TLS level.
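
The check described in the comment above, as an added Go example that is not part of the original post and is not the PR's or kafka-proxy's own code: chain verification accepts both tenants' client certificates because they share an intermediate, so a subject policy is applied to the verified leaf. `RequiredSubject`, `Check` and `VerifyPeer` are hypothetical names, the subjects are constructed, and the listener is assumed to set `ClientAuth: tls.RequireAndVerifyClientCert`.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

type RequiredSubject struct { // hypothetical policy type; empty fields are not checked
	CommonName            string
	Organization, OrgUnit []string
}

// containsAll reports whether every required value appears in have.
func containsAll(have, required []string) bool {
	set := make(map[string]bool, len(have))
	for _, h := range have {
		set[h] = true
	}
	for _, r := range required {
		if !set[r] {
			return false
		}
	}
	return true
}

// Check compares a certificate subject against the policy.
func (r RequiredSubject) Check(s pkix.Name) error {
	if (r.CommonName != "" && s.CommonName != r.CommonName) ||
		!containsAll(s.Organization, r.Organization) ||
		!containsAll(s.OrganizationalUnit, r.OrgUnit) {
		return fmt.Errorf("client certificate subject %q not allowed", s.String())
	}
	return nil
}

// VerifyPeer has the tls.Config.VerifyPeerCertificate signature; chains are CA-verified.
func (r RequiredSubject) VerifyPeer(_ [][]byte, chains [][]*x509.Certificate) error {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return fmt.Errorf("no verified client certificate chain")
	}
	return r.Check(chains[0][0].Subject)
}

func main() { // constructed subjects: a Tenant B certificate checked against a Tenant A policy
	policy := RequiredSubject{Organization: []string{"Tenant A"}}
	fmt.Println(policy.Check(pkix.Name{CommonName: "client", Organization: []string{"Tenant B"}}))
}
```

Assigning `policy.VerifyPeer` to `tls.Config.VerifyPeerCertificate` makes the handshake fail for a certificate that chains correctly but carries another tenant's subject.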

radekg commented 4 years ago

Hi @everesio, do you think it would be possible to get feedback on this feature?

everesio commented 4 years ago

Thank you for your contribution, I will check it soon.

everesio commented 4 years ago

PR looks good