search

strimzi / strimzi-kafka-operator

Apache Kafka® running on Kubernetes
https://strimzi.io/
Apache License 2.0
4.77k stars 1.27k forks source link

[Enhancement]: Improved KafkaUser naming to cover external TLS certs #10356

Open mattaltberg opened 2 months ago

mattaltberg commented 2 months ago

Related problem

I need to add a KafkaUser to my cluster, but the client's incoming certificate includes organization, state, and country. I'm able to add a super user with all this information in the format of CN=<>,O=<>,ST=<>,C=<>, but the KafkaUser operator fails under the same naming convention.

Suggested solution

Allow specifying extra details that come in from client's TLS certificates, like Organization, STate, and Country.

Alternatives

Adding the user as a superUser in the main cluster spec

Additional context

The KafkaUser currently adds a new User with CN=<name-of-kafka-user-in-metadata>, and since this works with super users, there must be a way to do it as a regular KafkaUser.

scholzj commented 2 months ago

That is not supported because it would not match the name of the KafkaUser resource anymore and that can lead to all kind of problems and increased complexity.

You should either use certificates with matching subjects or you can use a custom principal builder like this to remove the additional details from the usernames of your users.

You can also disable the USer Operator and manage the users completely on your own.

mattaltberg commented 2 months ago

@scholzj what does the user operator actually do? Can you point me towards its source code? I'm fine with managing users on my own!

scholzj commented 2 months ago

The User Operator manages the users, their credentials, ACLs, and quotas.

scholzj commented 2 months ago

Out of curiosity ... do you have the non-CN part of the certificate the same for all users? Or does it differ?

mattaltberg commented 2 months ago

In this very specific case, they happen to be the same (I only have two users, one is a super user). But ideally it would work when they're not the same

scholzj commented 1 month ago

Triaged on the Community call on 8.8.2024: This seems to come up from time to time. So it might make sense to support it. But it should have a proposal to discuss how it will work and how the API will look like. In particular:

mattaltberg commented 1 month ago

Ideally, I could somehow link CN=<KafkaUserResourceName> with the rest of the certificate's attributes defined elsewhere in the KafkaUser resource (maybe as a separate annotation for each certificate field)

scholzj commented 1 month ago

@mattaltberg I think the important part is that you need to be able to easily identify the corresponding KafkaUser from the username. This is important when you reconcile the various sources of information to link them together and decide that for example a particular ACL belongs to a particular KafkaUser or that it does not belong to anyone and should be deleted.

My expectation is that you can for example have the additional parts of the username specified either globally as a User Operator configuration option (if one set would apply to all users) or for example even in the .spec.authentication section. And you would append them to the CN=<KafkaUserResourceName>. The CN=<KafkaUserResourceName> is key because when reading the ACLs, you can basically parse the username, get the CN=<KafkaUserResourceName> out of it again and you know what KafkaUser resource it belongs to. It is of course not completely trivial as the added parts might change nd you would need to update all the ACLs or Quotas. But without the CN=<KafkaUserResourceName>, you won't be able to establish the link in the first place, so I think that is a required prerequisite.

In any case, the details should be part of the proposal (https://github.com/strimzi/proposals):

mattaltberg commented 1 month ago

@scholzj yeah, that essentially sounds like what I meant (I don't know the workings of the KafkaUser resource), but the idea revolved around keeping the functionality behind CN=<>, but somehow allowing the additional info to be used.

Are you already working on the proposal?

mattaltberg commented 1 month ago

As an aside, I ended up using Conduktor Console to manage the cluster's ACLs (plus the UI is awesome)

scholzj commented 1 month ago

Are you already working on the proposal?

No, I'm not working on it and right now I do not plan to work on it.

scholzj commented 2 days ago

Please stop spamming random issues! You should read the Strimzi and Kafka docs (which I'm pretty sure cover this) and search the previously asked questions in discussions. And if that does not help you can ask on one of the available channels: https://github.com/strimzi/strimzi-kafka-operator?tab=readme-ov-file#getting-help -> And you should include full logs and configurations you tried so that people who might try to answer your question know how far you got and what actually doesn't work for you.