Proposal: Support for Custom Authentication Type in Kafka Clients #148
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| # Support for Custom Authentication Type in Kafka Clients | ||
| ## Current situation | ||
| Strimzi currently supports several standard authentication mechanisms for Kafka clients, including: | ||
| - TLS-based authentication | ||
| - SASL mechanisms such as `scram-sha-256`, `scram-sha-512`, `plain`, and `oauth` | ||
| These mechanisms cover a wide range of use cases, but there is no built-in capability for users who need highly customized authentication logic. | ||
| ## Motivation | ||
| Organizations may have unique security requirements that cannot be addressed by the existing authentication mechanisms. These requirements may involve integrating with proprietary security systems, leveraging custom token-based schemes, or handling complex credential management. | ||
| By providing support for custom authentication types, Strimzi will enable users to supply their own authentication logic while maintaining compatibility with Kafka security standards. | ||
| ### Benefits: | ||
| - Greater flexibility for organizations with custom security requirements. | ||
| - Reduced need for workarounds when integrating with non-standard authentication systems. | ||
| - Better alignment with enterprise security architectures. | ||
| ## Proposal | ||
| ### Introduction | ||
| The proposal introduces a new Kafka client authentication type called `custom`. This type allows users to specify a fully qualified class name of a custom `AuthenticateCallbackHandler` implementation to handle their specific authentication logic. | ||
| ### Configuration | ||
| The configuration for the custom authentication would look like this: | ||
| ```yaml | ||
| authentication: | ||
| type: custom | ||
| customCallbackClass: com.example.kafka.auth.MyCustomAuthHandler | ||
| ``` | ||
| ### Key Changes | ||
| 1. **New Class:** `KafkaClientAuthenticationCustom` | ||
|
There was a problem hiding this comment. you should be clear that it's going to be part of the api module |
||
| - Defines the `custom` authentication type. | ||
| - Includes a property `customCallbackClass` for specifying the custom handler. | ||
| 2. **Volume and Secret Handling:** | ||
| - No volumes or secrets will be automatically mounted for the custom authentication type. | ||
| - Users are responsible for managing any required resources. | ||
|
There was a problem hiding this comment. This is fine, but you should still explain how will the users do it -> the answer here is using the additional volumes through the |
||
| 3. **Validation:** | ||
| - Strimzi will ensure the `customCallbackClass` property is provided and correctly formatted. | ||
|
There was a problem hiding this comment. what does exactly mean "correctly formatted"? |
||
| ## Affected/not affected projects | ||
| ### Affected | ||
| - **Cluster Operator:** Will require changes to handle the `custom` authentication type. | ||
| - **API:** New class and CRD validation for `KafkaClientAuthenticationCustom`. | ||
| - **Documentation:** Updated guidance for configuring and using custom authentication. | ||
| ### Not affected | ||
| - Kafka Brokers (custom logic is client-side). | ||
|
There was a problem hiding this comment. I don't think this is relevant here. Brokers are anyway part of Apache Kafka project so not within Strimzi and a Strimzi proposal can't have any effect on Apache Kafka. |
||
| - User Operator. | ||
|
There was a problem hiding this comment. I would also remove this one, otherwise the Topic Operator would be here as well. |
||
| ## Compatibility | ||
| This proposal maintains backward compatibility by introducing an additional authentication option. Existing configurations using standard authentication mechanisms remain unaffected. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
other than just configuring, you should explain that a user has to bake an image by adding the jar including the handler class, right?