Repository: kafka Updated Branches: refs/heads/0.9.0 cdfcf2e18 -> a9395e746
KAFKA-3095: Add documentation on format of sasl.kerberos.principal.to.local.rules Add some basic documentation about the format, a link to get more detailed information and an example usage. I didn't want to make a huge section on the format since it is documented elsewhere but I can expand if folks want. https://issues.apache.org/jira/browse/KAFKA-3095 Author: Tom Graves <[email protected]> Reviewers: Gwen Shapira Closes #776 from tgravescs/KAFKA-3095 (cherry picked from commit 401ae7707cf3990240544eb4575acc46a9c85017) Signed-off-by: Gwen Shapira <[email protected]> Project: http://git-wip-us.apache.org/repos/asf/kafka/repo Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/a9395e74 Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/a9395e74 Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/a9395e74 Branch: refs/heads/0.9.0 Commit: a9395e746111f43bb972a38c6c8f823407100278 Parents: cdfcf2e Author: Tom Graves <[email protected]> Authored: Mon Jan 18 10:03:47 2016 -0800 Committer: Gwen Shapira <[email protected]> Committed: Mon Jan 18 10:03:56 2016 -0800 ---------------------------------------------------------------------- .../src/main/java/org/apache/kafka/common/config/SaslConfigs.java | 3 ++- docs/security.html | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/kafka/blob/a9395e74/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java ---------------------------------------------------------------------- diff --git a/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java index ef29743..d61838f 100644 --- a/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java +++ b/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java 
@@ -45,7 +45,8 @@ public class SaslConfigs { public static final String SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES = "sasl.kerberos.principal.to.local.rules"; public static final String SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_DOC = "A list of rules for mapping from principal names to short names (typically operating system usernames). " + "The rules are evaluated in order and the first rule that matches a principal name is used to map it to a short name. Any later rules in the list are ignored. " + - "By default, principal names of the form {username}/{hostname}@{REALM} are mapped to {username}."; + "By default, principal names of the form {username}/{hostname}@{REALM} are mapped to {username}. " + + "For more details on the format please see <a href=\"#security_authz\"> security authorization and acls</a>."; public static final List<String> DEFAULT_SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES = Collections.singletonList("DEFAULT"); public static void addClientSaslSupport(ConfigDef config) { http://git-wip-us.apache.org/repos/asf/kafka/blob/a9395e74/docs/security.html ---------------------------------------------------------------------- diff --git a/docs/security.html b/docs/security.html index 3acbbac..90a8e18 100644 --- a/docs/security.html +++ b/docs/security.html 
@@ -283,6 +283,9 @@ One can also add super users in broker.properties like the following (note that By default, the SSL user name will be of the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown". One can change that by setting a customized PrincipalBuilder in broker.properties like the following. <pre>principal.builder.class=CustomizedPrincipalBuilderClass</pre> By default, the SASL user name will be the primary part of the Kerberos principal. One can change that by setting <code>sasl.kerberos.principal.to.local.rules</code> to a customized rule in broker.properties. +The format of <code>sasl.kerberos.principal.to.local.rules</code> is a list where each rule works in the same way as the auth_to_local in <a href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html">Kerberos configuration file (krb5.conf)</a>. Each rules starts with RULE: and contains an expression in the format [n:string](regexp)s/pattern/replacement/g. See the kerberos documentation for more details. An example of adding a rule to properly translate [email protected] to user while also keeping the default rule in place is: +<pre>sasl.kerberos.principal.to.local.rules=RULE:[1:$1@$0](.*@MYDOMAIN.COM)s/@.*//,DEFAULT</pre> + <h4><a id="security_authz_cli" href="#security_authz_cli">Command Line Interface</a></h4> Kafka Authorization management CLI can be found under bin directory with all the other CLIs. The CLI script is called <b>kafka-acls.sh</b>. Following lists all the options that the script supports: <p></p>
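Review bot: in the SaslConfigs.java hunk, the sentence appended to SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_DOC links with a bare fragment, `<a href=\"#security_authz\">`, which only resolves when the generated configuration table is rendered on the same page as the security section; anywhere else the doc string is shown (a separately rendered config page, plain-text output) the reader is left with raw HTML and a dangling "see security authorization and acls", so name the section in words in addition to the link. Also the anchor text has a stray leading space and is lowercased: `<a href=\"#security_authz\"> security authorization and acls</a>` should be `<a href=\"#security_authz\">Security Authorization and ACLs</a>` to match the section heading.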
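Review bot: in the security.html hunk, the example rule `RULE:[1:$1@$0](.*@MYDOMAIN.COM)s/@.*//,DEFAULT` leaves the `.` in `MYDOMAIN.COM` unescaped, so the regexp that is supposed to pin this mapping to one realm accepts any character in that position instead of a literal dot; since the regexp is the only thing limiting which principals get mapped to `user`, the example should read `(.*@MYDOMAIN\.COM)`. The paragraph should also state whether the regexp has to match the whole principal name or just a substring, because that decides whether a principal from a realm with a similar suffix can be mapped to the same short name as a local user; at the moment "works in the same way as the auth_to_local" is the only hint. Minor: "Each rules starts with RULE:" should be "Each rule starts with RULE:", and "See the kerberos documentation" should capitalize Kerberos as the rest of the section does.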
