Hi all,

I'd like to start the vote on PIP-485: *Configurable mTLS principal mapping
(SAN sources and DN mapping rules)*.


The PIP makes identity extraction in the built-in TLS auth provider
(AuthenticationProviderTls) configurable, instead of the current hardcoded
"first CN wins" behavior. It adds two options:

- tlsCertIdentitySource: CN (default), DN, or SAN:URI / SAN:DNS / SAN:EMAIL
- tlsAuthPrincipalMappingRules: an ordered list of Kafka-style
RULE:/DEFAULT mapping rules applied to the extracted identity

When both are unset, behavior is byte-for-byte identical to today, so the
change is fully backward compatible. This unblocks SPIFFE/SPIRE and
enterprise-PKI deployments whose identity lives in a SAN or a non-CN DN
field (and whose certs often have an empty CN that fails auth today).

PIP PR: https://github.com/apache/pulsar/pull/26021
DISCUSS thread:
https://lists.apache.org/thread/18clc2l50nrkoyhgo0pddw80y9zyd7sp

Thanks!
Pavel Zeger

Reply via email to