Hi all,
I'd like to start the vote on PIP-485: *Configurable mTLS principal mapping (SAN sources and DN mapping rules)*. The PIP makes identity extraction in the built-in TLS auth provider (AuthenticationProviderTls) configurable, instead of the current hardcoded "first CN wins" behavior. It adds two options: - tlsCertIdentitySource: CN (default), DN, or SAN:URI / SAN:DNS / SAN:EMAIL - tlsAuthPrincipalMappingRules: an ordered list of Kafka-style RULE:/DEFAULT mapping rules applied to the extracted identity When both are unset, behavior is byte-for-byte identical to today, so the change is fully backward compatible. This unblocks SPIFFE/SPIRE and enterprise-PKI deployments whose identity lives in a SAN or a non-CN DN field (and whose certs often have an empty CN that fails auth today). PIP PR: https://github.com/apache/pulsar/pull/26021 DISCUSS thread: https://lists.apache.org/thread/18clc2l50nrkoyhgo0pddw80y9zyd7sp Thanks! Pavel Zeger
