kafka-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From gwens...@apache.org
Subject kafka git commit: KAFKA-3095: Add documentation on format of sasl.kerberos.principal.to.local.rules
Date Mon, 18 Jan 2016 18:03:52 GMT
Repository: kafka
Updated Branches:
  refs/heads/trunk 5979480c3 -> 401ae7707

KAFKA-3095: Add documentation on format of sasl.kerberos.principal.to.local.rules

Add some basic documentation about the format, a link to get more detailed information and
an example usage.  I didn't want to make a huge section on the format since it documented
elsewhere but I can expand is folks want.


Author: Tom Graves <tgraves@yahoo-inc.com>

Reviewers: Gwen Shapira

Closes #776 from tgravescs/KAFKA-3095

Project: http://git-wip-us.apache.org/repos/asf/kafka/repo
Commit: http://git-wip-us.apache.org/repos/asf/kafka/commit/401ae770
Tree: http://git-wip-us.apache.org/repos/asf/kafka/tree/401ae770
Diff: http://git-wip-us.apache.org/repos/asf/kafka/diff/401ae770

Branch: refs/heads/trunk
Commit: 401ae7707cf3990240544eb4575acc46a9c85017
Parents: 5979480
Author: Tom Graves <tgraves@yahoo-inc.com>
Authored: Mon Jan 18 10:03:47 2016 -0800
Committer: Gwen Shapira <cshapi@gmail.com>
Committed: Mon Jan 18 10:03:47 2016 -0800

 .../src/main/java/org/apache/kafka/common/config/SaslConfigs.java | 3 ++-
 docs/security.html                                                | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java b/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
index ef29743..d61838f 100644
--- a/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/SaslConfigs.java
@@ -45,7 +45,8 @@ public class SaslConfigs {
     public static final String SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES = "sasl.kerberos.principal.to.local.rules";
     public static final String SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_DOC = "A list of rules
for mapping from principal names to short names (typically operating system usernames). "
             "The rules are evaluated in order and the first rule that matches a principal
name is used to map it to a short name. Any later rules in the list are ignored. " +
-            "By default, principal names of the form {username}/{hostname}@{REALM} are mapped
to {username}.";
+            "By default, principal names of the form {username}/{hostname}@{REALM} are mapped
to {username}. " +
+            "For more details on the format please see <a href=\"#security_authz\">
security authorization and acls</a>.";
     public static final List<String> DEFAULT_SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES
= Collections.singletonList("DEFAULT");
     public static void addClientSaslSupport(ConfigDef config) {

diff --git a/docs/security.html b/docs/security.html
index 3acbbac..90a8e18 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -283,6 +283,9 @@ One can also add super users in broker.properties like the following (note
 By default, the SSL user name will be of the form "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown".
One can change that by setting a customized PrincipalBuilder in broker.properties like the
 By default, the SASL user name will be the primary part of the Kerberos principal. One can
change that by setting <code>sasl.kerberos.principal.to.local.rules</code> to
a customized rule in broker.properties.
+The format of <code>sasl.kerberos.principal.to.local.rules</code> is a list where
each rule works in the same way as the auth_to_local in <a href="http://web.mit.edu/Kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html">Kerberos
configuration file (krb5.conf)</a>. Each rules starts with RULE: and contains an expression
in the format [n:string](regexp)s/pattern/replacement/g. See the kerberos documentation for
more details. An example of adding a rule to properly translate user@MYDOMAIN.COM to user
while also keeping the default rule in place is:
 <h4><a id="security_authz_cli" href="#security_authz_cli">Command Line Interface</a></h4>
 Kafka Authorization management CLI can be found under bin directory with all the other CLIs.
The CLI script is called <b>kafka-acls.sh</b>. Following lists all the options
that the script supports:

View raw message