[ANSIENG-3807] | Rbac over mTLS #1804
base: 7.8.x
* [ANSIENG-4229] | adding new user facing variables for rbac over mtls
* [try-mtls] | modified default listener and get auth token
* [ANSIENG-4229] | adding 2 small scenarios for testing
* [try-mtls] | [ANSIENG-4229] | modifying the default values of ssl_client_authentication and ssl_mutual_auth
* [try-mtls] | fixing issues in set principal for mtls and health checks
* [try-mtls] | fixing mds client auth properties
* [try-mtls] | adding ldap+mtls scenario
* [try-mtls] | changing os to rhel9 and java to 17 for mtls tests
* [try-mtls] | fix listener auth issue
* [try-mtls] | fix health checks for broker
* [try-mtls] | adding impersonation super users in bk customer properties
* [try-mtls] | unmasking secrets for better logging
* [try-mtls] | fix mds health check and config validations to include auth mode mtls
* [try-mtls] | fix get authorization tokens
* [try-mtls] | temporary removal of ssl endpoint identification
* [try-mtls] | fix verify of new molecule scenarios for mtls
* [try-mtls] | changing erp listener to oauthbearer listener for impersonation token
* [try-mtls] | fixing quotes in erp listener name
* [try-mtls] | removing ssl client auth verification from controller as it is only mds server property
* [try-mtls] | adding impersonation super and protected users in mds properties
* [try-mtls] | modify ssl client authentication for listeners based on inventory file
* [try-mtls] | principal mapping rules on listeners
* [try-mtls] | overriding principal mapping rules in molecule
* [try-mtls] | fix impersonation protected user and remove config override for impersonation super user
* [try-mtls] | remove principal mapping rules
* [try-mtls] | fixing quotes around client auth mode in listeners
* [try-mtls] | adding sr in mtls only setup
* [try-mtls] | fixing sr mtls
* [try-mtls] | fix ldap detection and add extra $ in molecule for escape reasons
* Fix SR RBAC (#70)
* [ANSIENG-4229] | adding new user facing variables for rbac over mtls
* [try-mtls] | modified default listener and get auth token
* [ANSIENG-4229] | adding 2 small scenarios for testing
* [try-mtls] | [ANSIENG-4229] | modifying the default values of ssl_client_authentication and ssl_mutual_auth
* [try-mtls] | fixing issues in set principal for mtls and health checks
* [try-mtls] | fixing mds client auth properties
* [try-mtls] | adding ldap+mtls scenario
* [try-mtls] | changing os to rhel9 and java to 17 for mtls tests
* [try-mtls] | fix listener auth issue
* [try-mtls] | fix health checks for broker
* [try-mtls] | adding impersonation super users in bk customer properties
* [try-mtls] | unmasking secrets for better logging
* [try-mtls] | fix mds health check and config validations to include auth mode mtls
* [try-mtls] | fix get authorization tokens
* [try-mtls] | temporary removal of ssl endpoint identification
* [try-mtls] | fix verify of new molecule scenarios for mtls
* [try-mtls] | changing erp listener to oauthbearer listener for impersonation token
* [try-mtls] | fixing quotes in erp listener name
* [try-mtls] | removing ssl client auth verification from controller as it is only mds server property
* [try-mtls] | adding impersonation super and protected users in mds properties
* [try-mtls] | modify ssl client authentication for listeners based on inventory file
* [try-mtls] | principal mapping rules on listeners
* [try-mtls] | overriding principal mapping rules in molecule
* [try-mtls] | fix impersonation protected user and remove config override for impersonation super user
* [try-mtls] | remove principal mapping rules
* [try-mtls] | fixing quotes around client auth mode in listeners
* [try-mtls] | adding sr in mtls only setup
* [try-mtls] | fixing sr mtls
* [try-mtls] | fix ldap detection and add extra $ in molecule for escape reasons

---------

Co-authored-by: Mansi Jain <[email protected]>

* [ANSIENG-4233] | added mtls configs for connect
* [ANSIENG-4233] | comment fix
* [try-mtls] | fix sr changes
* [ANSIENG-4233] | config fix for listener authentication
* [ANSIENG-4233] | add config for connectors
* [ANSIENG-4233] | code fix
* [ANSIENG-4233] | code revert
* [try-mtls] | modify molecule scenario to add super user and principal mapping rules
* [ANSIENG-4233] | add connector mtls config
* [ANSIENG-4236] | add connect replicator mtls config
* [ANSIENG-4233] | delegate token fetch to broker for connector
* [ANSIENG-4236] | property fix
* [ANSIENG-4235] | mtls configs
* [ANSIENG-4235] | mtls configs
* [ANSIENG-4236] | mtls configs
* [ANSIENG-4236] | mtls configs
* [ANSIENG-4235] | mtls configs
* [ANSIENG-4235] | property fix
* [ANSIENG-4236] | add test for replicator
* [pm-rules] | handle default principal mapping rules
* [pm-rules] | principal mapping rules in mds, erp, listeners, sr
* [pm-rules] | removing config overrides from mtls only scenario as principal mapping rules are added by variables
* [pm-rules] | principal mapping rules fix to get proper super user
* [pm-rules] | adding listener level control over principal mapping rules
* [pm-rules] | fix principal mapping rules in listeners
* [mtls-rp] | add mtls support in erp,rp
* [mtls-rp] | fix kafka rest license issue
* [ANSIENG-4235] | add eol
* Connect mtls ansieng 4233 (#72)
* [ANSIENG-4233] | added mtls configs for connect
* [ANSIENG-4233] | comment fix
* [ANSIENG-4233] | config fix for listener authentication
* [ANSIENG-4233] | add config for connectors
* [ANSIENG-4233] | code fix
* [ANSIENG-4233] | code revert
* [ANSIENG-4233] | add connector mtls config
* [ANSIENG-4233] | delegate token fetch to broker for connector
* Revert "Connect mtls ansieng 4233 (#72)" (#76) This reverts commit 57cc5e6.
* [try-mtls] | c3 mtls support
* [try-mtls] | adding c3 in mtls scenario
* [try-mtls] | fix c3 bugs
* [try-mtls] | adding impersonation users to molecule scenarios
* [try-mtls] | fix kafka rest listener and confluent.license config
* [try-mtls] | file based login in mtls only scenario added
* [try-mtls] | fix oauth and ldap scenarios and confluent.license
* [try-mtls] | send certs in kafka broker tasks for register cluster
* [try-mtls] | fixing register cluster to run on internal token listener so it has sasl_ssl protocol instead of ssl for rbac over mtls
* [mtls-connect] | making retries in get auth token configurable and increasing the default wait time as mds takes more time in upgrades
* [mtls-connect] | adding ksql connect in molecule scenarios
* [mtls-connect] | fix erp pm rules
* [mtls-connect] | remove cyclic dependency in ssl_client_authentication and ssl_mutual_auth_enabled
* [mtls-connect] | remove set fact for mtls old var
* [mtls-connect] | add when conditions for extract principal

---------

Co-authored-by: Mansi Jain <[email protected]>
🎉 All Contributor License Agreements have been signed. Ready to merge.
…abled and ssl_client_authentication and asking for user confirmation for setting requested
…instead of oauth_enabled and ldap_with_oauth_enabled variables
Description
This PR aims to add support for RBAC over mTLS.
This includes changes for
Replicator changes will be raised in a separate PR.
Fixes # (issue)
Type of change
How Has This Been Tested?
zookeeper
kraft
Checklist: