[ANSIENG-3807] | Rbac over mTLS #1804
Open
+2,070
−72
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
* [ANSIENG-4229] | adding new user facing variables for rbac over mtls * [try-mtls] | modified default listener and get auth token * [ANSIENG-4229] | adding 2 small scenarios for testing * [try-mtls] | [ANSIENG-4229] | modifying the default values of ssl_client_authentication and ssl_mutual_auth * [try-mtls] | fixing issues in set principal for mtls and health checks * [try-mtls] | fixing mds client auth properties * [try-mtls] | adding ldap+mtls sceanrio * [try-mtls] | changing os to rhel9 and java to 17 for mtls tests * [try-mtls] | fix listener auth issue * [try-mtls] | fix health checks for broker * [try-mtls] | adding impersonation super users in bk customer properties * [try-mtls] | unmasking secrets for better logging * [try-mtls] | fix mds health check and config validations to include auth mode mtls * [try-mtls] | fix get authorization tokens * [try-mtls] | temporary removal of ssl endpoint identification * [try-mtls] | fix verify of new molecule scenarios for mtls * [try-mtls] | chaning erp listener to oauthbearer listener for impersonation token * [try-mtls] | fixing qoutes in erp listener name * [try-mtls] | removing ssl client auth verification from controller as it is only mds server property * [try-mtls] | adding impersonation super and protected users in mds properties * [try-mtls] | modify ssl client authentication for listeners based on inventory file * [try-mtls] | principal mapping rules on listeners * [try-mtls] | overriding principal mapping rules in molecule * [try-mtls] | fix impersonation protected user and remove config override for impersonation super user * [try-mtls] | remove principal mapping rules * [try-mtls] | fixing qoutes around client auth mode in listeners * [try-mtls] | adding sr in mtls only setup * [try-mtls] | fixing sr mtls * [try-mtls] | fix ldap detection and add extra $ in molecule for escape reasons * Fix SR RBAC (#70) * [ANSIENG-4229] | adding new user facing variables for rbac over mtls * [try-mtls] | modified default listener and get auth token * [ANSIENG-4229] | adding 2 small scenarios for testing * [try-mtls] | [ANSIENG-4229] | modifying the default values of ssl_client_authentication and ssl_mutual_auth * [try-mtls] | fixing issues in set principal for mtls and health checks * [try-mtls] | fixing mds client auth properties * [try-mtls] | adding ldap+mtls sceanrio * [try-mtls] | changing os to rhel9 and java to 17 for mtls tests * [try-mtls] | fix listener auth issue * [try-mtls] | fix health checks for broker * [try-mtls] | adding impersonation super users in bk customer properties * [try-mtls] | unmasking secrets for better logging * [try-mtls] | fix mds health check and config validations to include auth mode mtls * [try-mtls] | fix get authorization tokens * [try-mtls] | temporary removal of ssl endpoint identification * [try-mtls] | fix verify of new molecule scenarios for mtls * [try-mtls] | chaning erp listener to oauthbearer listener for impersonation token * [try-mtls] | fixing qoutes in erp listener name * [try-mtls] | removing ssl client auth verification from controller as it is only mds server property * [try-mtls] | adding impersonation super and protected users in mds properties * [try-mtls] | modify ssl client authentication for listeners based on inventory file * [try-mtls] | principal mapping rules on listeners * [try-mtls] | overriding principal mapping rules in molecule * [try-mtls] | fix impersonation protected user and remove config override for impersonation super user * [try-mtls] | remove principal mapping rules * [try-mtls] | fixing qoutes around client auth mode in listeners * [try-mtls] | adding sr in mtls only setup * [try-mtls] | fixing sr mtls * [try-mtls] | fix ldap detection and add extra $ in molecule for escape reasons --------- Co-authored-by: Mansi Jain <[email protected]> * [ANSIENG-4233] | added mtls configs for connect * [ANSIENG-4233] | comment fix * [try-mtls] | fix sr changes * [ANSIENG-4233] | config fix for listener authentication * [ANSIENG-4233] | add config for connectors * [ANSIENG-4233] | code fix * [ANSIENG-4233] | code revert * [try-mtls] | modify molecule scenario to add super user and principal mapping rules * [ANSIENG-4233] | add connector mtls config * [ANSIENG-4236] | add connect replicator mtls config * [ANSIENG-4233] | delegate token fetch to broker for connector * [ANSIENG-4236] | property fix * [ANSIENG-4235] | mtls configs * [ANSIENG-4235] | mtls configs * [ANSIENG-4236] | mtls configs * [ANSIENG-4236] | mtls configs * [ANSIENG-4235] | mtls configs * [ANSIENG-4235] | property fix * [ANSIENG-4236] | add test for replicator * [pm-rules] | handle default principal mapping rules * [pm-rules] | principal mapping rules in mds, erp, listeners, sr * [pm-rules] | removing config overrides from mtls onnly scenario as principal mapping rules are added by variables * [pm-rules] | principal mapping rules fix to get proper super user * [pm-rules] | adding listener level control over principal mapping rules * [pm-rules] | fix principal mapping rules in listeners * [mtls-rp] | add mtls support in erp,rp * [mtls-rp] | fix kafka rest license issue * [ANSIENG-4235] | add eol * Connect mtls ansieng 4233 (#72) * [ANSIENG-4233] | added mtls configs for connect * [ANSIENG-4233] | comment fix * [ANSIENG-4233] | config fix for listener authentication * [ANSIENG-4233] | add config for connectors * [ANSIENG-4233] | code fix * [ANSIENG-4233] | code revert * [ANSIENG-4233] | add connector mtls config * [ANSIENG-4233] | delegate token fetch to broker for connector * Revert "Connect mtls ansieng 4233 (#72)" (#76) This reverts commit 57cc5e6. * [try-mtls] | c3 mtls support * [try-mtls] | adding c3 in mtls scenario * [try-mtls] | fix c3 bugs * [try-mtls] | adding impersonation users to molecule scenarios * [try-mtls] | fix kafka rest listener and conlfuent.license config * [try-mtls] | file based login in mtls only scenario added * [try-mtls] | fix oauth and ldap scenarios and confluent.license * [try-mtls] | send certs in kafka broker tasks for register cluster * [try-mtls] | fixing register cluster to run on internal token listener so it has sasl_ssl protocol instead of ssl for rbac over mtls * [mtls-connect] | making retries in get auth token configurable and increasing the default wait time as mds takes more time in upgrades * [mtls-connect] | adding ksql connect in molecule scenarios * [mtls-connect] | fix erp pm rules * [mtls-connect] | remove cyclic dependency in ssl_client_authentication and ssl_mutual_auth_enabled * [mtls-connect] | remove set fact for mtls old var * [mtls-connect] | add when conditions for extract principal --------- Co-authored-by: Mansi Jain <[email protected]>
|
|
|
🎉 All Contributor License Agreements have been signed. Ready to merge. |
…abled and ssl_client_authentication and askign for user confirmation for setting requested
…instead of oauth_enabled and ldap_with_oauth_enabled varaibles
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
This Pr aims to add support for RBAC over mTLS.
The includes changes for
Replicator changes will be raised in seperate PR
Fixes # (issue)
Type of change
How Has This Been Tested?
zookeeper
kraft
Checklist: