Principal data serialization #53
Comments
Hi Thor! Yeah, that seems like a valid request. I wonder what the best approach would be for achieving that 🤔 I guess we could defer to a different serializer based on the principal type. Did I understand correctly that yours was a custom one? Or is there one for OAuth included in Kafka? I couldn't find one from a cursory search.
Well, there is some default support for OAuth in Kafka, however I do not think that default implementation actually comes with an OAuth principal by default. We are using an authentication plugin that comes with the Strimzi operator so the concrete principal is this: https://github.com/strimzi/strimzi-kafka-oauth/blob/main/oauth-server/src/main/java/io/strimzi/kafka/oauth/server/OAuthKafkaPrincipal.java But yes, I also wonder what approach would make the most sense. Could also be a standard serializer picking up the standard Java properties. Basically we would love to have access to the raw JWT since the JWT functions in OPA are pretty good. I have just forked the OPA authorizer so I was experimenting with some serialization.
Yeah, doing JWT validation in OPA, and policy decisions based on claims makes perfect sense. @scholzj any idea about how to best go on about allowing this?
Yeah, it sounds like a good idea. But TBH, I have no idea what is the best way to implement it as a generic functionality which would work for any kind of principal implementation, as there can be more different principal implementations than just the one from Strimzi OAuth.
Yeah. I agree. I am not even sure what it will look like if Jackson is just serializing out the Strimzi principal. But for sure there could be other principal implementations.

It does seem, however, that Kafka comes with a base class for OAuth that defines a method for getting the token in its base64 encoded form. I am experimenting a bit with trying to rely on that instead of the specific Strimzi implementation. I'll let you know if I find a way that is only relying on the Kafka standard classes.
We were looking at replacing some custom authorization policies with OPA policies. The authorizations that are being replaced are based on OAuth 2.0 based authentication and thus the principal is derived from KafkaPrincipal, i.e., a subclass. The OAuth principal carries information on the claims from the OAuth JWT which may be used for authorization in the rego policies.

However, currently the authorizer explicitly converts the principal to a KafkaPrincipal before serializing to JSON and sending the request to OPA. This way we lose all extra information from the JWT.

Would it be possible to change the principal serialization to support a more generic serialization supporting KafkaPrincipal subclasses?
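One way to do the "standard serializer picking up the standard Java properties" idea from the thread, as an added example that is not the authorizer's own code: a hypothetical Jackson serializer that always emits the two KafkaPrincipal fields and then adds the simple bean getters declared by any subclass (such as an OAuth principal's claim accessors), so the extra data reaches the OPA input document without the authorizer knowing the concrete type. It assumes Jackson databind and Kafka's KafkaPrincipal on the classpath.

```java
import java.io.IOException;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Locale;

import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

/** Hypothetical serializer: standard fields first, then subclass bean properties. */
public class PrincipalSerializer extends JsonSerializer<KafkaPrincipal> {

    @Override
    public void serialize(KafkaPrincipal principal, JsonGenerator gen, SerializerProvider provider)
            throws IOException {
        gen.writeStartObject();
        gen.writeStringField("principalType", principal.getPrincipalType());
        gen.writeStringField("name", principal.getName());

        // Walk the concrete class up to, but excluding, KafkaPrincipal itself.
        for (Class<?> c = principal.getClass(); c != null && c != KafkaPrincipal.class; c = c.getSuperclass()) {
            for (Method m : c.getDeclaredMethods()) {
                if (!isSimpleGetter(m)) continue;
                try {
                    Object value = m.invoke(principal);
                    if (value != null) {
                        provider.defaultSerializeField(propertyName(m.getName()), value, gen);
                    }
                } catch (ReflectiveOperationException e) {
                    // A getter that throws is skipped; the request is still serialized.
                }
            }
        }
        gen.writeEndObject();
    }

    // Public, non-static, zero-argument getX()/isX() returning a JSON-friendly scalar.
    private static boolean isSimpleGetter(Method m) {
        int mods = m.getModifiers();
        if (!Modifier.isPublic(mods) || Modifier.isStatic(mods) || m.getParameterCount() != 0) return false;
        String n = m.getName();
        boolean named = (n.startsWith("get") && n.length() > 3) || (n.startsWith("is") && n.length() > 2);
        Class<?> r = m.getReturnType();
        boolean scalar = r == String.class || r == Boolean.class || Number.class.isAssignableFrom(r)
                || (r.isPrimitive() && r != void.class);
        return named && scalar;
    }

    private static String propertyName(String getter) {
        String rest = getter.startsWith("is") ? getter.substring(2) : getter.substring(3);
        return rest.substring(0, 1).toLowerCase(Locale.ROOT) + rest.substring(1);
    }
}
```

Register it with `new SimpleModule().addSerializer(KafkaPrincipal.class, new PrincipalSerializer())` on the ObjectMapper used for the OPA request; only scalar getters are picked up, so nested objects such as a full token payload would still need an explicit mapping.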