Strimzi Operator
About the Strimzi Operator
Strimzi is an open source Kubernetes operator that deploys and manages Kafka clusters (ZooKeeper and brokers). On this page we discuss the Strimzi configuration and commands that are used most often in Kafka administration.
Please also refer to the Strimzi Documentation for some advanced information on administering a Kafka cluster with Strimzi.
Principal Chain Builder
If you want to enable principal chain based ACL authentication, you need to configure a custom principal builder class on the brokers. The principal builder decides which principal name a connecting client gets, and that name is what the ACLs are matched against.
kafka:
  fullName: "kafka-local"
  kafka:
    config:
      default.replication.factor: 1
      min.insync.replicas: 1
      principal.builder.class: io.axual.security.auth.SslPrincipalBuilder
For the above to work, you will need to provide a broker image that contains that class on the broker's class path. The default Strimzi base images do not ship this class, so this feature does not work out of the box with them.
Why should I enable principal chain based ACL authentication?
Kafka's default principal builder uses only the Distinguished Name (DN) of the client certificate to identify a principal. If you are installing Axual in a multi-tenant environment, you may have different CAs for different tenants. These different CAs can each issue a certificate with the same DN, which means the DN alone does not uniquely identify a principal. A client from one tenant could then be granted access to resources of another tenant whose ACLs name the same DN.
By using the whole certificate chain (the DNs of the issuing CAs plus the DN of the client certificate) to identify the principal instead of the DN alone, you can safely use certificates to identify principals across different tenants on the same Kafka cluster.
So, for example, with the default Kafka principal builder we could have the following principal:
CN=app,O=Axual,C=NL
Using the principal chain mechanism, instead, the principal would be:
[0] CN=RootCA, [1] CN=Intermediate1, [2] CN=AppCert,O=MyOrg,C=NL
which uniquely identifies the principal.
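The following is an added example of what such a principal builder looks like; it is not the source of Axual's io.axual.security.auth.SslPrincipalBuilder (which this page does not show) and the package and class names are assumed. It implements Kafka's KafkaPrincipalBuilder interface, reads the client chain from the TLS session of an mTLS listener, and produces a name in the "[0] CN=RootCA, [1] ..., [n] CN=AppCert,..." format used above, root first, so that two clients with the same leaf DN but different CAs get different principals.

```java
// Added example, not Axual's SslPrincipalBuilder. Package and class name are assumed.
package com.example.auth;

import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.security.auth.AuthenticationContext;
import org.apache.kafka.common.security.auth.KafkaPrincipal;
import org.apache.kafka.common.security.auth.KafkaPrincipalBuilder;
import org.apache.kafka.common.security.auth.SslAuthenticationContext;

/**
 * Names a client by its entire certificate chain instead of only the leaf DN.
 * Configure with principal.builder.class=com.example.auth.ChainPrincipalBuilder
 * and put the jar on the broker class path (custom broker image).
 */
public class ChainPrincipalBuilder implements KafkaPrincipalBuilder {

    @Override
    public KafkaPrincipal build(AuthenticationContext context) {
        // Only mTLS listeners carry a verified client chain. Anything else (PLAINTEXT, SASL)
        // is mapped to ANONYMOUS here so it can never collide with a certificate identity.
        if (!(context instanceof SslAuthenticationContext)) {
            return KafkaPrincipal.ANONYMOUS;
        }
        SSLSession session = ((SslAuthenticationContext) context).session();
        Certificate[] chain;
        try {
            // JSSE returns the chain the peer presented and the trust manager accepted, leaf first.
            // A client that presented no certificate is reported as unverified and rejected.
            chain = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            throw new AuthenticationException("client certificate required on this listener", e);
        }
        return new KafkaPrincipal(KafkaPrincipal.USER_TYPE, chainName(chain));
    }

    /**
     * Builds "[0] root DN, [1] intermediate DN, ..., [n] leaf DN" from a leaf-first chain.
     * Separated from build() so it can be unit-tested with a constructed chain.
     */
    static String chainName(Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            throw new AuthenticationException("empty client certificate chain");
        }
        List<String> names = new ArrayList<>(chain.length);
        // Walk from the last certificate (highest CA the client sent) down to the leaf.
        for (int i = chain.length - 1; i >= 0; i--) {
            if (!(chain[i] instanceof X509Certificate)) {
                throw new AuthenticationException("non-X.509 certificate in client chain");
            }
            X509Certificate cert = (X509Certificate) chain[i];
            // RFC 2253 string form, e.g. "CN=app,O=Axual,C=NL", so equal DNs always render equally.
            String dn = cert.getSubjectX500Principal().getName();
            names.add("[" + names.size() + "] " + dn);
        }
        return String.join(", ", names);
    }
}
```

Two practical consequences follow from this design. First, ACL entries must name the full chain, e.g. User:[0] CN=RootCA, [1] CN=Intermediate1, [2] CN=AppCert,O=MyOrg,C=NL, because that whole string is now the principal name. Second, the name is built from the chain the client actually sends: a TLS client that omits the root certificate from its bundle will be named from the intermediate downwards and so gets a different principal than the same client with the root included. Keep client keystores consistent in what they send, and remember that a CA DN in the principal is only trustworthy because the broker's truststore caused the trust manager to accept that chain.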