v0.18.0

@kroxylicious-robot kroxylicious-robot released this 28 Nov 12:54

0.18.0

  • #2922: build(deps): bump kafka.version from 4.1.0 to 4.1.1
  • #1318: Add FilterContext#topicNames to enable filters to retrieve names for topic ids
  • #2821: Fix OauthBearerValidationFilter unnecessarily copying the authentication bytes from an incoming request to a failed response
  • #2893: Add Subject, replace FilterContext#clientSaslAuthenticationSuccess
  • #2899: Add SaslSubjectBuilder API
  • #2913: Add TransportSubjectBuilder API, enable user to configure one per virtual cluster
  • #2899: Add the Authorizer API
  • #2903: Add an ACL Authorizer implementation
  • #2909: Add an Authorizer Filter that can authorize Topic operations
  • #2904: SaslInspection Filter publishes Subject using pluggable SaslSubjectBuilder
  • #2951: Allow SaslInspection to function as a barrier

Changes, deprecations and removals

  • Subject, Principal and User principal added to the io.kroxylicious.proxy.authentication package.
  • Subject authenticatedSubject(); added to FilterContext, enabling Filters to access the current authenticated Subject.
  • io.kroxylicious.proxy.authentication.SaslSubjectBuilder has been added to kroxylicious-api. This is an optional
    Service interface that SASL-oriented Filters can choose to load.
  • FilterContext#clientSaslAuthenticationSuccess(String mechanism, String authorizedId) is deprecated. Use
    FilterContext#clientSaslAuthenticationSuccess(String mechanism, Subject subject) instead. Initially the framework
    expects the Subject to contain a single io.kroxylicious.proxy.authentication.User principal which contains the
    authorizedId, though this may change in the future.
  • A Virtual Cluster now has a pluggable io.kroxylicious.proxy.authentication.TransportSubjectBuilder associated with it.
    This new Service is responsible for building a Subject from mTLS certificates presented by the client to the proxy.
    This is configurable on the virtual cluster using the subjectBuilder property:
    virtualClusters:
      - name: demo
        subjectBuilder:
          type: YourSubjectBuilderType
          config:
            your: "configObject"
  • A new module kroxylicious-authorizer-api has been added. This contains io.kroxylicious.authorizer.service.Authorizer,
    an interface which abstracts making an allow/deny decision about some Subject performing some Action on a resource.
  • The SaslInspection filter can be configured with a pluggable SaslSubjectBuilder using configuration like:
    type: SaslInspection
    config:
      subjectBuilder: YourSubjectBuilder
      subjectBuilderConfig:
        your: "config"
      enabledMechanisms:
        - SCRAM-SHA-512
  • AuthorizationFilter is added to the binary distribution and image. Note this is a new experimental Filter, not yet
    ready for production environments.
  • FilterContext now offers a topicNames method to map from topic ids to topic names. Caching the result is initially
    a Filter responsibility.