Strimzi Kafka is not able to authorize a client having certificates with subject containing additional information like organizational unit (ou), organization (o), country (c), state (st), and email address, along with the common name (cn)

[HundalTaran]

1. Kafkauser.yaml

apiVersion: kafka.strimzi.io/v1beta2
kind: KafkaUser
metadata:
  labels:
    strimzi.io/cluster: my-cluster
  name: user1
  namespace: jive
spec:
  authentication:
    type: tls-external
  authorization:
    acls:
    - operation: Read
      resource:
        name: Kafka_Collector
        type: group
    - operation: All
      resource:
        name: '*'
        patternType: literal
        type: topic
    type: simple
  userName: user1

2. Subject of my CA cert for kafka client:
   subject=emailAddress=[email protected],CN=user1,OU=PGD,O=def,L=Gurgaon,ST=HR,C=IN

I am facing error on kafkaclient:
Caused by: java.util.concurrent.ExecutionException: org.apache.kafka.common.errors.TopicAuthorizationException: Topic authorization failed.

On checking Strimzi kafka logs, following could be observed:

{
  "version": "1.2.0",
  "timestamp": "2024-07-11T05:19:35.733+00:00",
  "severity": "info",
  "service_id": "eric-data-messagebus-kf",
  **"message": "Principal = User:1.2.840.113549.1.9.1=#161c746172616e70726565742e6b617572406572696373736f6e2e636f6d,CN=user1,OU=PGD,O=def,L=Gurgaon,ST=HR,C=IN is Denied Operation = Describe from host = 10.2.49.139 on resource = Topic:LITERAL:topic1 for request = Metadata with. resourceRefCount = 1",**
  "metadata": {
    "container_name": "kafka",
    "pod_name": "my-cluster-kafka-0"
  },
  "extra_data": {
    "file": "AclAuthorizer.scala",
    "line": "628",
    "mbkf_cluster_name": "my-cluster"
  }
}
{
  "version": "1.2.0",
  "timestamp": "2024-07-11T05:19:35.733+00:00",
  "severity": "debug",
  "service_id": "eric-data-messagebus-kf",
  "message": "Completed request:{\"isForwarded\":false,\"requestHeader\":{\"requestApiKey\":3,\"requestApiVersion\":12,\"correlationId\":3,\"clientId\":\"Kafka_Collector-enumerator-admin-client\",\"requestApiKeyName\":\"METADATA\"},\"request\":{\"topics\":[{\"topicId\":\"AAAAAAAAAAAAAAAAAAAAAA\",\"name\":\"topic1\"}],\"allowAutoTopicCreation\":false,\"includeTopicAuthorizedOperations\":false},\"response\":{\"throttleTimeMs\":0,\"brokers\":[{\"nodeId\":0,\"host\":\"my-cluster-kafka-0.sample-ext.rnd.gic.se\",\"port\":32193,\"rack\":null}],\"clusterId\":\"1xUhk_M6QDynCEu2shjq6A\",\"controllerId\":0,\"topics\":[{\"errorCode\":29,\"name\":\"topic1\",\"topicId\":\"AAAAAAAAAAAAAAAAAAAAAA\",\"isInternal\":false,\"partitions\":[],\"topicAuthorizedOperations\":-2147483648}]},\"connection\":\"10.2.49.159:9094-10.2.49.139:53538-17\",\"totalTimeMs\":0.712,\"requestQueueTimeMs\":0.054,\"localTimeMs\":0.591,\"remoteTimeMs\":0.0,\"throttleTimeMs\":0,\"responseQueueTimeMs\":0.016,\"sendTimeMs\":0.049,\"securityProtocol\":\"SSL\",\"**principal\":\"User:1.2.840.113549.1.9.1=#161c746172616e70726565742e6b617572406572696373736f6e2e636f6d,CN=user1,OU=PGD,O=def,L=Gurgaon,ST=HR,C=IN\**",\"listener\":\"EXTERNALTLS-9094\",\"clientInformation\":{\"softwareName\":\"apache-kafka-java\",\"softwareVersion\":\"3.6.1\"}}",
  "metadata": {
    "container_name": "kafka",
    "pod_name": "my-cluster-kafka-0"
  },
  "extra_data": {
    "file": "RequestChannel.scala",
    "line": "276",
    "mbkf_cluster_name": "my-cluster"
  }
}

So, I tried to set property ssl.principal.mapping.rules: RULE:^CN=(.*?)(,|$) $1 but this property is forbidden by strimzi kafka.

What could be done in this case scenario?

[scholzj]

Please format your question to make it readable.

[HundalTaran]

Thanks for the reply.
I have formatted the logs and yaml in the question.

[scholzj]

Right, that is expected. When you use type: tls-external, you have to make sure that the subject of the xertificate is CN=<NameOfTheKafkaUserResource>. If you want to use certificates with different subjects, you can disable the User Operator and manage the users your self using the Kafka Admin API.