Enable ANONYMOUS with mTLS

[plakat]

Hi!
We're currently testing a Strimzi-based setup that replicates our Ansible-based (i.e. custom) Kafka installation. After integrating our own CA for client certificates (which was much harder than I expected) and enabling authorization, the setup works when a client presents a client certificate that corresponds to an ACL. We set up a listener on port 9094 like this:

- name: external
  port: 9094
  type: route
  tls: true
  authentication:
    tls

We now wanted to also enable ANONYMOUS connections via TLS (i.e. where the client validates the broker certificate but does not send a client certificate). This results in the SslAuthenticationException "SSL handshake failed" -- as should be expected with the ssl.client.auth=required setting that is put into the broker config for this listener by the operator.

Our current setup uses ssl.client.auth=requested, which is what we want to replicate with our Strimzi-based setup.

Since we're tunneling through an Openshift Route I think I can't expose an additional port that has authentication.tls=false, and I can't see a way to override ssl.client.auth to "requested", neither globally nor for one listener specifically. Checking the operator source code, this option is always set to "required" when authentication.tls=true.

Is there an existing way to enable both client certificates and ANONYMOUS aside from creating a custom image with the operator patched? We offer connections without client certificate due to simpler setup, especially in DEV environments, and many of our client projects take advantage of this currently. Client certificates is an uphill battle with developers anyway, so we'd prefer to keep that to cases where its strictly required by our Security department.

Any pointers appreciated.

BR,
Wolfram.

[scholzj]

Strimzi currently does not support this setup. And TBH, it makes little sense to me. If you want to allow ANONYMOUS connections, you can just disable the authentication in the first place because the optional authentication does not give you anything useful. However, you should be able to have to type: route listeners with different authentication settings if you want to (one with mTLS enabled and one without mTLS). They will simply have different bootstrap addresses, so you would need to make an intentional decision what kind of security you want to use.

[plakat]

Intended effect is that clients can authenticate with a certificate, but are not required to do so (remaining ANONYMOUS). ACLs are set up appropriately for different topics, specifically allowing access for ANONYMOUS when required. So yes, the setup does have some use, sparing projects from using client projects esp. in DEV.

Having ANONYMOUS as an option might not make that much sense from a security perspective, and after an internal discussion we'll go with that new requirement for the new clusters based upon Strimzi: those being based at GCP makes more stringent security requirements a good idea anyway.

So I gather having different listeners would work -- I'll try that out anyway. Thank you for your really fast response.