KIP-1116 — Adding new Principal Types on Standard ACL side for filtering KafkaPrincipal
Discussion Security
KIP-1116 proposes adding new principal types beyond `User` to the standard ACL system so that ACL rules can match groups of `KafkaPrincipal` identities without losing the original client identity in logs. Current workarounds using principal mapping rules (to embed group membership in the principal name) discard the unique client identity, making audit log attribution impossible.
Details
| Author | Franck LEDAY |
| Status | Discussion |
| JIRA | KAFKA-16707 |
| Created | 2024-11-24 |
| Last Modified | 2024-11-24 |