KIP-1188 — New ConnectorClientConfigOverridePolicy with allowlist of configurations
Accepted Kafka 4.2 Connect
Introduces a new built-in ConnectorClientConfigOverridePolicy named AllowlistConnectorClientConfigOverridePolicy, with a configurable connector.client.config.override.policy.allowlist that restricts connector config overrides to an explicit set. Multiple CVEs (including RCE via the SASL JAAS JndiLoginModule) were exploitable under the default All policy; the None policy is too restrictive, while the Principal policy proved unsafe.
Details
| Field | Value |
| --- | --- |
| Author | Mickael Maison |
| Status | Accepted |
| Kafka Version | 4.2 |
| JIRA | KAFKA-19824 |
| Wiki | View on Apache Wiki |
| Created | 2025-06-20 |
| Last Modified | 2025-10-24 |