KIP-880 — X509 SAN based SPIFFE URI ACL within mTLS Client Certificates
Tags: Discussion, Security
KIP-880 proposes a `KafkaPrincipalBuilder` implementation that extracts SPIFFE URIs from the X.509 SAN (Subject Alternative Name) extension of mTLS client certificates and returns them as `KafkaPrincipal` objects for use in ACL rules. Istio-managed microservices in Kubernetes use SPIFFE-based SVID certificates for workload identity, but Kafka's existing mTLS principal extraction only reads the `CN` field, forcing operators to configure separate authentication mechanisms rather than reusing the Istio-provided identity.
Details
| Author | Bart Van Bos |
| Status | Discussion |
| JIRA | KAFKA-14340 |
| Wiki | View on Apache Wiki |
| Created | 2022-10-29 |
| Last Modified | 2022-10-29 |