Enum Class SniValidationMode

java.lang.Object
java.lang.Enum<SniValidationMode>
io.confluent.kafka.server.plugins.auth.SniValidationMode
All Implemented Interfaces:
Serializable, Comparable<SniValidationMode>, Constable

public enum SniValidationMode extends Enum<SniValidationMode>
Enum class that represents the different modes of SNI host name validation in the authenticator.

optional_validation: v3 network architecture clusters:
  - If a clusterId-prefixed SNI is supplied, we do validation
  - Otherwise, no validation of the SNI host name is done

allow_legacy_bootstrap: v4 network architecture with legacy bootstrap (before all customers have changed bootstrap configs):
  - require SNI for the broker path
  - allow bootstrap hostnames that start with `pkc` and validate the ones that start with `lkc`

strict: v4 network architecture new clusters:
  - always require SNI, for both the bootstrap and broker paths

This mode can be configured through the JAAS config for OAuthBearerValidatorCallbackHandler and FileBasedPlainSaslAuthenticator.

  • Enum Constant Details

  • Field Details

  • Method Details

    • values

      public static SniValidationMode[] values()
      Returns an array containing the constants of this enum class, in the order they are declared.
      Returns:
      an array containing the constants of this enum class, in the order they are declared
    • valueOf

      public static SniValidationMode valueOf(String name)
      Returns the enum constant of this class with the specified name. The string must match exactly an identifier used to declare an enum constant in this class. (Extraneous whitespace characters are not permitted.)
      Parameters:
      name - the name of the enum constant to be returned.
      Returns:
      the enum constant with the specified name
      Throws:
      IllegalArgumentException - if this enum class has no constant with the specified name
      NullPointerException - if the argument is null
    • fromString

      public static SniValidationMode fromString(String text)
    • getText

      public String getText()
    • sniHostNameMatches

      public abstract boolean sniHostNameMatches(String expectedLogicalClusterId, Optional<String> suppliedClusterId, Optional<org.apache.kafka.common.security.authenticator.PathAwareSniHostName> sniHostName)
      Validates whether the supplied cluster ID matches the ground truth. Note that the `suppliedClusterId` argument exists because we decided to parse the clusterId from the SNI host name in the caller, so that we can log the clusterId in our audit log. We could instead have parsed it inside this validation method and removed this argument.
      Parameters:
      expectedLogicalClusterId - The expected cluster Id, i.e. ground truth.
      suppliedClusterId - The supplied cluster Id as parsed from SNI host name, so it will always start with `lkc-`.
      sniHostName - The SNI host name supplied by the clients.
      Returns:
      true if the logical clusters match, false otherwise