Skip to content

011 - user namespace filter #80

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

011 - user namespace filter #80

wants to merge 1 commit into from

Conversation

k-wall
Copy link
Member

@k-wall k-wall commented Sep 19, 2025
edited
Loading

Proposes the introduction of a "User Namespace Filter" to Kroxylicious's core filters.

The role of the User Namespace Filter is to give the client a private space within the kafka cluster space that is isolated from other users sharing the cluster. Namespacing can be applied selectively to different resource types. This allows the possibility for some resource types (probably topics) to be shared between users while others (consumer group names and transactional ids) are private.

@k-wall k-wall requested a review from a team as a code owner September 19, 2025 13:20
robobario
robobario reviewed Sep 23, 2025
View reviewed changes
proposals/011-user-namespace.md

For the initial release, the filter will need to support only namespacing for consumer group names and transactional ids. There will be scope for the filter to support prefixing of topic resources, but this won’t be supported in the initial release.

This proposal will deliver a simple implementation of the API that simply uses the principal as the prefix.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Which Principal? Does it support SASL and TLS? authorizationId implies it's SASL oriented, I think the proposal should talk about this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Given #79 (comment), I think the mapper will accept the Subject and they'll be configuration saying what Principal type should be accessed from the Subject. If the Principal isn't present, it'll fail.

proposals/011-user-namespace.md
```java
interface ResourceNameMapper {
/** Return a mapping of downstream names to upstream names. */
CompletionStage<Map<String, String>> mapDownstreamResourceNames(String authorizationId, ResourceType resourceType, List<String> downstreamResourceNames);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

what would happen if there is no SASL transaction for a connection? Is authorizationId nullable? Or does the Filter not do any resource mapping if there is no authorizationId?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it only makes sense to use this filter when a filter has been established on the channel.

@k-wall k-wall mentioned this pull request Sep 24, 2025
Open
@k-wall k-wall added this to 2025_Q3 Sep 25, 2025
@k-wall
Copy link
Member Author

k-wall commented Sep 25, 2025

I said on the sync call, I'll iterate on the APIs in a PR then update the proposal.

@robobario robobario mentioned this pull request Oct 3, 2025
Closed
@tombentley tombentley moved this to In Progress in 2025_Q3 Oct 9, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@robobario robobario robobario left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@k-wall k-wall

Labels
None yet
Projects
2025_Q3
Status: In Progress
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@k-wall @robobario