Deployment patterns for mTLS authentication with RBAC authorization in Confluent Platform

When you use mutual TLS (mTLS) authentication with role-based access control (RBAC) in your Confluent Platform deployments, the following patterns are available. These patterns differ based on whether mTLS authentication also uses token-based authentication and the type of credentials that the client provides.

Depending on how mTLS with RBAC is deployed, the authentication behavior at the server and the type of credentials the client provides differ. If you include token-based authentication, RBAC authorization also uses a different principal extraction method.

The following table summarizes the supported deployment patterns, the authentication behavior, and the principal extraction methods.

Deployment pattern: mTLS authentication

  Authentication behavior: Authentication requires the client to pass a certificate. If the client does not pass a certificate, client authentication fails.

  Principal extraction: The principal is extracted from the certificate.

Deployment pattern: mTLS authentication with optional token authentication

  Authentication behavior: Authentication options include:

    • certificate (mTLS)
    • certificate plus token

  The client must pass a valid certificate, but can optionally pass a token too. If the server is configured for both certificate and token authentication and the client passes both credentials, both must be valid.

  Principal extraction: Principal extraction is first attempted from a token. If no token is passed, the certificate is used. If the client passes both credentials, the principal from the token is used.

Principal extraction example

The following example demonstrates how principals are extracted based on the credentials provided. In this example, the certificate subject name is CN=alice and the token subject is bob. The request below includes both a certificate and a token.

# Example request with both certificate and token
curl \
  --cacert ca-cert.pem \
  --cert client-cert.pem \
  --key client-key.pem \
  --pass <CLIENT_KEY_PASSWORD> \
  -H "Authorization: Bearer <jwt>" \
  -H "accept: application/json" \
  -X GET "https://<CONFLUENT_HOST>:<PORT>/resource"

Certificate SN (Subject Name):

CN = alice, OU = TEST, O = CONFLUENT, L = PaloAlto, ST = Ca, C = US

Decoded token from API request:

{
   "sub": "bob",
   "name": "Bob The Builder",
   "iat": 1516239022
}

Principal extraction behavior

When you use mTLS authentication with RBAC authorization, the principal is extracted based on the type of credentials that the client provides.

  • If only a certificate is provided: the certificate CN is used. For example, User:alice from CN=alice.
  • If a token is provided (with or without a certificate): the token subject is used. For example, User:bob from the token’s sub claim.
  • If neither a certificate nor a token is provided: authentication fails.
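The precedence rules above, modeled as an added example (not Confluent Platform code): the token's sub claim wins when token authentication is enabled and a token is present, the certificate CN is used otherwise, and a request with neither credential is rejected. The certificate subject and the JWT are constructed fixtures that reuse the page's alice/bob values; the `token_auth_enabled` flag is an assumption standing in for the server's configuration, and signature verification is assumed to have happened before extraction.

```python
import base64
import json
from typing import Optional

# Constructed certificate subject, matching the page's example.
CERT_SUBJECT = "CN = alice, OU = TEST, O = CONFLUENT, L = PaloAlto, ST = Ca, C = US"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature. Constructed test
    fixture only: a real server verifies the signature before extraction."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{_b64url(b'not-a-real-signature')}"


def parse_cn(subject: str) -> str:
    """Return the CN attribute from a comma-separated subject name."""
    for rdn in subject.split(","):
        key, _, value = rdn.partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("certificate subject has no CN attribute")


def decode_jwt_sub(token: str) -> str:
    """Return the 'sub' claim of an already-verified compact JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))["sub"]


def extract_principal(cert_subject: Optional[str], token: Optional[str],
                      token_auth_enabled: bool) -> str:
    """Apply the page's precedence: token sub first (when token auth is
    enabled), otherwise certificate CN, otherwise authentication fails."""
    if token_auth_enabled and token is not None:
        return "User:" + decode_jwt_sub(token)
    if cert_subject is not None:
        return "User:" + parse_cn(cert_subject)
    raise PermissionError("authentication failed: no certificate or token")


if __name__ == "__main__":
    jwt = make_unsigned_jwt({"sub": "bob", "name": "Bob The Builder", "iat": 1516239022})
    print(extract_principal(CERT_SUBJECT, jwt, True))   # User:bob
    print(extract_principal(CERT_SUBJECT, None, True))  # User:alice
```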