KAFKA-18919 Clarify that KafkaPrincipalBuilder classes must also implement KafkaPrincipalSerde (#19104)

In KRaft mode, custom KafkaPrincipalBuilder instances must implement KafkaPrincipalSerde. This PR updates all related documentation to highlight this requirement. Reviewers: Ken Huang <s7133700@gmail.com>, David Jacot <djacot@confluent.io>, TengYao Chi <kitingiao@gmail.com>, Chia-Ping Tsai <chia7712@gmail.com>
2025-03-05 22:25:09 +09:00 · 2025-03-05 22:25:09 +09:00 · 6ecf6817ad
parent 18eca0229d
commit 6ecf6817ad
3 changed files with 12 additions and 1 deletions
--- a/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
+++ b/clients/src/main/java/org/apache/kafka/common/config/internals/BrokerSecurityConfigs.java
@ -79,7 +79,9 @@ public class BrokerSecurityConfigs {
            "name from the client certificate if one is provided; otherwise, if client authentication is not required, " +
            "the principal name will be ANONYMOUS. For SASL authentication, the principal will be derived using the " +
            "rules defined by <code>" + SASL_KERBEROS_PRINCIPAL_TO_LOCAL_RULES_CONFIG + "</code> if GSSAPI is in use, " +
-            "and the SASL authentication ID for other mechanisms. For PLAINTEXT, the principal will be ANONYMOUS.";
+            "and the SASL authentication ID for other mechanisms. For PLAINTEXT, the principal will be ANONYMOUS. " +
+            "Note that custom implementations of <code>KafkaPrincipalBuilder</code> is required to implement <code>KafkaPrincipalSerde</code> " +
+            "interface, otherwise brokers will not be able to forward requests to the controller.";

    public static final String SSL_CLIENT_AUTH_CONFIG = "ssl.client.auth";
    public static final String SSL_CLIENT_AUTH_DEFAULT = SslClientAuth.NONE.toString();
--- a/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
+++ b/clients/src/main/java/org/apache/kafka/common/security/auth/KafkaPrincipalBuilder.java
@ -23,6 +23,10 @@ package org.apache.kafka.common.security.auth;
 * Note that the {@link org.apache.kafka.common.Configurable} and {@link java.io.Closeable}
 * interfaces are respected if implemented. Additionally, implementations must provide a
 * default no-arg constructor.
+ *
+ * Note that custom implementations of {@link KafkaPrincipalBuilder}
+ * must also implement {@link KafkaPrincipalSerde}, otherwise brokers will not be able to
+ * forward requests to the controller.
 */
 public interface KafkaPrincipalBuilder {
    /**
--- a/docs/zk2kraft.html
+++ b/docs/zk2kraft.html
@ -248,6 +248,11 @@
            (<code>create.topic.policy.class.name</code> and <code>alter.config.policy.class.name</code>) on the controller.
            <p>Note: If migrating from ZooKeeper mode, ensure policy JARs are moved from brokers to controllers.</p>
        </li>
+        <li>
+            <strong>Custom implementations of <code>KafkaPrincipalBuilder</code></strong>:
+            In KRaft mode, custom implementations of <code>KafkaPrincipalBuilder</code> must also implement <code>KafkaPrincipalSerde</code>; otherwise brokers will not be able to
+            forward requests to the controller.
+        </li>
    </ul>
 </div>
 <!--#include virtual="../includes/_footer.htm" -->