ClientIdentity

Tom Bentley edited this page May 24, 2022 · 3 revisions

Some filters need to know the identity of the client, e.g. for audit logging or config policy.

But there are multiple ways a proxy might know this:

  1. By observing a successful authentication exchange (e.g. intercepting SaslHandshake and SaslAuthenticate RPCs)
  2. By authenticating the client on the proxy itself, and having the broker trust the identity passed to it from the proxy. See the authentication use case.

In order to be pluggable, the identity-using filters shouldn't need to know which of these methods is being used.

So we need a mechanism for one filter to pass the identity to later filters in the chain.
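One possible shape for such a mechanism, added here as an illustration and not taken from the project's code: a per-connection context that an identity-establishing filter writes once and later filters only read. All class, method and field names (`ConnectionContext`, `establish`, `handle`, `run_chain`, and the `kind`/`authcid` message fields) are assumptions, and the messages are constructed dicts standing in for Kafka RPCs.

```python
from collections import namedtuple

# established_by is kept for audit records; consuming filters never branch on it.
ClientIdentity = namedtuple("ClientIdentity", "principal established_by")

class ConnectionContext:
    """Hypothetical per-connection state shared by all filters in the chain."""
    identity = None
    def establish(self, identity):
        if self.identity is not None:  # set once: later filters cannot overwrite
            raise PermissionError("identity already established")
        self.identity = identity

class SaslObservingFilter:
    """Method 1: trust the claimed name only after the broker reports success."""
    _claimed = None
    def handle(self, ctx, msg):
        if msg["api"] == "SaslAuthenticate":
            if msg["kind"] == "request":
                self._claimed = msg["authcid"]  # unverified until the response
            elif msg["error_code"] == 0 and self._claimed:
                ctx.establish(ClientIdentity(self._claimed, "observed-sasl"))
        return msg

class ProxyAuthenticatedFilter:
    """Method 2: the proxy authenticated the client itself."""
    def __init__(self, principal):
        self._principal = principal
    def handle(self, ctx, msg):
        if ctx.identity is None:
            ctx.establish(ClientIdentity(self._principal, "proxy-authenticated"))
        return msg

class AuditFilter:
    """Consumer: reads ctx.identity and is unaware of which method set it."""
    def __init__(self):
        self.log = []
    def handle(self, ctx, msg):
        who = ctx.identity.principal if ctx.identity else "<unauthenticated>"
        self.log.append((who, msg["api"], msg["kind"]))
        return msg

def run_chain(filters, messages):
    """Pass each constructed message through the filters in order."""
    ctx = ConnectionContext()
    for msg in messages:
        for f in filters:
            msg = f.handle(ctx, msg)
    return ctx
```

The same `AuditFilter` works unchanged behind either identity source, and a failed SaslAuthenticate response leaves the connection without an identity.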
