| Mode | Protocol | Local service account | External service account |
|---|---|---|---|
| **Anonymous** | | | |
| GATEWAY_MANAGED | PLAINTEXT | ❌ | ❌ |
| | SSL | ❌ | ❌ |
| | SSL with client auth (mTLS) | ❌ | ✅ |
| | SSL | ❌ | ✅ |
| **SASL** | | | |
| | SASL_PLAINTEXT | ✅ | only if OAUTHBEARER |
| | SASL_SSL | ✅ | only if OAUTHBEARER |
| KAFKA_MANAGED | SASL_PLAINTEXT | ❌ | ✅ |
| | SASL_SSL | ❌ | ✅ |
`DELEGATED_XXX` security protocols have been deprecated in favour of the security mode, which is set by an additional environment variable, `GATEWAY_SECURITY_MODE`. These values remain supported for backward compatibility but will be deprecated in a future release and are no longer the recommendation for new configurations. If you're using `DELEGATED` security protocols, see the security mode migration guide.

With mTLS, the principal is by default the certificate's distinguished name, for example `CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown`. You can change this by setting the `GATEWAY_SSL_PRINCIPAL_MAPPING_RULES` environment variable to a customized rule. For example, `GATEWAY_SSL_PRINCIPAL_MAPPING_RULES=RULE:^CN=([a-zA-Z0-9.-]*).*$$/$$1/, DEFAULT` will extract the CN part of the certificate.

With SASL OAUTHBEARER, the principal is the subject claim (`sub` in the OIDC JWT token), which can be mapped to an external service account in Gateway. When `clientcredentials` is used, the `sub` of the JWT client token is used as the principal.
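The mapping-rule syntax above (`RULE:pattern/replacement/[LU]` entries followed by an optional `DEFAULT`) is the same one Kafka uses for `ssl.principal.mapping.rules`. The following is an added example, not Gateway's own code: a small Python implementation of that rule language applied to the DN from the page, so you can check what principal a given rule produces before deploying it. It assumes the doubled `$$` in the page's example is Docker Compose escaping of a literal `$`, and that, as in Kafka, a rule only applies when its pattern matches the whole DN and the first matching rule wins.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MappingRule:
    """One RULE:pattern/replacement/[LU] entry, or DEFAULT (pattern is None)."""
    pattern: Optional[re.Pattern]
    replacement: str = ""
    case: str = ""  # "L" lowercases the result, "U" uppercases it, "" leaves it


# One RULE:.../.../[LU] entry or the DEFAULT keyword. '\\.' lets an escaped
# slash survive inside a pattern; everything else stops at the next '/'.
_TOKEN = re.compile(r"RULE:((?:\\.|[^/])*)/((?:\\.|[^/])*)/([LU]?)|DEFAULT")


def unescape_compose(spec: str) -> str:
    """Docker Compose writes a literal '$' as '$$' (assumption: that is what the
    page's example shows); collapse it so the rule can be parsed."""
    return spec.replace("$$", "$")


def parse_rules(spec: str) -> list[MappingRule]:
    """Parse a comma-separated rule list in Kafka's ssl.principal.mapping.rules syntax."""
    rules: list[MappingRule] = []
    pos = 0
    for m in _TOKEN.finditer(spec):
        gap = spec[pos:m.start()]
        if gap.strip(" ,"):  # only commas and whitespace may separate entries
            raise ValueError(f"unparseable rule text: {gap!r}")
        if m.group(0) == "DEFAULT":
            rules.append(MappingRule(pattern=None))
        else:
            # Kafka uses $1-style group references; Python's Match.expand() wants \1
            py_repl = re.sub(r"\$(\d+)", r"\\\1", m.group(2))
            rules.append(MappingRule(re.compile(m.group(1)), py_repl, m.group(3)))
        pos = m.end()
    if spec[pos:].strip(" ,"):
        raise ValueError(f"unparseable rule text: {spec[pos:]!r}")
    if not rules:
        raise ValueError("no rules given")
    return rules


def map_principal(dn: str, rules: list[MappingRule]) -> str:
    """Return the principal for a certificate DN; the first applicable rule wins."""
    for rule in rules:
        if rule.pattern is None:  # DEFAULT: keep the full distinguished name
            return dn
        m = rule.pattern.fullmatch(dn)  # the whole DN must match, as in Kafka
        if m:
            out = m.expand(rule.replacement)
            if rule.case == "L":
                return out.lower()
            if rule.case == "U":
                return out.upper()
            return out
    # No rule applied and no DEFAULT: refuse rather than silently pass the DN through
    raise ValueError(f"no mapping rule applies to {dn!r}")


if __name__ == "__main__":
    dn = "CN=writeuser,OU=Unknown,O=Unknown,L=Unknown,ST=Unknown,C=Unknown"
    spec = unescape_compose("RULE:^CN=([a-zA-Z0-9.-]*).*$$/$$1/ , DEFAULT")
    print(map_principal(dn, parse_rules(spec)))   # writeuser
    print(map_principal(dn, parse_rules("DEFAULT")))  # the full DN
```

Two things worth checking with a tool like this before changing the variable: a rule list without `DEFAULT` rejects any certificate whose DN does not match (here it raises), and a CN-only rule collapses every certificate with the same CN onto one principal regardless of the rest of the DN, so make sure the issuing CA enforces unique CNs.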
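For the OAUTHBEARER path, the security-relevant detail is that `sub` only identifies a caller once the token's signature and expiry have been checked. The following is an added example, not Gateway's code: it builds a constructed JWT, verifies it, and only then looks the `sub` up in a (constructed) table of external service accounts. It uses HS256 with a shared key so that it runs offline; a real OIDC deployment verifies RS256/ES256 signatures against the provider's JWKS, and the `SERVICE_ACCOUNTS` table stands in for whatever mapping Gateway holds.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 JWT for the demo (stands in for the OIDC provider)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def principal_from_token(token: str, key: bytes, now: float | None = None) -> str:
    """Return the token's sub as the principal, but only after the signature and
    expiry check out; anything else is rejected."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # never let the token pick an algorithm we did not expect
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= current:
        raise ValueError("token expired")
    sub = claims.get("sub")
    if not sub:
        raise ValueError("token has no sub claim")
    return sub


# Constructed mapping of sub -> external service account name (assumption:
# Gateway keeps an equivalent mapping; the names here are invented)
SERVICE_ACCOUNTS = {
    "svc-orders-producer": "orders-producer",
    "svc-billing-consumer": "billing-consumer",
}


def resolve_external_service_account(sub: str) -> str | None:
    """Map a verified principal to its external service account, or None if unmapped."""
    return SERVICE_ACCOUNTS.get(sub)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    tok = make_token({"sub": "svc-orders-producer", "exp": int(time.time()) + 300}, key)
    sub = principal_from_token(tok, key)
    print(sub, "->", resolve_external_service_account(sub))
```

An unmapped but validly signed `sub` returns `None` here; the caller should treat that as "no service account" rather than falling back to the raw `sub`, otherwise any identity the OIDC provider issues becomes a usable principal.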