From d8423d8160ed177621e8fb977a88bd3bf6ec168b Mon Sep 17 00:00:00 2001
From: rrbadiani
Date: Wed, 9 Oct 2024 11:06:58 +0530
Subject: [PATCH] [ANSIENG-4231] | mds config changes

---
 roles/common/tasks/rbac_setup.yml | 7 +++++++
 roles/variables/vars/main.yml | 32 ++++++++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 5 deletions(-)

diff --git a/roles/common/tasks/rbac_setup.yml b/roles/common/tasks/rbac_setup.yml
index 45878bba0..bf47b55b8 100644
--- a/roles/common/tasks/rbac_setup.yml
+++ b/roles/common/tasks/rbac_setup.yml
@@ -7,6 +7,11 @@
 oauth_password: "{{ oauth_superuser_client_password }}"
 ldap_user: "{{ mds_super_user }}"
 ldap_password: "{{ mds_super_user_password }}"
+ client_cert: "{{ kafka_broker_cert_path }}"
+ client_key: "{{ kafka_broker_key_path }}"
+
+- set_fact:
+ send_client_cert: "{{ ssl_client_authentication in ['required', 'requested'] }}"
 
 - name: Get Kafka Cluster ID from Embedded Rest Proxy
 uri:
@@ -18,6 +23,8 @@
 headers:
 Content-Type: application/json
 Authorization: "Bearer {{ authorization_token }}"
+ client_cert: "{{ kafka_broker_cert_path if send_client_cert|bool else omit }}"
+ client_key: "{{ kafka_broker_key_path if send_client_cert|bool else omit }}"
 register: cluster_id_query
 until: cluster_id_query.status == 200
 retries: "{{ mds_retries }}"
diff --git a/roles/variables/vars/main.yml b/roles/variables/vars/main.yml
index 17b1f1de5..8461ed849 100644
--- a/roles/variables/vars/main.yml
+++ b/roles/variables/vars/main.yml
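Review bot: The first hunk passes `client_cert`/`client_key` unconditionally to the task whose module line is above the hunk, while the second hunk (the `uri` call at @@ -18) gates the same two arguments on `send_client_cert`; because `send_client_cert` is only set in the `set_fact` that follows the first task, the first task always dereferences `kafka_broker_cert_path` and `kafka_broker_key_path`, which presumably fails with an undefined variable on hosts that have no broker certificate paths defined. Move the `set_fact` above the first task and use the same form there: `client_cert: "{{ kafka_broker_cert_path if send_client_cert|bool else omit }}"` and `client_key: "{{ kafka_broker_key_path if send_client_cert|bool else omit }}"`. The `set_fact` also has no `name:`; `- name: Decide whether to present the broker client certificate to MDS` keeps play output readable. The enclosing task of the first hunk starts outside the hunk.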
@@ -571,10 +571,10 @@ kafka_broker_properties:
 enabled: "{{ rbac_enabled and not external_mds_enabled and oauth_enabled and oauth_groups_claim != 'none'}}"
 properties:
 confluent.metadata.server.oauthbearer.groups.claim.name: "{{oauth_groups_claim}}"
- rbac_mds_ssl:
- enabled: "{{ rbac_enabled and not external_mds_enabled and oauth_enabled and mds_ssl_enabled }}"
- properties:
- confluent.metadata.server.ssl.endpoint.identification.algorithm: https
+ # rbac_mds_ssl:
+ # enabled: "{{ rbac_enabled and not external_mds_enabled and oauth_enabled and mds_ssl_enabled }}"
+ # properties:
+ # confluent.metadata.server.ssl.endpoint.identification.algorithm: https
 rbac_mds_ldap:
 enabled: "{{ rbac_enabled and not external_mds_enabled and ( (not oauth_enabled) or (oauth_enabled and ldap_with_oauth_enabled)) }}"
 # For backwards compatibility, need to make sure ldap_config var is honored
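Review bot: Commenting out the `rbac_mds_ssl` block leaves four dead lines in the vars file and silently drops the explicit `confluent.metadata.server.ssl.endpoint.identification.algorithm: https` setting without saying what replaces it. Git history already preserves the old block, so delete the lines outright and record the reason in a single comment where the block was, e.g. `# rbac_mds_ssl removed (ANSIENG-4231): <reason the endpoint identification setting is no longer needed here>`; if the removal is temporary, a TODO with the ticket is the minimum. The commit message should name the reason as well, because dropping an explicit TLS hostname-verification setting is exactly the change a later audit will ask about.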
@@ -595,6 +595,28 @@ kafka_broker_properties:
 confluent.metadata.server.ssl.keystore.type: BCFKS
 confluent.metadata.server.ssl.truststore.type: BCFKS
 confluent.metadata.server.http2.enabled: false
+ rbac_mds_mtls_only:
+ enabled: "{{ rbac_enabled and not external_mds_enabled and mds_ssl_enabled|bool and auth_mode == 'mtls' }}"
+ properties:
+ confluent.metadata.server.user.store: NONE
+ rbac_mds_client_authentication:
+ enabled: "{{ rbac_enabled and not external_mds_enabled and mds_ssl_enabled|bool and ssl_client_authentication != 'none' }}"
+ properties:
+ confluent.metadata.server.ssl.client.authentication: "{{ ssl_client_authentication | upper }}"
+ rbac_mds_impersonation_super_users:
+ enabled: "{{ rbac_enabled|bool and not external_mds_enabled|bool and impersonation_super_users|length > 0 }}"
+ properties:
+ confluent.metadata.server.impersonation.super.users: >-
+ {%- for user in impersonation_super_users -%}
+ {{ ';' if loop.index > 1}}User:{{ user }}
+ {%- endfor -%}
+ rbac_mds_impersonation_protected_users:
+ enabled: "{{ rbac_enabled|bool and not external_mds_enabled|bool and impersonation_protected_users|length > 0 }}"
+ properties:
+ confluent.metadata.server.impersonation.protected.users: >-
+ {%- for user in impersonation_protected_users -%}
+ {{ ';' if loop.index > 1}}User:{{ user }}
+ {%- endfor -%}
 rbac_mds_sso:
 enabled: "{{ rbac_enabled and not external_mds_enabled and sso_mode != 'none' }}"
 properties:
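Review bot: The two Jinja loops that build `confluent.metadata.server.impersonation.super.users` and `...protected.users` are duplicated and depend on `>-` folding plus `{%-`/`-%}` trimming to keep spaces out of the value; the same result is a one-line filter chain, `confluent.metadata.server.impersonation.super.users: "{{ impersonation_super_users | map('regex_replace', '^', 'User:') | join(';') }}"` (and likewise for the protected list), which reads directly and leaves no whitespace to get wrong. Separately, `rbac_mds_mtls_only` sets `confluent.metadata.server.user.store: NONE` whenever `auth_mode == 'mtls'`, but the `rbac_mds_ldap` `enabled` condition visible in the previous hunk does not look at `auth_mode`, so with OAuth off both blocks can be enabled at once; if `rbac_mds_ldap` also sets `user.store`, which value wins depends on merge order and should be pinned, e.g. by adding `and auth_mode != 'mtls'` to the LDAP condition. The new `enabled` expressions also mix `rbac_enabled` with `rbac_enabled|bool`; pick one form for the file. Since the impersonation lists appear to grant listed principals the ability to act as other users, a comment above each block naming where the lists are defined and that they are expected to stay minimal would help the next maintainer.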
@@ -694,7 +716,7 @@ kafka_broker_properties:
 kafka.rest.public.key.path: "{{rbac_enabled_public_pem_path}}"
 kafka.rest.confluent.metadata.bootstrap.server.urls: "{{mds_bootstrap_server_urls}}"
 embedded_rest_proxy_rbac_ldap:
- enabled: "{{ kafka_broker_rest_proxy_enabled and rbac_enabled and not oauth_enabled }}"
+ enabled: "{{ kafka_broker_rest_proxy_enabled and rbac_enabled and not auth_mode == 'ldap' }}"
 properties:
 kafka.rest.confluent.metadata.basic.auth.user.info: "{{kafka_broker_ldap_user | default('kafka') }}:{{kafka_broker_ldap_password | default('pass')}}"
 kafka.rest.confluent.metadata.http.auth.credentials.provider: BASIC
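Review bot: `not auth_mode == 'ldap'` enables the `embedded_rest_proxy_rbac_ldap` block exactly when the auth mode is not LDAP, which reads as inverted for a block that configures `BASIC` credentials from `kafka_broker_ldap_user`/`kafka_broker_ldap_password`; the previous `not oauth_enabled` presumably meant "LDAP is the mode in use", so the intended replacement is probably `enabled: "{{ kafka_broker_rest_proxy_enabled and rbac_enabled and auth_mode == 'ldap' }}"`. If the wider condition is deliberate, the `default('kafka')`/`default('pass')` fallbacks on the unchanged `basic.auth.user.info` line now take effect in mTLS and OAuth deployments that define no LDAP user, so the rest proxy would present placeholder basic-auth credentials to MDS; that should be stated in a comment above the block or the defaults removed. Either way, write the comparison as `auth_mode != 'ldap'` rather than `not auth_mode == 'ldap'`, since `not` binding looser than `==` is easy to misread.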