diff --git a/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl b/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
index f0b72a3ec..6dd0e566e 100644
--- a/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
+++ b/apps/emqx_auth_gssapi/src/emqx_authn_gssapi_schema.erl
@@ -44,9 +44,16 @@ fields(gssapi) ->
 required => true,
 desc => ?DESC(principal)
 })},
- {keytab_file,
+ {server_fqdn,
 ?HOCON(binary(), #{
 required => true,
+ desc => ?DESC(server_fqdn)
+ })},
+ {keytab_file,
+ ?HOCON(binary(), #{
+ required => false,
+ %% This is hidden for now because it has to be /etc/krb5.keytab
+ importance => ?IMPORTANCE_HIDDEN,
 desc => ?DESC(keytab_file)
 })}
 ].
diff --git a/rel/i18n/emqx_authn_gssapi_schema.hocon b/rel/i18n/emqx_authn_gssapi_schema.hocon
index 02c3cc847..875f8c965 100644
--- a/rel/i18n/emqx_authn_gssapi_schema.hocon
+++ b/rel/i18n/emqx_authn_gssapi_schema.hocon
@@ -8,8 +8,21 @@ principal {
 NOTE: The realm in use has to be configured in /etc/krb5.conf in EMQX nodes.~"""
 }
 
+server_fqdn {
+ label: "Server FQDN"
+ desc: """~
+ This is typically the network access point of the service, such as the DNS record of the load balancer endpoint.
+ However, it is not strictly necessary for it to be an accessible network address.
+ Important considerations include:
+
+ - It must match the FQDN used in the server's Kerberos principal, e.g., `mqtt/${SERVER_FQDN}@EXAMPLE.COM`.
+ - The client must use this exact value to request authentication services.
+
+ This ensures that the client and server agree on the identity being authenticated.~"""
+}
+
 keytab_file {
- label: "keytab file"
+ label: "Keytab File"
 desc: """~
 SASL GSSAPI authentication Kerberos keytab file path.
 NOTE: This file has to be placed in EMQX nodes.~"""
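Review bot: The comment on the now-hidden `keytab_file` field says the value has to be `/etc/krb5.keytab`, yet the field still accepts any `binary()` with `required => false` and no default, so the hunk does not make clear whether a user-supplied path is rejected, silently ignored, or actually used by the authenticator. A hidden-but-settable option whose value may diverge from what the runtime reads is easy to misconfigure; the comment should state the real behaviour, e.g. `%% Hidden for now: the authenticator reads /etc/krb5.keytab; a configured value is <ignored | must equal that path> — confirm against the GSSAPI authenticator`. Likewise `server_fqdn` is required but carries no validator, and since the i18n text ties it to the service principal `mqtt/${SERVER_FQDN}@REALM`, a one-line comment here saying that the value must match the host part of the keytab principal (and whether a mismatch fails at config load or only at authentication time) would help operators. `fields(gssapi)` starts before the hunk.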