AclAuthorizer

AclAuthorizer (kafka.security.authorizer.AclAuthorizer) is an Authorizer that uses Apache ZooKeeper to persist ACLs.

Note
AclAuthorizer is available since Apache Kafka 2.4.0 (KIP-504 - Add new Java Authorizer Interface).

AclAuthorizer uses properties for configuration (when KafkaServer is requested to start up).

AclAuthorizer can use its own dedicated ZooKeeper ensemble for ACLs, configured with the authorizer.zookeeper.url property (which may be different from the cluster's ZooKeeper given by zookeeper.connect).

AclAuthorizer uses a dedicated KafkaZkClient to access ZooKeeper.

Table 1. AclAuthorizer’s Configuration Properties

allow.everyone.if.no.acl.found
  Allows all users to access resources with no ACL.
  Default: false

authorizer.zookeeper.connection.timeout.ms

authorizer.zookeeper.max.in.flight.requests

authorizer.zookeeper.session.timeout.ms

authorizer.zookeeper.url
  URL of the dedicated ZooKeeper to store ACLs (can be different from zookeeper.connect).

super.users
  Semicolon-separated list of Kafka principals that are super users and have access to all the resources for all actions from all hosts.
  Default: (empty)

Tip

Enable the ALL logging level for the kafka.authorizer.logger logger to see what happens inside.

Add the following line to config/log4j.properties:

log4j.logger.kafka.authorizer.logger=ALL

Refer to Logging.


Please note that Kafka comes with a preconfigured kafka.authorizer.logger logger in config/log4j.properties:

log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n

# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender
log4j.additivity.kafka.authorizer.logger=false

That means that the logs of AclAuthorizer go to the kafka-authorizer.log file (under ${kafka.logs.dir}) at INFO logging level, so by default only access denials are recorded (allowed accesses require DEBUG), and they are not added to the main logs since log4j.additivity for the logger is off.
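As an added example (not from the page or from Kafka's own code base), the following parser reads kafka-authorizer.log lines written with the ConversionPattern above and summarises denials per principal and host. The sample lines are constructed for the example; their message body follows the shape of AclAuthorizer's audit message (Principal = … is Allowed/Denied Operation = … from host = … on resource = …), and the trailing "for request" and "with resourceRefCount" parts are treated as optional so lines without them still parse.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the "[%d] %p %m (%c)%n" layout of
# config/log4j.properties. Principals, hosts and topics are invented.
# With the default INFO level only Denied lines appear; the DEBUG line
# shows what is added once the logger is raised to DEBUG.
SAMPLE_LOG = """\
[2020-03-01 10:15:01,123] INFO Principal = User:alice is Denied Operation = Write from host = 10.0.0.5 on resource = Topic:LITERAL:orders for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2020-03-01 10:15:01,456] DEBUG Principal = User:alice is Allowed Operation = Read from host = 10.0.0.5 on resource = Topic:LITERAL:orders for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2020-03-01 10:15:02,001] INFO Principal = User:mallory is Denied Operation = Describe from host = 203.0.113.7 on resource = Cluster:LITERAL:kafka-cluster for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
[2020-03-01 10:15:02,002] INFO Principal = User:mallory is Denied Operation = Read from host = 203.0.113.7 on resource = Topic:LITERAL:payments for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2020-03-01 10:15:03,900] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)
"""

# One regex for the whole line: timestamp, level, the audit message fields,
# and the logger name in parentheses. Unrelated loggers simply do not match.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) "
    r"Principal = (?P<principal>\S+) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)"
    r"(?: for request = (?P<request>\S+))?"
    r"(?: with resourceRefCount = (?P<refcount>\d+))?"
    r" \(kafka\.authorizer\.logger\)$"
)


@dataclass(frozen=True)
class AuthzEvent:
    ts: str
    level: str
    principal: str
    result: str       # "Allowed" or "Denied"
    operation: str
    host: str
    resource: str     # e.g. "Topic:LITERAL:orders"
    request: Optional[str]


def parse_line(line: str) -> Optional[AuthzEvent]:
    """Parse one log line; return None for lines from other loggers or unknown formats."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return AuthzEvent(m["ts"], m["level"], m["principal"], m["result"],
                      m["operation"], m["host"], m["resource"], m["request"])


def parse_log(text: str) -> List[AuthzEvent]:
    return [e for e in (parse_line(line) for line in text.splitlines()) if e is not None]


def denials_by_principal(events: List[AuthzEvent]) -> Dict[Tuple[str, str], int]:
    """Count Denied events per (principal, host) pair."""
    counts: Counter = Counter()
    for e in events:
        if e.result == "Denied":
            counts[(e.principal, e.host)] += 1
    return dict(counts)


def flag_repeat_denials(events: List[AuthzEvent], threshold: int = 2) -> List[Tuple[str, str]]:
    """(principal, host) pairs denied at least `threshold` times: a cheap signal for
    misconfigured clients or for someone probing resources they have no ACL for."""
    return sorted(k for k, n in denials_by_principal(events).items() if n >= threshold)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, n in denials_by_principal(events).items():
        print(f"{key[0]} from {key[1]}: {n} denial(s)")
    print("repeat offenders:", flag_repeat_denials(events))
```

Because log4j.additivity is off for this logger, these lines live only in kafka-authorizer.log, so any log shipping for the broker has to pick up that file separately from the main server log.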

configure Method

configure(
  javaConfigs: util.Map[String, _]): Unit
Note
configure is part of the Configurable contract to pass configurations.

configure creates a KafkaZkClient (using the properties in the given javaConfigs) with the kafka.security metric group, the AclAuthorizer metric type and the ACL authorizer logger prefix.

Figure 1. AclAuthorizer’s KafkaZkClient in jconsole

configure requests the KafkaZkClient to createAclPaths.

configure then starts the ZooKeeper change listeners (startZkChangeListeners) and loads the ACL cache (loadCache).

start Method

start(
  serverInfo: AuthorizerServerInfo): util.Map[Endpoint, _ <: CompletionStage[Void]]
Note
start is part of the Authorizer contract to…FIXME.

start…FIXME

authorize Method

authorize(
  requestContext: AuthorizableRequestContext,
  actions: List[Action]): List[AuthorizationResult]
Note
authorize is part of the Authorizer contract to…FIXME.

authorize…FIXME

createAcls Method

createAcls(
  requestContext: AuthorizableRequestContext,
  aclBindings: util.List[AclBinding]): util.List[_ <: CompletionStage[AclCreateResult]]
Note
createAcls is part of the Authorizer contract to…FIXME.

createAcls…FIXME

deleteAcls Method

deleteAcls(
  requestContext: AuthorizableRequestContext,
  aclBindingFilters: util.List[AclBindingFilter]): util.List[_ <: CompletionStage[AclDeleteResult]]
Note
deleteAcls is part of the Authorizer contract to…FIXME.

deleteAcls…FIXME

acls Method

acls(
  filter: AclBindingFilter): lang.Iterable[AclBinding]
Note
acls is part of the Authorizer contract to…FIXME.

acls…FIXME

isSuperUser Method

isSuperUser(
  principal: KafkaPrincipal): Boolean

isSuperUser…FIXME

Note
isSuperUser is used when AclAuthorizer is requested to authorizeAction.

authorizeAction Internal Method

authorizeAction(
  requestContext: AuthorizableRequestContext,
  action: Action): AuthorizationResult

authorizeAction…FIXME

Note
authorizeAction is used when AclAuthorizer is requested to authorize.

aclsAllowAccess Internal Helper Method

aclsAllowAccess: Boolean

aclsAllowAccess is positive (true) when…FIXME

isEmptyAclAndAuthorized Internal Helper Method

isEmptyAclAndAuthorized(acls: Set[Acl]): Boolean

isEmptyAclAndAuthorized is positive (true) when the given acls are empty and the shouldAllowEveryoneIfNoAclIsFound internal flag (set from the allow.everyone.if.no.acl.found property) is positive. Otherwise, isEmptyAclAndAuthorized is negative (false).

isEmptyAclAndAuthorized prints out the following DEBUG message when positive:

No acl found for resource [resource], authorized = [shouldAllowEveryoneIfNoAclIsFound]
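The following is an added example, not AclAuthorizer's own code: a simplified Python model of the decision path described on this page (super.users, isSuperUser, isEmptyAclAndAuthorized with the allow.everyone.if.no.acl.found flag, and the DEBUG message above). It goes beyond the page in one respect: the ACL matching it applies is Kafka's documented behaviour, where a matching Deny ACL on the requested operation wins over any Allow, the User:* principal and the * host act as wildcards, and an Allow on Read, Write, Delete or Alter also grants Describe. Resources are (type, name) tuples and the name "*" is the wildcard resource; PREFIXED resource patterns are deliberately left out. The configuration and ACLs in the demo are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Simplified model of AclAuthorizer's decision path, written for this page;
# it is not Kafka's own implementation. PREFIXED patterns are not modelled.
WILDCARD = "*"
WILDCARD_PRINCIPAL = "User:*"
ALLOW, DENY = "Allow", "Deny"

# An Allow ACL on any operation in the set also grants the key operation
# (Kafka's implied operations for Describe and DescribeConfigs).
IMPLIED_ALLOW = {
    "Describe": {"Describe", "Read", "Write", "Delete", "Alter"},
    "DescribeConfigs": {"DescribeConfigs", "AlterConfigs"},
}

Resource = Tuple[str, str]  # (resource type, resource name)


@dataclass(frozen=True)
class Acl:
    principal: str   # "User:alice", or WILDCARD_PRINCIPAL
    host: str        # "10.0.0.5", or WILDCARD
    operation: str   # "Read", "Write", ..., or "All"
    permission: str  # ALLOW or DENY


class AclAuthorizerModel:
    def __init__(self, config: Dict[str, str], acls: Dict[Resource, Set[Acl]]):
        # super.users: semicolon-separated principals, default empty
        raw = config.get("super.users", "")
        self.super_users: FrozenSet[str] = frozenset(p.strip() for p in raw.split(";") if p.strip())
        # allow.everyone.if.no.acl.found: default false
        self.allow_everyone = config.get("allow.everyone.if.no.acl.found", "false").lower() == "true"
        self.acls = acls
        self.log: List[str] = []  # stands in for the DEBUG messages of kafka.authorizer.logger

    def is_super_user(self, principal: str) -> bool:
        return principal in self.super_users

    def is_empty_acl_and_authorized(self, acls: Set[Acl], resource: Resource) -> bool:
        if not acls and self.allow_everyone:
            self.log.append(f"No acl found for resource {resource[0]}:{resource[1]}, authorized = True")
            return True
        return False

    def matching_acls(self, resource: Resource) -> Set[Acl]:
        rtype, rname = resource
        return self.acls.get((rtype, rname), set()) | self.acls.get((rtype, WILDCARD), set())

    @staticmethod
    def acl_match(acls: Set[Acl], principal: str, host: str, operation: str, permission: str) -> bool:
        return any(
            a.permission == permission
            and a.principal in (principal, WILDCARD_PRINCIPAL)
            and a.operation in (operation, "All")
            and a.host in (host, WILDCARD)
            for a in acls
        )

    def authorize(self, principal: str, host: str, operation: str, resource: Resource) -> str:
        if self.is_super_user(principal):
            return "Allowed"
        acls = self.matching_acls(resource)
        if self.is_empty_acl_and_authorized(acls, resource):
            return "Allowed"
        # A Deny on the exact operation wins over any Allow; otherwise an Allow on
        # the operation (or on one that implies it) is required.
        deny = self.acl_match(acls, principal, host, operation, DENY)
        allow = any(self.acl_match(acls, principal, host, op, ALLOW)
                    for op in IMPLIED_ALLOW.get(operation, {operation}))
        return "Allowed" if (not deny and allow) else "Denied"


# Constructed configuration and ACLs for the demo (not from a real cluster).
DEMO_CONFIG = {"super.users": "User:admin;User:kafka", "allow.everyone.if.no.acl.found": "false"}
DEMO_ACLS: Dict[Resource, Set[Acl]] = {
    ("Topic", "orders"): {
        Acl("User:alice", WILDCARD, "Read", ALLOW),
        Acl("User:alice", "10.0.0.99", "Read", DENY),        # alice blocked from one host
        Acl(WILDCARD_PRINCIPAL, WILDCARD, "Describe", ALLOW),  # anyone may describe
    },
    ("Topic", "audit"): set(),  # no ACLs at all
}


def demo() -> Dict[str, str]:
    auth = AclAuthorizerModel(DEMO_CONFIG, DEMO_ACLS)
    return {
        "super_user": auth.authorize("User:kafka", "10.0.0.1", "Write", ("Topic", "orders")),
        "alice_read": auth.authorize("User:alice", "10.0.0.5", "Read", ("Topic", "orders")),
        "alice_read_denied_host": auth.authorize("User:alice", "10.0.0.99", "Read", ("Topic", "orders")),
        "alice_describe_implied": auth.authorize("User:alice", "10.0.0.5", "Describe", ("Topic", "orders")),
        "bob_describe_wildcard": auth.authorize("User:bob", "1.2.3.4", "Describe", ("Topic", "orders")),
        "bob_read": auth.authorize("User:bob", "1.2.3.4", "Read", ("Topic", "orders")),
        "no_acl_default": auth.authorize("User:bob", "1.2.3.4", "Read", ("Topic", "audit")),
    }


def demo_allow_everyone() -> Tuple[str, List[str]]:
    """Same ACLs with allow.everyone.if.no.acl.found=true: the ACL-less topic opens up."""
    cfg = dict(DEMO_CONFIG, **{"allow.everyone.if.no.acl.found": "true"})
    auth = AclAuthorizerModel(cfg, DEMO_ACLS)
    return auth.authorize("User:bob", "1.2.3.4", "Read", ("Topic", "audit")), auth.log


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
    print(demo_allow_everyone())
```

The two demo functions make the operational point of the flag concrete: with the default (false) a topic that nobody has written an ACL for is closed to everyone but super users, whereas with allow.everyone.if.no.acl.found=true the same topic is readable by any authenticated principal, with only a DEBUG-level line recording that no ACL was found.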

AclAuthorizer and KafkaZkClient

zkClient: KafkaZkClient

zkClient is a KafkaZkClient that is created and requested to createAclPaths when AclAuthorizer is requested to configure.

AclAuthorizer uses the KafkaZkClient for the following:

KafkaZkClient is requested to close when AclAuthorizer is closed.

startZkChangeListeners Internal Method

startZkChangeListeners(): Unit

startZkChangeListeners…FIXME

Note
startZkChangeListeners is used when AclAuthorizer is requested to configure.

loadCache Internal Method

loadCache(): Unit

loadCache…FIXME

Note
loadCache is used when AclAuthorizer is requested to configure.

updateResourceAcls Internal Method

updateResourceAcls(
  resource: Resource)(
  getNewAcls: Set[Acl] => Set[Acl]): Boolean

updateResourceAcls…FIXME

Note
updateResourceAcls is used when AclAuthorizer is requested to createAcls and deleteAcls.

updateAclChangedFlag Internal Method

updateAclChangedFlag(
  resource: Resource): Unit

updateAclChangedFlag…FIXME

Note
updateAclChangedFlag is used when AclAuthorizer is requested to updateResourceAcls.

getAclsFromZk Internal Method

getAclsFromZk(
  resource: Resource): VersionedAcls

getAclsFromZk…FIXME

Note
getAclsFromZk is used when AclAuthorizer is requested to…FIXME
