Authorizer

Authorizer is the abstraction of Kafka authorizers that Kafka brokers use to authorize actions based on access-control lists (ACLs).

From Wikipedia’s Access-control list:

An access-control list (ACL) is a list of permissions attached to an object.

An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

Authorizer is configured by the authorizer.class.name configuration property.

Authorizer is a Configurable.

Authorizer is a Java Closeable, so that any resources that may have been opened (at start up) can be closed.

Note
Authorizer abstraction is part of KIP-504 - Add new Java Authorizer Interface.

Table 1. Authorizer Contract
Method Description

acls

Iterable<AclBinding> acls(
  AclBindingFilter filter)

Lists ACL bindings for the provided filter (synchronously)

Used when:

authorize

List<AuthorizationResult> authorize(
  AuthorizableRequestContext requestContext,
  List<Action> actions)

Authorizes the actions performed by the request (synchronously)

Used when KafkaApis is requested to authorize, filterAuthorized, and authorizedOperations.

createAcls

List<? extends CompletionStage<AclCreateResult>> createAcls(
  AuthorizableRequestContext requestContext,
  List<AclBinding> aclBindings)

Creates new ACL bindings (asynchronously)

Used when:

deleteAcls

List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
  AuthorizableRequestContext requestContext,
  List<AclBindingFilter> aclBindingFilters)

Deletes all ACL bindings that match the provided filters (asynchronously)

Used when:

start

Map<Endpoint, ? extends CompletionStage<Void>> start(
  AuthorizerServerInfo serverInfo)

Starts loading authorization metadata (asynchronously)

Returns futures that can be used to wait until metadata for authorizing requests on each listener is available. The future returned for each listener must return only when authorizer is ready to authorize requests on the listener.

Used when KafkaServer is requested to start up

Note
Executed after configure (as a Configurable).

Table 2. Authorizers
Authorizer Description

AclAuthorizer

Uses Apache ZooKeeper to persist ACLs

AuthorizerWrapper

Wrapper of authorizers based on the deprecated kafka.security.auth.Authorizer API
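
The contract in Table 1, implemented end to end as an added example (not code from this page or from the Kafka project). The class name InMemoryAuthorizer is hypothetical, and the example assumes an in-memory ACL set, exact matching on principal, operation and resource pattern, and no host check.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.server.authorizer.*;

// Hypothetical class (not Kafka's). Assumes exact principal/operation/resource matches; host is ignored.
public class InMemoryAuthorizer implements Authorizer {
  private final Set<AclBinding> bindings = ConcurrentHashMap.newKeySet();
  @Override public void configure(Map<String, ?> configs) { } // runs before start()
  @Override public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo serverInfo) {
    // No metadata to load, so the future for every listener is already complete.
    Map<Endpoint, CompletableFuture<Void>> ready = new HashMap<>();
    for (Endpoint e : serverInfo.endpoints()) ready.put(e, CompletableFuture.completedFuture(null));
    return ready;
  }
  @Override public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
    String principal = ctx.principal().toString(); // e.g. "User:alice"
    List<AuthorizationResult> results = new ArrayList<>();
    for (Action action : actions) {
      boolean allowed = false, denied = false;
      for (AclBinding b : bindings) {
        AccessControlEntry ace = b.entry();
        if (!b.pattern().equals(action.resourcePattern()) || !ace.principal().equals(principal)
            || ace.operation() != action.operation()) continue;
        if (ace.permissionType() == AclPermissionType.DENY) denied = true; else allowed = true;
      }
      // Deny by default; an explicit DENY overrides any ALLOW. One result per action, in order.
      results.add(allowed && !denied ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED);
    }
    return results;
  }
  @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx, List<AclBinding> aclBindings) {
    List<CompletableFuture<AclCreateResult>> out = new ArrayList<>();
    for (AclBinding b : aclBindings) { bindings.add(b); out.add(CompletableFuture.completedFuture(AclCreateResult.SUCCESS)); }
    return out;
  }
  @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
    List<CompletableFuture<AclDeleteResult>> out = new ArrayList<>();
    for (AclBindingFilter f : filters) {
      List<AclDeleteResult.AclBindingDeleteResult> removed = new ArrayList<>();
      for (AclBinding b : bindings) if (f.matches(b) && bindings.remove(b)) removed.add(new AclDeleteResult.AclBindingDeleteResult(b));
      out.add(CompletableFuture.completedFuture(new AclDeleteResult(removed)));
    }
    return out;
  }
  @Override public Iterable<AclBinding> acls(AclBindingFilter filter) { return bindings.stream().filter(filter::matches).collect(Collectors.toList()); }
  @Override public void close() { bindings.clear(); }
}
```

A broker would load such a class by having it on its classpath and setting authorizer.class.name to the class's fully qualified name.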
