Authorizer

Authorizer is the abstraction of Kafka authorizers that Kafka brokers use to authorize actions based on access-control list (ACL).

From Wikipedia’s Access-control list:

An access-control list (ACL) is a list of permissions attached to an object.

An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

Authorizer is configured by authorizer.class.name configuration property.

Authorizer is a Configurable.

Authorizer is a Java’s Closeable to close any resources that may have been opened (at start up).

Note	`Authorizer` abstraction is part of KIP-504 - Add new Java Authorizer Interface.

Method Description

acls

Iterable<AclBinding> acls(
  AclBindingFilter filter)

Lists ACL bindings for the provided filter (synchronously)

Used when:

JAuthorizerService is requested to list ACLs for a filter
KafkaApis is requested to handle a DescribeAcls request

authorize

List<AuthorizationResult> authorize(
  AuthorizableRequestContext requestContext,
  List<Action> actions)

Authorizes the actions performed by the request (synchronously)

Used when KafkaApis is requested to authorize, filterAuthorized, and authorizedOperations.

createAcls

List<? extends CompletionStage<AclCreateResult>> createAcls(
  AuthorizableRequestContext requestContext,
  List<AclBinding> aclBindings)

Creates new ACL bindings (asynchronously)

Used when:

JAuthorizerService is requested to add ACLs for a resource
KafkaApis is requested to handle a CreateAcls request

deleteAcls

List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
  AuthorizableRequestContext requestContext,
  List<AclBindingFilter> aclBindingFilters)

Deletes all ACL bindings that match the provided filters (asynchronously)

Used when:

JAuthorizerService is requested to remove ACLs for the provided filters
KafkaApis is requested to handle a DeleteAcls request

start

Map<Endpoint, ? extends CompletionStage<Void>> start(
  AuthorizerServerInfo serverInfo)

Starts loading authorization metadata (asynchronously)

Returns futures that can be used to wait until metadata for authorizing requests on each listener is available. The future returned for each listener must return only when authorizer is ready to authorize requests on the listener.

Used when KafkaServer is requested to start up

Note	Executed after configure (as a Configurable).

Table 2. Authorizers
Authorizer	Description
AclAuthorizer	Uses Apache ZooKeeper to persist ACLs
AuthorizerWrapper	Wrapper of authorizers based on the deprecated `kafka.security.auth.Authorizer` API

Authorizer

Authorizer

results matching ""

No results matching ""