Authorizer is the abstraction of Kafka authorizers that Kafka brokers use to authorize actions based on access-control list (ACL).

From Wikipedia’s Access-control list:

An access-control list (ACL) is a list of permissions attached to an object.

An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

Authorizer is configured by configuration property.

Authorizer is a Configurable.

Authorizer is a Java’s Closeable to close any resources that may have been opened (at start up).

Authorizer abstraction is part of KIP-504 - Add new Java Authorizer Interface.
Table 1. Authorizer Contract
Method Description


Iterable<AclBinding> acls(
  AclBindingFilter filter)

Lists ACL bindings for the provided filter (synchronously)

Used when:


List<AuthorizationResult> authorize(
  AuthorizableRequestContext requestContext,
  List<Action> actions)

Authorizes the actions performed by the request (synchronously)

Used when KafkaApis is requested to authorize, filterAuthorized, and authorizedOperations.


List<? extends CompletionStage<AclCreateResult>> createAcls(
  AuthorizableRequestContext requestContext,
  List<AclBinding> aclBindings)

Creates new ACL bindings (asynchronously)

Used when:


List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
  AuthorizableRequestContext requestContext,
  List<AclBindingFilter> aclBindingFilters)

Deletes all ACL bindings that match the provided filters (asynchronously)

Used when:


Map<Endpoint, ? extends CompletionStage<Void>> start(
  AuthorizerServerInfo serverInfo)

Starts loading authorization metadata (asynchronously)

Returns futures that can be used to wait until metadata for authorizing requests on each listener is available. The future returned for each listener must return only when authorizer is ready to authorize requests on the listener.

Used when KafkaServer is requested to start up

Executed after configure (as a Configurable).
Table 2. Authorizers
Authorizer Description


Uses Apache ZooKeeper to persist ACLs


Wrapper of authorizers based on the deprecated API

results matching ""

    No results matching ""