AclAuthorizer
AclAuthorizer (kafka.security.authorizer.AclAuthorizer) is an Authorizer that uses Apache Zookeeper to persist ACLs.
Note
AclAuthorizer is available since Apache Kafka 2.4.0 (KIP-504 - Add new Java Authorizer Interface).
Demo
Configuration Properties
allow.everyone.if.no.acl.found
Controls whether or not the authorizer allows access to everyone when no ACLs are found for a resource.
Default: false
Used when:
authorizer.zookeeper.connection.timeout.ms
Default: zkConnectionTimeoutMs (the broker's zookeeper.connection.timeout.ms)
authorizer.zookeeper.max.in.flight.requests
Default: zookeeper.max.in.flight.requests (of the broker)
authorizer.zookeeper.session.timeout.ms
Default: zookeeper.session.timeout.ms (of the broker)
authorizer.zookeeper.url
URL of the dedicated Zookeeper to store ACLs
Default: zookeeper.connect (of the broker)
super.users
A ;-separated list of KafkaPrincipals (in the format type:name) of super users who are allowed to execute operations without checking ACLs (i.e., they have access to all resources, for all actions, from all hosts).
Default: (empty)
KafkaZkClient
AclAuthorizer creates a KafkaZkClient in configure and immediately requests it to createAclPaths.
This KafkaZkClient can use its own dedicated Zookeeper to store ACLs, depending on the configuration properties.
The KafkaZkClient is used when:
configure
configure(javaConfigs: ju.Map[String, _]): Unit
configure is part of the Configurable abstraction.
configure sets up superUsers.
configure reads the authorizer-specific configuration properties and the following:
configure uses zkClientConfigFromKafkaConfigAndMap to build a ZKClientConfig.
configure creates a KafkaZkClient (with the properties) and the following:
name: ACL authorizer
metric group: kafka.security
metric type: AclAuthorizer
configure requests the KafkaZkClient to createAclPaths.
configure sets up the extendedAclSupport flag.
In the end, configure calls startZkChangeListeners and loadCache.
AclChangeSubscription Listeners
AclAuthorizer initializes the AclChangeSubscription listeners in startZkChangeListeners.
Note
The list of AclChangeSubscription listeners is fixed.
extendedAclSupport
AclAuthorizer uses the extendedAclSupport flag to...FIXME
isSuperUser
isSuperUser(principal: KafkaPrincipal): Boolean
isSuperUser checks whether or not the KafkaPrincipal is a super user.
If so, isSuperUser prints out the following DEBUG message to the logs and returns true:
principal = [principal] is a super user, allowing operation without checking acls.
Otherwise, isSuperUser returns false.
isSuperUser is used when:
AclAuthorizer is requested to authorizeByResourceType and authorizeAction
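The following is an added example for this page (not Kafka's own code) that models how the configuration properties above are interpreted: the authorizer.zookeeper.* overrides with their broker fallbacks, super.users parsing into type:name principals, the isSuperUser short-circuit, and the allow.everyone.if.no.acl.found fallback. The ACL store is a deliberately simplified allow-only map keyed by resource, and the KeyError on a missing ZooKeeper setting is a modelling choice, not Kafka behaviour.

```python
"""Model of AclAuthorizer's configuration semantics (added illustration, not Kafka code)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Authorizer-specific properties and the broker-level property each falls back to.
ZK_FALLBACKS = {
    "authorizer.zookeeper.url": "zookeeper.connect",
    "authorizer.zookeeper.connection.timeout.ms": "zookeeper.connection.timeout.ms",
    "authorizer.zookeeper.session.timeout.ms": "zookeeper.session.timeout.ms",
    "authorizer.zookeeper.max.in.flight.requests": "zookeeper.max.in.flight.requests",
}


def resolve_zk_settings(authorizer_configs: Dict[str, str],
                        broker_configs: Dict[str, str]) -> Dict[str, str]:
    """Effective ZooKeeper settings: an authorizer.* value wins, otherwise the
    broker's own zookeeper.* value is used. Missing both is treated as an error
    here (modelling choice)."""
    effective = {}
    for prop, fallback in ZK_FALLBACKS.items():
        value = authorizer_configs.get(prop, broker_configs.get(fallback))
        if value is None:
            raise KeyError(f"neither {prop} nor {fallback} is configured")
        effective[prop] = value
    return effective


@dataclass(frozen=True)
class KafkaPrincipal:
    principal_type: str
    name: str

    @classmethod
    def parse(cls, text: str) -> "KafkaPrincipal":
        # Format is type:name; split on the first colon only, since a name
        # (e.g. an X.500 DN) may itself contain colons.
        if ":" not in text:
            raise ValueError(f"expected type:name, got {text!r}")
        ptype, name = text.split(":", 1)
        if not ptype or not name:
            raise ValueError(f"empty type or name in {text!r}")
        return cls(ptype, name)

    def __str__(self) -> str:
        return f"{self.principal_type}:{self.name}"


def parse_super_users(value: Optional[str]) -> FrozenSet[KafkaPrincipal]:
    """super.users is a ';'-separated list; absent or blank means no super users."""
    if value is None or not value.strip():
        return frozenset()
    return frozenset(KafkaPrincipal.parse(p.strip())
                     for p in value.split(";") if p.strip())


AclEntry = Tuple[KafkaPrincipal, str]  # (principal, operation) that is allowed


@dataclass
class AuthorizerModel:
    super_users: FrozenSet[KafkaPrincipal]
    allow_everyone_if_no_acl_found: bool
    acls: Dict[str, Set[AclEntry]]  # resource name -> allow entries (simplified)

    def is_super_user(self, principal: KafkaPrincipal) -> bool:
        return principal in self.super_users

    def authorize(self, principal: KafkaPrincipal, operation: str, resource: str) -> bool:
        # Super users bypass the ACL check entirely (the DEBUG message case).
        if self.is_super_user(principal):
            return True
        entries = self.acls.get(resource)
        # The "allow everyone" fallback applies only when the resource has NO
        # ACLs at all; as soon as one ACL exists, unmatched principals are denied.
        if not entries:
            return self.allow_everyone_if_no_acl_found
        return (principal, operation) in entries
```

Note the fallback edge: with allow.everyone.if.no.acl.found=true, a topic with no ACLs is open to every authenticated principal, but adding a single ACL to that topic closes it for everyone else, which is why the flag is usually left at its default of false once ACLs are in use.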
Logging
Enable ALL logging level for the kafka.authorizer.logger logger to see what happens inside.
Add the following line to config/log4j.properties:
log4j.logger.kafka.authorizer.logger=ALL
Refer to Logging.
Note
Kafka comes with a preconfigured kafka.authorizer.logger logger in config/log4j.properties:
log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n
# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender
log4j.additivity.kafka.authorizer.logger=false
That means that the logs of AclAuthorizer go to the logs/kafka-authorizer.log file at INFO logging level (access denials only; allowed accesses also appear once the level is DEBUG) and are not added to the main logs (since log4j.additivity is off).
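As an added example (not part of the page or of Kafka), here is a small reader for kafka-authorizer.log that follows the ConversionPattern shown above, "[%d] %p %m (%c)%n", keeps only lines from the kafka.authorizer.logger logger, and summarizes denials per principal and resource. The allow/deny message layout ("Principal = ... is Denied Operation = ... on resource = ...") is an assumption modelled on AclAuthorizer's decision line; the super-user message is the one quoted in the isSuperUser section. The log lines are constructed for the example.

```python
"""Summarize AclAuthorizer decisions from kafka-authorizer.log (added example, not Kafka code)."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# ConversionPattern "[%d] %p %m (%c)%n" from config/log4j.properties:
# [timestamp] LEVEL message (logger-name)
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) (?P<msg>.*) \((?P<logger>[^()]+)\)$")

# Assumed layout of the authorizer's decision message (not quoted from the page).
DECISION_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<decision>Allowed|Denied) "
    r"Operation = (?P<operation>\S+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>\S+)")

# The DEBUG message emitted by isSuperUser (quoted in the page).
SUPER_RE = re.compile(r"principal = (?P<principal>\S+) is a super user", re.IGNORECASE)

# Constructed sample log lines.
SAMPLE_LOG = [
    "[2023-05-01 10:00:01,001] INFO Principal = User:bob is Denied Operation = Read from host = 10.0.0.5 "
    "on resource = Topic:LITERAL:orders for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)",
    "[2023-05-01 10:00:01,250] INFO Principal = User:bob is Denied Operation = Describe from host = 10.0.0.5 "
    "on resource = Topic:LITERAL:orders for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)",
    "[2023-05-01 10:00:02,000] DEBUG Principal = User:alice is Allowed Operation = Write from host = 10.0.0.7 "
    "on resource = Topic:LITERAL:orders for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)",
    "[2023-05-01 10:00:03,000] DEBUG principal = User:admin is a super user, allowing operation without "
    "checking acls. (kafka.authorizer.logger)",
    "[2023-05-01 10:00:05,000] INFO [KafkaServer id=0] started (kafka.server.KafkaServer)",
]


def parse_authorizer_line(line: str) -> Optional[dict]:
    """Return a decision/superuser event for a kafka.authorizer.logger line, else None."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or m.group("logger") != "kafka.authorizer.logger":
        return None
    msg = m.group("msg")
    d = DECISION_RE.search(msg)
    if d:
        return {"kind": d.group("decision").lower(), "level": m.group("level"),
                "principal": d.group("principal"), "operation": d.group("operation"),
                "host": d.group("host"), "resource": d.group("resource")}
    s = SUPER_RE.search(msg)
    if s:
        return {"kind": "superuser", "level": m.group("level"), "principal": s.group("principal")}
    return None


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Count denials per (principal, resource), allows per principal, super-user bypasses per principal."""
    denied, allowed, superuser = Counter(), Counter(), Counter()
    for line in lines:
        ev = parse_authorizer_line(line)
        if ev is None:
            continue
        if ev["kind"] == "denied":
            denied[(ev["principal"], ev["resource"])] += 1
        elif ev["kind"] == "allowed":
            allowed[ev["principal"]] += 1
        else:
            superuser[ev["principal"]] += 1
    return {"denied": dict(denied), "allowed": dict(allowed), "superuser": dict(superuser)}


def noisy_principals(summary: Dict[str, dict], threshold: int = 2) -> List[str]:
    """Principals with at least `threshold` denials in total, sorted by name."""
    per_principal = Counter()
    for (principal, _resource), n in summary["denied"].items():
        per_principal[principal] += n
    return sorted(p for p, n in per_principal.items() if n >= threshold)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    print("repeated denials:", noisy_principals(report))
```

With the shipped INFO level only the "Denied" lines and the super-user DEBUG line are absent or present accordingly; the "Allowed" entry in the sample only shows up after raising kafka.authorizer.logger to DEBUG (or ALL, as the section above describes), which is the setting to use when you need a complete record of who accessed what.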