AclAuthorizer

AclAuthorizer (kafka.security.authorizer.AclAuthorizer) is an Authorizer that uses Apache Zookeeper to persist ACLs.

Note

AclAuthorizer is available since Apache Kafka 2.4.0 (and KIP-504 - Add new Java Authorizer Interface).

Demo

Demo: ACL Authorization

Configuration Properties

allow.everyone.if.no.acl.found

Controls whether or not the authorizer allows access to everyone when no ACLs are found for a resource.

Default: false

Used when:

authorizer.zookeeper.connection.timeout.ms

Default: zkConnectionTimeoutMs

authorizer.zookeeper.max.in.flight.requests

Default: zookeeper.max.in.flight.requests

authorizer.zookeeper.session.timeout.ms

Default: zookeeper.session.timeout.ms

authorizer.zookeeper.url

URL of the dedicated Zookeeper to store ACLs

Default: zookeeper.connect

super.users

A ;-separated list of KafkaPrincipals (in the format type:name) of super users who are allowed to execute operations without checking ACLs (i.e., they have access to all resources for all actions from all hosts).

Default: (empty)
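As an added example (not part of the original page), the broker-side server.properties fragment below shows the properties above in use, with the weak allow.everyone.if.no.acl.found=true setting left commented out next to the safe default. The hostnames and principal names are constructed placeholders; authorizer.class.name is the standard Kafka property for selecting the authorizer and is not described on this page.

```properties
# Select the Zookeeper-backed authorizer (Kafka 2.4.0+).
authorizer.class.name=kafka.security.authorizer.AclAuthorizer

# Weak setting (commented out): any resource that has no ACL is open to every
# authenticated principal, so a forgotten ACL becomes an open topic or group.
# allow.everyone.if.no.acl.found=true

# Hardened setting (the default): resources without ACLs are denied to everyone
# except the principals listed in super.users.
allow.everyone.if.no.acl.found=false

# Principals that bypass ACL checks entirely; keep this list short and audited.
# Format is type:name, entries separated by ';' (placeholder names).
super.users=User:admin;User:kafka-broker

# Optional: keep ACLs on a dedicated Zookeeper ensemble instead of the one in
# zookeeper.connect (placeholder hosts and chroot).
authorizer.zookeeper.url=zk-acl-1:2181,zk-acl-2:2181/kafka-acls
authorizer.zookeeper.connection.timeout.ms=6000
authorizer.zookeeper.session.timeout.ms=18000
```

Every principal in super.users is allowed without a lookup, so broker principals and any tooling identity placed there should be reviewed as carefully as the ACLs themselves.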

KafkaZkClient

AclAuthorizer creates a KafkaZkClient in configure and immediately requests it to createAclPaths.

This KafkaZkClient can use its own dedicated Zookeeper to store ACLs, depending on the authorizer.zookeeper.* configuration properties.

The KafkaZkClient is used when:

configure

configure(
  javaConfigs: ju.Map[String, _]): Unit

configure is part of the Configurable abstraction.


configure sets up superUsers.

configure reads the authorizer-specific configuration properties and the following:

configure uses zkClientConfigFromKafkaConfigAndMap to build a ZKClientConfig.

configure creates a KafkaZkClient (with the Zookeeper properties above) and the following:

  • ACL authorizer name
  • kafka.security metric group
  • AclAuthorizer metric type

AclAuthorizer's KafkaZkClient in jconsole

configure requests the KafkaZkClient to createAclPaths.

configure sets up extendedAclSupport flag.

In the end, configure starts the Zookeeper change listeners (startZkChangeListeners) and loads the ACL cache (loadCache).

AclChangeSubscription Listeners

AclAuthorizer initializes AclChangeSubscription listeners when startZkChangeListeners is executed.

Note

The list of AclChangeSubscription listeners is fixed.

extendedAclSupport

AclAuthorizer uses the extendedAclSupport flag to...FIXME

isSuperUser

isSuperUser(
  principal: KafkaPrincipal): Boolean

isSuperUser checks whether or not the KafkaPrincipal is a superuser.

If so, isSuperUser prints out the following DEBUG message to the logs and returns true.

principal = [principal] is a super user, allowing operation without checking acls.

Otherwise, isSuperUser returns false.


isSuperUser is used when:

Logging

Enable ALL logging level for kafka.authorizer.logger logger to see what happens inside.

Add the following line to config/log4j.properties:

log4j.logger.kafka.authorizer.logger=ALL

Refer to Logging.

Note

Please note that Kafka comes with a preconfigured kafka.authorizer.logger logger in config/log4j.properties:

log4j.appender.authorizerAppender=org.apache.log4j.DailyRollingFileAppender
log4j.appender.authorizerAppender.DatePattern='.'yyyy-MM-dd-HH
log4j.appender.authorizerAppender.File=${kafka.logs.dir}/kafka-authorizer.log
log4j.appender.authorizerAppender.layout=org.apache.log4j.PatternLayout
log4j.appender.authorizerAppender.layout.ConversionPattern=[%d] %p %m (%c)%n

# Access denials are logged at INFO level, change to DEBUG to also log allowed accesses
log4j.logger.kafka.authorizer.logger=INFO, authorizerAppender
log4j.additivity.kafka.authorizer.logger=false

That means that the logs of AclAuthorizer go to the logs/kafka-authorizer.log file at INFO logging level (access denials only, unless the level is lowered to DEBUG) and are not added to the main logs (since log4j.additivity is off).
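The following Python script is an added example, not code from the page or from Apache Kafka. It parses kafka-authorizer.log lines written with the [%d] %p %m (%c)%n layout shown above, separating INFO denials, DEBUG allowed decisions, and the isSuperUser DEBUG message from the isSuperUser section, and summarises denials per principal. The log lines are constructed, and the wording of the decision message ("Principal = ... is Denied Operation = ...") is an assumption about the authorizer's audit message, which may differ between Kafka versions.

```python
"""Summarise AclAuthorizer audit lines from kafka-authorizer.log.

Added example: the sample lines below are constructed, and the decision
message format is assumed rather than taken from the page.
"""
import re
from collections import Counter

# log4j layout "[%d] %p %m (%c)%n": timestamp, level, message, logger name.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) (?P<msg>.*?) \((?P<logger>[^)]+)\)$"
)

# Assumed authorizer decision message (allowed lines appear only at DEBUG).
DECISION_RE = re.compile(
    r"Principal = (?P<principal>\S+) is (?P<result>Allowed|Denied) "
    r"Operation = (?P<operation>\w+) from host = (?P<host>\S+) "
    r"on resource = (?P<resource>.+?) for request = (?P<request>\w+)"
)

# The isSuperUser DEBUG message quoted on the page.
SUPER_RE = re.compile(
    r"principal = (?P<principal>\S+) is a super user, "
    r"allowing operation without checking acls\."
)

# Constructed sample log (not real broker output).
SAMPLE_LOG = """\
[2024-01-15 10:00:01,123] INFO Principal = User:alice is Denied Operation = Write from host = 10.0.0.5 on resource = Topic:LITERAL:payments for request = Produce with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-01-15 10:00:02,456] DEBUG Principal = User:bob is Allowed Operation = Read from host = 10.0.0.7 on resource = Topic:LITERAL:orders for request = Fetch with resourceRefCount = 1 (kafka.authorizer.logger)
[2024-01-15 10:00:03,789] DEBUG principal = User:admin is a super user, allowing operation without checking acls. (kafka.authorizer.logger)
[2024-01-15 10:00:04,000] INFO Principal = User:alice is Denied Operation = Describe from host = 10.0.0.5 on resource = Group:LITERAL:payments-consumer for request = Metadata with resourceRefCount = 1 (kafka.authorizer.logger)
this line does not follow the layout and is skipped
"""


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a log line."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    event = {"ts": m.group("ts"), "level": m.group("level"), "logger": m.group("logger")}
    msg = m.group("msg")
    decision = DECISION_RE.match(msg)
    if decision:
        event["kind"] = "decision"
        event.update(decision.groupdict())
        return event
    super_user = SUPER_RE.match(msg)
    if super_user:
        # No ACL lookup happened for this request: worth tracking separately.
        event["kind"] = "superuser"
        event["principal"] = super_user.group("principal")
        return event
    event["kind"] = "other"
    event["msg"] = msg
    return event


def parse_log(text):
    """Parse every recognisable line of a kafka-authorizer.log excerpt."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def denials_by_principal(events):
    """Count Denied decisions per principal (the INFO-level audit signal)."""
    return Counter(
        e["principal"] for e in events
        if e["kind"] == "decision" and e["result"] == "Denied"
    )


def superuser_bypasses(events):
    """Principals that were allowed via super.users without an ACL check."""
    return [e["principal"] for e in events if e["kind"] == "superuser"]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("denials:", dict(denials_by_principal(evts)))
    print("super user bypasses:", superuser_bypasses(evts))
```

Because the log is rotated daily (DailyRollingFileAppender) and kept out of the main broker log, a detection pipeline has to ship kafka-authorizer.log separately; the superuser lines only exist when the logger runs at DEBUG, which is also what the "change to DEBUG" comment in the shipped log4j.properties enables.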