Authorizer
Authorizer is an abstraction of broker authorizers that Kafka brokers use to authorize operations based on an access-control list (ACL).
From Wikipedia's Access-control list:
An access-control list (ACL) is a list of permissions attached to an object.
An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.
Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.
Authorizer is configured using the authorizer.class.name configuration property.
KIP-504
The Authorizer abstraction is part of KIP-504 - Add new Java Authorizer Interface.
Contract
ACL Bindings
```java
Iterable<AclBinding> acls(
  AclBindingFilter filter)
```
Returns the ACL bindings matching the given filter (synchronously)
Used when:
- Authorizer is requested to authorizeByResourceType
- AuthorizerService is requested to getAcls
- AclApis is requested to handleDescribeAcls
authorize
```java
List<AuthorizationResult> authorize(
  AuthorizableRequestContext requestContext,
  List<Action> actions)
```
Authorizes the given actions performed by the request (synchronously)
Used when:
- Authorizer is requested to authorizeByResourceType
- AuthHelper is requested to authorize, authorizedOperations and filterByAuthorized
createAcls
```java
List<? extends CompletionStage<AclCreateResult>> createAcls(
  AuthorizableRequestContext requestContext,
  List<AclBinding> aclBindings)
```
Creates new ACL bindings (asynchronously)
Used when:
- AuthorizerService is requested to addAcls
- AclApis is requested to handleCreateAcls
deleteAcls
```java
List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
  AuthorizableRequestContext requestContext,
  List<AclBindingFilter> aclBindingFilters)
```
Deletes all ACL bindings matching the given aclBindingFilters (asynchronously)
Used when:
- AuthorizerService is requested to removeAcls
- AclApis is requested to handleDeleteAcls
start
```java
Map<Endpoint, ? extends CompletionStage<Void>> start(
  AuthorizerServerInfo serverInfo)
```
Starts loading authorization metadata (asynchronously)
Returns futures that can be used to wait until the metadata for authorizing requests on each listener is available. The future returned for a listener must complete only when the authorizer is ready to authorize requests on that listener.
Used when:
- BrokerServer is requested to start up
- ControllerServer is requested to start up
- KafkaServer is requested to start up
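The contract above implemented end to end, as an added example that is not Kafka's own AclAuthorizer or StandardAuthorizer: a hypothetical InMemoryAuthorizer keeps its ACL bindings in memory, reports every listener ready from start immediately, applies default deny with DENY overriding ALLOW in authorize, and answers createAcls and deleteAcls with already-completed futures. The class name and the omission of super.users handling are assumptions of this example; the broker's AclApis checks ALTER on the CLUSTER resource before calling createAcls or deleteAcls, so the example does not repeat that check.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.resource.*;
import org.apache.kafka.server.authorizer.*;
// Hypothetical in-memory Authorizer (added example, not Kafka's AclAuthorizer/StandardAuthorizer): default deny, DENY beats ALLOW.
public class InMemoryAuthorizer implements Authorizer {
    private final List<AclBinding> bindings = new CopyOnWriteArrayList<>();
    @Override public void configure(Map<String, ?> configs) { }
    @Override public void close() { }
    @Override public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo info) {
        Map<Endpoint, CompletableFuture<Void>> ready = new HashMap<>(); // nothing to load, so every listener is ready now
        for (Endpoint e : info.endpoints()) ready.put(e, CompletableFuture.completedFuture(null));
        return ready;
    }
    @Override public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        String principal = ctx.principal().toString(), host = ctx.clientAddress().getHostAddress(); // e.g. "User:alice"
        return actions.stream().map(a -> decide(principal, host, a)).collect(Collectors.toList());
    }
    private AuthorizationResult decide(String principal, String host, Action a) {
        boolean allow = false, deny = false;
        for (AclBinding b : bindings) { // a binding counts only if principal, host, operation and resource all match
            AccessControlEntry e = b.entry();
            if (!(e.principal().equals("User:*") || e.principal().equals(principal)) || !(e.host().equals("*") || e.host().equals(host))) continue;
            if ((e.operation() != AclOperation.ALL && e.operation() != a.operation()) || !covers(b.pattern(), a.resourcePattern())) continue;
            if (e.permissionType() == AclPermissionType.DENY) deny = true; else allow = true;
        }
        return allow && !deny ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }
    private static boolean covers(ResourcePattern acl, ResourcePattern req) { // wildcard, exact or prefix match
        return acl.resourceType() == req.resourceType() && (acl.name().equals(ResourcePattern.WILDCARD_RESOURCE)
            || (acl.patternType() == PatternType.PREFIXED ? req.name().startsWith(acl.name()) : acl.name().equals(req.name())));
    }
    @Override public Iterable<AclBinding> acls(AclBindingFilter filter) {
        return bindings.stream().filter(filter::matches).collect(Collectors.toList());
    }
    @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx, List<AclBinding> add) {
        bindings.addAll(add); // the broker's AclApis has already required ALTER on the CLUSTER resource
        return add.stream().map(b -> CompletableFuture.completedFuture(AclCreateResult.SUCCESS)).collect(Collectors.toList());
    }
    @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
        return filters.stream().map(f -> {
            List<AclDeleteResult.AclBindingDeleteResult> gone = new ArrayList<>();
            bindings.removeIf(b -> f.matches(b) && gone.add(new AclDeleteResult.AclBindingDeleteResult(b)));
            return CompletableFuture.completedFuture(new AclDeleteResult(gone));
        }).collect(Collectors.toList());
    }
}
```

To use it, put the class on the broker classpath and set authorizer.class.name to its fully qualified name; the bindings list starts empty, so every request is denied until ACLs are created.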
Implementations
Configurable
Authorizer is a Configurable.
authorizeByResourceType
```java
AuthorizationResult authorizeByResourceType(
  AuthorizableRequestContext requestContext,
  AclOperation op,
  ResourceType resourceType)
```
authorizeByResourceType first authorizes access to the resourceType by super users.
authorizeByResourceType then creates a KafkaPrincipal (based on the PrincipalType and Name from the requestContext) and reads the request's host address. authorizeByResourceType tries to authorize the request based on the ACL bindings (with an AclBindingFilter for the resourceType and the ANY pattern).
authorizeByResourceType is used when:
- AuthHelper is requested to authorizeByResourceType