Authorizer

Authorizer is an abstraction of broker authorizers that Kafka brokers use to authorize operations based on access-control lists (ACLs).

From Wikipedia's Access-control list:

An access-control list (ACL) is a list of permissions attached to an object.

An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.

Each entry in a typical ACL specifies a subject and an operation. For instance, if a file object has an ACL that contains (Alice: read,write; Bob: read), this would give Alice permission to read and write the file and Bob to only read it.

Authorizer is configured using the authorizer.class.name configuration property.

KIP-504

Authorizer abstraction is part of KIP-504 - Add new Java Authorizer Interface.

Contract

ACL Bindings

Iterable<AclBinding> acls(
  AclBindingFilter filter)

Returns the ACL bindings that match the provided filter (synchronously)

Used when:

Authorizing Request to Execute Actions

List<AuthorizationResult> authorize(
  AuthorizableRequestContext requestContext,
  List<Action> actions)

Authorizes the actions performed by the request (synchronously)

Used when:

createAcls

List<? extends CompletionStage<AclCreateResult>> createAcls(
  AuthorizableRequestContext requestContext,
  List<AclBinding> aclBindings)

Creates new ACL bindings (asynchronously)

Used when:

deleteAcls

List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
  AuthorizableRequestContext requestContext,
  List<AclBindingFilter> aclBindingFilters)

Deletes all ACL bindings matching the aclBindingFilters filters (asynchronously)

Used when:

start

Map<Endpoint, ? extends CompletionStage<Void>> start(
  AuthorizerServerInfo serverInfo)

Starts loading authorization metadata (asynchronously)

Returns futures that can be used to wait until metadata for authorizing requests on each listener is available. The future returned for each listener must return only when authorizer is ready to authorize requests on the listener.

Used when:

Implementations

Configurable

Authorizer is a Configurable.
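
The contract above, implemented end to end as an added example (not code from Kafka or from this page): a hypothetical InMemoryAuthorizer that keeps ACL bindings in memory and denies by default. It assumes exact resource-pattern and operation matches only and does no host, wildcard or super-user handling.

```java
import java.util.*;
import java.util.concurrent.*;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.server.authorizer.*;

// Added example, not Kafka code. Simplified: exact pattern/operation match, no host or super-user checks.
public class InMemoryAuthorizer implements Authorizer {
  private final Set<AclBinding> bindings = ConcurrentHashMap.newKeySet();
  @Override public void configure(Map<String, ?> configs) { }
  @Override public void close() { }

  @Override public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo info) {
    Map<Endpoint, CompletableFuture<Void>> ready = new HashMap<>();
    for (Endpoint e : info.endpoints()) ready.put(e, CompletableFuture.completedFuture(null)); // nothing to load
    return ready;
  }

  @Override public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
    List<AuthorizationResult> results = new ArrayList<>();  // one result per action, in order
    for (Action a : actions) {
      Set<AclPermissionType> hits = EnumSet.noneOf(AclPermissionType.class);
      AclBindingFilter f = new AclBindingFilter(a.resourcePattern().toFilter(),
          new AccessControlEntryFilter(ctx.principal().toString(), null, a.operation(), AclPermissionType.ANY));
      for (AclBinding b : acls(f)) hits.add(b.entry().permissionType());
      // ALLOWED only when every match is ALLOW: a DENY match or no match at all fails closed.
      results.add(hits.equals(EnumSet.of(AclPermissionType.ALLOW)) ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED);
    }
    return results;
  }

  @Override public Iterable<AclBinding> acls(AclBindingFilter filter) {
    return bindings.stream().filter(filter::matches).collect(java.util.stream.Collectors.toList()); // snapshot
  }

  @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx, List<AclBinding> aclBindings) {
    bindings.addAll(aclBindings);
    return Collections.nCopies(aclBindings.size(), CompletableFuture.completedFuture(AclCreateResult.SUCCESS));
  }

  @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
    List<CompletableFuture<AclDeleteResult>> out = new ArrayList<>();
    for (AclBindingFilter f : filters) {
      List<AclDeleteResult.AclBindingDeleteResult> gone = new ArrayList<>();
      for (AclBinding b : acls(f)) if (bindings.remove(b)) gone.add(new AclDeleteResult.AclBindingDeleteResult(b));
      out.add(CompletableFuture.completedFuture(new AclDeleteResult(gone)));
    }
    return out;
  }
}
```

The bindings live only in broker memory, so they are lost on restart and are not shared between brokers.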

authorizeByResourceType

AuthorizationResult authorizeByResourceType(
  AuthorizableRequestContext requestContext,
  AclOperation op,
  ResourceType resourceType)

authorizeByResourceType authorizes access to the resourceType by super users.

authorizeByResourceType creates a KafkaPrincipal (based on the PrincipalType and Name from the requestContext) and reads the request's host address. authorizeByResourceType tries to authorize the request based on the ACL bindings (with an AclBindingFilter for the resourceType and ANY pattern).

authorizeByResourceType is used when: