Multi-tenant authorizer that supports:
- ACLs with TenantUser:clusterId_userId as principal
- ACLs with TenantUser*:clusterId_ as wildcard prefixed principal
- ACLs with User:* as wildcard principal (e.g. for brokers or users on other listeners)
- Resource patterns with literal resource names clusterId_resourceName
- Resource patterns with prefixed resource names clusterId_resourcePrefix
- Resource patterns with tenant wildcard resource names using prefixed name clusterId_
- Resource patterns with literal wildcard resource name "*" (e.g. for broker ACLs)
- Super users configured using the configuration option `super.users` (e.g. for broker principals)
- Tenant super users with access to all tenant resources using tenant principals with io.confluent.kafka.multitenant.TenantMetadata#isSuperUser enabled.
Use of tenant prefix:
- Clients configure ACLs for User:userId
- Multi-tenant interceptor transforms User:userId to TenantUser:clusterId_userId
- ACLs are stored internally in ZooKeeper for TenantUser:clusterId_userId
- When tenants describe ACLs, prefix is removed from response by the interceptor
- Multi-tenant principal builder generates tenant principal TenantUser:clusterId_userId
- Authorizer matches TenantUser principals in ACLs obtained from ZooKeeper against the TenantUser session principal generated by the principal builder.
- Non-tenant principals (e.g. broker principals) are of the form User:userId both in ACLs and as session principals
Assumptions:
- All tenant ACLs have principals and resource names with tenant prefix
- All non-tenant (e.g. broker) ACLs have principals and resource names that do not contain the prefix of any tenant in the cluster
- Tenant principals have type TenantUser, others have type User
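The following is an added, self-contained Python model of the matching rules and prefix handling described above. It is constructed for illustration and is not the Confluent authorizer or interceptor code; the `Session` class, its `cluster_id`/`tenant_super_user` fields (standing in for the tenant metadata the principal builder attaches), the sample cluster id `lkc-abc` and all ACLs are assumptions, as is the choice that `User:*` matches any session principal regardless of principal type.

```python
from dataclasses import dataclass
from typing import Optional

LITERAL, PREFIXED = "LITERAL", "PREFIXED"
WILDCARD = "*"

@dataclass(frozen=True)
class ResourcePattern:
    resource_type: str   # e.g. "Topic"
    name: str            # "lkc-abc_orders", "lkc-abc_", or "*"
    pattern_type: str    # LITERAL or PREFIXED

@dataclass(frozen=True)
class Acl:
    principal: str       # "TenantUser:lkc-abc_alice", "TenantUser*:lkc-abc_", or "User:*"
    resource: ResourcePattern
    operation: str       # e.g. "Read"; "All" matches every operation
    permission: str      # "Allow" or "Deny"

@dataclass(frozen=True)
class Session:
    # Hypothetical stand-in for the principal plus tenant metadata built per connection.
    principal: str                    # "TenantUser:lkc-abc_alice" or "User:kafka"
    cluster_id: Optional[str] = None  # None for non-tenant (e.g. broker) principals
    tenant_super_user: bool = False   # models TenantMetadata#isSuperUser

def tenant_prefix(cluster_id: str) -> str:
    return cluster_id + "_"

def to_tenant_principal(cluster_id: str, client_principal: str) -> str:
    """Inbound interceptor step: User:userId -> TenantUser:clusterId_userId."""
    ptype, name = client_principal.split(":", 1)
    if ptype != "User":
        raise ValueError(f"tenant clients configure User principals only, got {client_principal}")
    return "TenantUser:" + tenant_prefix(cluster_id) + name

def from_tenant_principal(cluster_id: str, stored_principal: str) -> str:
    """Outbound interceptor step (describe ACLs): strip the tenant prefix again."""
    prefix = "TenantUser:" + tenant_prefix(cluster_id)
    if not stored_principal.startswith(prefix):
        raise ValueError(f"{stored_principal} does not belong to tenant {cluster_id}")
    return "User:" + stored_principal[len(prefix):]

def principal_matches(acl_principal: str, session_principal: str) -> bool:
    acl_type, acl_name = acl_principal.split(":", 1)
    sess_type, sess_name = session_principal.split(":", 1)
    if acl_type == "User" and acl_name == WILDCARD:
        return True  # User:* wildcard (assumption: matches any session principal)
    if acl_type == "TenantUser*":
        # TenantUser*:clusterId_ matches every tenant principal carrying that prefix
        return sess_type == "TenantUser" and sess_name.startswith(acl_name)
    return acl_type == sess_type and acl_name == sess_name

def resource_matches(pattern: ResourcePattern, resource_type: str, resource_name: str) -> bool:
    if pattern.resource_type != resource_type:
        return False
    if pattern.pattern_type == PREFIXED:
        # covers clusterId_resourcePrefix and the tenant wildcard clusterId_
        return resource_name.startswith(pattern.name)
    return pattern.name == WILDCARD or pattern.name == resource_name

def authorize(acls, super_users, session: Session,
              operation: str, resource_type: str, resource_name: str) -> bool:
    """Resource names arrive already tenant-prefixed (the interceptor did that)."""
    if session.principal in super_users:          # super.users, e.g. broker principals
        return True
    if (session.tenant_super_user and session.cluster_id
            and resource_name.startswith(tenant_prefix(session.cluster_id))):
        return True                               # tenant super user, scoped to own prefix
    matching = [a for a in acls
                if a.operation in ("All", operation)
                and principal_matches(a.principal, session.principal)
                and resource_matches(a.resource, resource_type, resource_name)]
    if any(a.permission == "Deny" for a in matching):
        return False                              # Deny wins over Allow
    return any(a.permission == "Allow" for a in matching)

# --- constructed sample data (not real ACLs) ---
CLUSTER = "lkc-abc"
ACLS = [
    Acl(to_tenant_principal(CLUSTER, "User:alice"),
        ResourcePattern("Topic", "lkc-abc_orders", LITERAL), "Read", "Allow"),
    Acl("TenantUser*:lkc-abc_", ResourcePattern("Topic", "lkc-abc_public-", PREFIXED), "Read", "Allow"),
    Acl("User:*", ResourcePattern("Topic", WILDCARD, LITERAL), "Describe", "Allow"),
    Acl(to_tenant_principal(CLUSTER, "User:bob"),
        ResourcePattern("Topic", "lkc-abc_orders", LITERAL), "Write", "Allow"),
    Acl(to_tenant_principal(CLUSTER, "User:bob"),
        ResourcePattern("Topic", "lkc-abc_", PREFIXED), "Write", "Deny"),
]
SUPER_USERS = {"User:kafka"}

def check(session: Session, operation: str, topic: str) -> bool:
    return authorize(ACLS, SUPER_USERS, session, operation, "Topic", topic)
```

The two points worth noticing when running this: a `TenantUser*:lkc-abc_` ACL never matches a principal from another tenant because the prefix is part of the principal name, and a tenant super user is only bypassed for resources that carry that tenant's own prefix, whereas a `super.users` entry bypasses every check.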