io.confluent.security.auth.metadata

Interface AuthCache

public interface AuthCache

Cache containing authorization and authentication metadata. This is obtained from a Kafka metadata topic.

Nested Class Summary

Nested Classes

Modifier and Type	Interface and Description
static class	AuthCache.Result The result of a health check call.

Method Summary

Modifier and Type	Method and Description
Collection<org.apache.kafka.common.acl.AclBinding>	aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess) Returns ACL bindings which match the provided filter.
Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>>	aclRules(io.confluent.security.authorizer.Scope scope) Returns the ACL rules for all resources of given scope
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType) Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.
default Collection<CertIdentityPool>	findCertIdentityPools(Map<String,String> parsedCertMetadata, String organizationId, String providerId) Return the cert identity pools that match the given certificate metadata and organization id.
default Collection<CertIdentityPool>	findCertIdentityPools(X509Certificate cert, String organizationId, String providerId) Return the cert identity pools that match the given certificate metadata and organization id.
default Collection<CaCertificatesKey>	findCertIdentityProviders(Certificate[] certificates, String organizationId) Return the collections of identity providers that match the provided certificate chain.
io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action) Returns RBAC or ACL rule that matches the specified action.
Set<org.apache.kafka.common.security.auth.KafkaPrincipal>	groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) Returns the groups of the provided session principal.
AuthCache.Result	healthcheck() health check method which returns the health of the underlying auth store
default boolean	isRevoked(Certificate[] certificates, String organizationId, String providerId) Given a chain of certificates from leaf up to root, return whether any cert in the chain is revoked.
default boolean	isRevoked(X509Certificate certificate, String organizationId, String providerId) Return whether the certificate is revoked.
Set<io.confluent.security.authorizer.Scope>	knownScopes() Returns all Scopes known by the backend, regardless of whether or not they actually exist.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal) Returns role bindings for the given principal and the principals groups across all known scopes.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes) Returns role bindings for the given principal and the principals groups limited to the defined set of Scopes.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter) Returns role bindings that match the specified filter.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.authorizer.Scope scope) Returns the role bindings at the specified scope.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes) Returns all the role bindings from a set of scopes.
io.confluent.security.roledefinitions.RbacRoles	rbacRoles() Returns the RBAC role definitions associated with this cache.
io.confluent.security.authorizer.Scope	rootScope() Returns the root scope of this cache.
io.confluent.security.rbac.UserMetadata	userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal) Returns metadata for the specified user principal if available or null if user is not known.
Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata>	users() Returns user metadata for all users.

Method Detail

groups

Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)

Returns the groups of the provided session principal.

Parameters:

sessionPrincipal - User principal of the session which may contains groups

Returns:

Set of group principals of the user, which may be empty

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope)

Returns the role bindings at the specified scope. Note that roles bindings of parent scopes are not returned. The returned collection may be empty.

Parameters:

scope - Scope for which role bindings are requested.

Returns:

Set of roles currently assigned at the specified scope

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)

Returns all the role bindings from a set of scopes. Note that roles bindings of parent scopes are not returned. The returned collection may be empty.

Parameters:

scopes - Scopes for which role bindings are requested.

Returns:

Set of roles currently assigned at the specified scopes

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)

Returns role bindings that match the specified filter.

Parameters:

filter - The filter used for matching role bindings

Returns:

Set of role bindings that match the filter

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)

Returns role bindings for the given principal and the principals groups across all known scopes.

Parameters:

principal - The the principal to lookup rolebindings for

Returns:

Set of role bindings for that principal and it's groups

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
                                                             Set<io.confluent.security.authorizer.Scope> scopes)

Returns role bindings for the given principal and the principals groups limited to the defined set of Scopes.

Parameters:

principal - The the principal to lookup rolebindings for

Returns:

Set of role bindings for that principal and it's groups in the provided scopes

userMetadata

io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)

Returns metadata for the specified user principal if available or null if user is not known.

Parameters:

userPrincipal - KafkaPrincipal of user

Returns:

user metadata including group membership

users

Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata> users()

Returns user metadata for all users.

knownScopes

Set<io.confluent.security.authorizer.Scope> knownScopes()

Returns all Scopes known by the backend, regardless of whether or not they actually exist.

Returns:

Set of all Scopes known by this AuthCache

rootScope

io.confluent.security.authorizer.Scope rootScope()

Returns the root scope of this cache. The cache discards entries with scope that is not contained within the root scope.

Returns:

root scope of cache

rbacRoles

io.confluent.security.roledefinitions.RbacRoles rbacRoles()

Returns the RBAC role definitions associated with this cache.

Returns:

RBAC role definitions

aclRules

Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope)

Returns the ACL rules for all resources of given scope

Parameters:

scope - Scope of the resources

Returns:

ACL rules for all resources of given scope

aclBindings

Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope,
                                                               org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter,
                                                               Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)

Returns ACL bindings which match the provided filter.

Parameters:

scope - Scope of the acl search.

aclBindingFilter - AclBindingFilter to match

resourceAccess - predicate to check resource access permission

Returns:

Set of ACL bindings which match the provided aclBindingFilter

findRule

io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
                                                                 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                                                                 String host,
                                                                 io.confluent.security.authorizer.Action action)

Returns RBAC or ACL rule that matches the specified action.

Parameters:

userPrincipal - User principal

groupPrincipals - Set of group principals of the user

host - Client IP address

action - Action to match including resource pattern and operation

Returns:

Access rule that matches the principals and action

addMatchingRules

void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
                      org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
                      Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                      String host,
                      io.confluent.security.roledefinitions.Operation operation,
                      io.confluent.security.authorizer.Scope scope,
                      io.confluent.security.roledefinitions.ResourceType resourceType)

Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.

findCertIdentityPools

default Collection<CertIdentityPool> findCertIdentityPools(X509Certificate cert,
                                                           String organizationId,
                                                           String providerId)

Return the cert identity pools that match the given certificate metadata and organization id. The providerId is optional to provide extra filtering.

Parameters:

cert - X509 certificate of the client

organizationId - organization id, must not be null or empty

providerId - provider id or null if not available

Returns:

Collection of cert identity pools

findCertIdentityPools

default Collection<CertIdentityPool> findCertIdentityPools(Map<String,String> parsedCertMetadata,
                                                           String organizationId,
                                                           String providerId)

Return the cert identity pools that match the given certificate metadata and organization id. The providerId is optional to provide extra filtering.

Parameters:

parsedCertMetadata - parsed certificate metadata of the client, as Common Expression Language (CEL) variables

organizationId - organization id, must not be null or empty

providerId - provider id or null if not available

Returns:

Collection of cert identity pools

findCertIdentityProviders

default Collection<CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates,
                                                                String organizationId)

Return the collections of identity providers that match the provided certificate chain. Note that the function doesn't check the validity of the certificate chain. It is the caller's responsibility to ensure that the certificate chain is valid, and the order of the certificate chain is correct, i.e., from leaf to root.

Parameters:

certificates - Certificate chain, it must not be null or empty (the first certificate is the end-entity certificate)

organizationId - Organization ID, it must not be null or empty

Returns:

Collection of identity providers that match the certificate chain

isRevoked

default boolean isRevoked(X509Certificate certificate,
                          String organizationId,
                          String providerId)

Return whether the certificate is revoked.

Parameters:

certificate - X509 certificate to check for revocation

organizationId - organization id, must not be null or empty

providerId - provider id, must not be null or empty

Returns:

true if the certificate is revoked, false otherwise

isRevoked

default boolean isRevoked(Certificate[] certificates,
                          String organizationId,
                          String providerId)

Given a chain of certificates from leaf up to root, return whether any cert in the chain is revoked.

Parameters:

certificates - X509 certificate chain to check for revocation

organizationId - organization id, must not be null or empty

providerId - provider id, must not be null or empty

Returns:

true if any of the certificates in the chain is revoked, false otherwise

healthcheck

AuthCache.Result healthcheck()

health check method which returns the health of the underlying auth store

Returns:

Result object