Interface AuthCache


public interface AuthCache
Cache containing authorization and authentication metadata, obtained from a Kafka metadata topic.
  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static class
    AuthCache.Result
    The result of a health check call.
  • Method Summary

    Modifier and Type
    Method
    Description
    Collection<org.apache.kafka.common.acl.AclBinding>
    aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
    Returns ACL bindings which match the provided filter.
    Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>>
    aclRules(io.confluent.security.authorizer.Scope scope)
    Returns the ACL rules for all resources of the given scope.
    void
    addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType)
    Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.
    default Collection<CertIdentityPool>
    findCertIdentityPools(X509Certificate cert, String organizationId, String providerId)
    Returns the cert identity pools that match the given certificate and organization id.
    default Collection<CertIdentityPool>
    findCertIdentityPools(Map<String,String> parsedCertMetadata, String organizationId, String providerId)
    Returns the cert identity pools that match the given parsed certificate metadata and organization id.
    default Collection<CaCertificatesKey>
    findCertIdentityProviders(Certificate[] certificates, String organizationId)
    Returns the identity providers that match the provided certificate chain.
    io.confluent.security.authorizer.provider.AuthorizeRule
    findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
    Returns the RBAC or ACL rule that matches the specified action.
    default Certificate[]
    getCertChain(Certificate[] partialChain, String organizationId)
    Given a partial cert chain and organization id, returns the complete certificate chain for the org if applicable.
    Set<org.apache.kafka.common.security.auth.KafkaPrincipal>
    groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)
    Returns the groups of the provided session principal.
    AuthCache.Result
    healthcheck()
    Health check that returns the health of the underlying auth store.
    default boolean
    isCompleteCertChain(Certificate[] certChain, String organizationId)
    Checks whether the certificate chain is complete: each certificate is signed by the next, and the last certificate is held by a cert identity provider in the trust store.
    default boolean
    isRevoked(Certificate[] certificates, String organizationId, String providerId)
    Given a chain of certificates from leaf up to root, returns whether any cert in the chain is revoked.
    default boolean
    isRevoked(X509Certificate certificate, String organizationId, String providerId)
    Returns whether the certificate is revoked.
    Set<io.confluent.security.authorizer.Scope>
    knownScopes()
    Returns all Scopes known by the backend, regardless of whether they actually exist.
    Set<io.confluent.security.rbac.RoleBinding>
    rbacRoleBindings(io.confluent.security.authorizer.Scope scope)
    Returns the role bindings at the specified scope.
    Set<io.confluent.security.rbac.RoleBinding>
    rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)
    Returns role bindings that match the specified filter.
    Set<io.confluent.security.rbac.RoleBinding>
    rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)
    Returns all the role bindings from a set of scopes.
    Set<io.confluent.security.rbac.RoleBinding>
    rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)
    Returns role bindings for the given principal and the principal's groups across all known scopes.
    Set<io.confluent.security.rbac.RoleBinding>
    rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes)
    Returns role bindings for the given principal and the principal's groups, limited to the given set of Scopes.
    io.confluent.security.roledefinitions.RbacRoles
    rbacRoles()
    Returns the RBAC role definitions associated with this cache.
    io.confluent.security.authorizer.Scope
    rootScope()
    Returns the root scope of this cache.
    io.confluent.security.rbac.UserMetadata
    userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)
    Returns metadata for the specified user principal if available, or null if the user is not known.
    Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata>
    users()
    Returns user metadata for all users.
  • Method Details

    • groups

      Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)
      Returns the groups of the provided session principal.
      Parameters:
      sessionPrincipal - User principal of the session, which may carry group membership
      Returns:
      Set of group principals of the user, which may be empty
    • rbacRoleBindings

      Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope)
      Returns the role bindings at the specified scope. Note that role bindings of parent scopes are not returned. The returned collection may be empty.
      Parameters:
      scope - Scope for which role bindings are requested.
      Returns:
      Set of role bindings currently assigned at the specified scope
    • rbacRoleBindings

      Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)
      Returns all the role bindings from a set of scopes. Note that role bindings of parent scopes are not returned. The returned collection may be empty.
      Parameters:
      scopes - Scopes for which role bindings are requested.
      Returns:
      Set of role bindings currently assigned at the specified scopes
    • rbacRoleBindings

      Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)
      Returns role bindings that match the specified filter.
      Parameters:
      filter - The filter used for matching role bindings
      Returns:
      Set of role bindings that match the filter
    • rbacRoleBindings

      Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)
      Returns role bindings for the given principal and the principal's groups across all known scopes.
      Parameters:
      principal - The principal to look up role bindings for
      Returns:
      Set of role bindings for that principal and its groups
    • rbacRoleBindings

      Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes)
      Returns role bindings for the given principal and the principal's groups, limited to the given set of Scopes.
      Parameters:
      principal - The principal to look up role bindings for
      scopes - Scopes to which the lookup is limited
      Returns:
      Set of role bindings for that principal and its groups in the provided scopes
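      The following access-review helper is an added example; it is not code from the AuthCache source or from Confluent. It uses only the methods documented on this page to report where a principal holds role bindings, and relies on two semantics stated above: rbacRoleBindings(scope) returns bindings at exactly that scope and not at parent scopes, while the principal variants already include bindings held through the principal's groups. The class name RoleBindingReview, the consistency check and the sample principal "alice" are the example's own; KafkaPrincipal is the standard Apache Kafka type.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

import org.apache.kafka.common.security.auth.KafkaPrincipal;

import io.confluent.security.authorizer.Scope;
import io.confluent.security.rbac.RoleBinding;

/**
 * Access-review helper on top of an AuthCache (example code, not part of the
 * interface). Answers: at which known scopes does a principal hold role
 * bindings, either directly or through one of its groups?
 */
public final class RoleBindingReview {

    private final AuthCache cache;

    public RoleBindingReview(AuthCache cache) {
        this.cache = cache;
    }

    /**
     * Role bindings the principal holds, grouped by the scope at which each
     * binding is defined. Bindings granted to the principal's groups are
     * included because rbacRoleBindings(principal, scopes) resolves groups
     * itself. Scopes with no bindings for the principal are omitted.
     */
    public Map<Scope, Set<RoleBinding>> bindingsByScope(KafkaPrincipal principal) {
        Map<Scope, Set<RoleBinding>> result = new LinkedHashMap<>();
        // rbacRoleBindings(scope) excludes parent scopes, so every known scope is
        // queried individually instead of relying on any inheritance.
        for (Scope scope : cache.knownScopes()) {
            Set<RoleBinding> bindings =
                cache.rbacRoleBindings(principal, Collections.singleton(scope));
            if (!bindings.isEmpty()) {
                result.put(scope, bindings);
            }
        }
        return result;
    }

    /**
     * Group principals the cache attributes to this principal. A binding in
     * bindingsByScope() that was never granted to the user directly is
     * explained by one of these groups.
     */
    public Set<KafkaPrincipal> groupsOf(KafkaPrincipal principal) {
        return cache.groups(principal);
    }

    /**
     * Consistency check: the per-scope union must equal the "all known scopes"
     * answer. A mismatch means bindings exist at a scope that knownScopes()
     * did not report, and the review should not be trusted until explained.
     */
    public boolean perScopeViewIsComplete(KafkaPrincipal principal) {
        Set<RoleBinding> union = new HashSet<>();
        for (Set<RoleBinding> perScope : bindingsByScope(principal).values()) {
            union.addAll(perScope);
        }
        return union.equals(cache.rbacRoleBindings(principal));
    }

    /** Example usage; "alice" is a constructed sample principal. */
    public static Map<Scope, Set<RoleBinding>> reviewAlice(AuthCache cache) {
        KafkaPrincipal alice = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "alice");
        return new RoleBindingReview(cache).bindingsByScope(alice);
    }
}
```

      Because rootScope() documents that entries outside the root scope are discarded, a scope that is not contained in the root scope will never appear in this report even if bindings exist for it in the backing topic.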
    • userMetadata

      io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)
      Returns metadata for the specified user principal if available or null if user is not known.
      Parameters:
      userPrincipal - KafkaPrincipal of user
      Returns:
      User metadata, including group membership, or null if the user is not known
    • users

      Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata> users()
      Returns user metadata for all users.
    • knownScopes

      Set<io.confluent.security.authorizer.Scope> knownScopes()
      Returns all Scopes known by the backend, regardless of whether they actually exist.
      Returns:
      Set of all Scopes known by this AuthCache
    • rootScope

      io.confluent.security.authorizer.Scope rootScope()
      Returns the root scope of this cache. The cache discards entries whose scope is not contained within the root scope.
      Returns:
      root scope of cache
    • rbacRoles

      io.confluent.security.roledefinitions.RbacRoles rbacRoles()
      Returns the RBAC role definitions associated with this cache.
      Returns:
      RBAC role definitions
    • aclRules

      Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope)
      Returns the ACL rules for all resources of the given scope.
      Parameters:
      scope - Scope of the resources
      Returns:
      ACL rules for all resources of the given scope
    • aclBindings

      Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
      Returns ACL bindings which match the provided filter.
      Parameters:
      scope - Scope of the ACL search.
      aclBindingFilter - AclBindingFilter to match
      resourceAccess - Predicate that decides whether the caller may see a given resource pattern
      Returns:
      Collection of ACL bindings which match the provided aclBindingFilter and whose resource pattern satisfies resourceAccess
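      The listing helper below is an added example, not code from the AuthCache source or from Confluent. It builds an AclBindingFilter for one principal using the standard Apache Kafka ACL types, and shows how the resourceAccess predicate is meant to be used: it is the requester's visibility filter, so the safe default is to deny. It assumes io.confluent.security.authorizer.ResourcePattern exposes a name() accessor, which this page does not document.

```java
import java.util.Collection;
import java.util.Set;
import java.util.function.Predicate;

import org.apache.kafka.common.acl.AccessControlEntryFilter;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.common.acl.AclBindingFilter;
import org.apache.kafka.common.acl.AclOperation;
import org.apache.kafka.common.acl.AclPermissionType;
import org.apache.kafka.common.resource.ResourcePatternFilter;
import org.apache.kafka.common.security.auth.KafkaPrincipal;

import io.confluent.security.authorizer.ResourcePattern;
import io.confluent.security.authorizer.Scope;

/**
 * ACL listing helper on top of an AuthCache (example code, not part of the
 * interface). The resourceAccess predicate passed to aclBindings() is the only
 * thing between a "list ACLs" call and disclosure of every principal's
 * permissions in the scope, so it is deny-by-default here.
 */
public final class AclListing {

    /** Deny-by-default visibility: nothing is listed until a real check is supplied. */
    public static final Predicate<ResourcePattern> NOTHING_VISIBLE = pattern -> false;

    /** Administrator view; only for callers already authorized to describe all ACLs in the scope. */
    public static final Predicate<ResourcePattern> EVERYTHING_VISIBLE = pattern -> true;

    private final AuthCache cache;

    public AclListing(AuthCache cache) {
        this.cache = cache;
    }

    /**
     * ACL bindings granted to {@code subject} within {@code scope}, limited to
     * resource patterns for which {@code requesterCanSee} holds.
     */
    public Collection<AclBinding> aclsForPrincipal(Scope scope,
                                                   KafkaPrincipal subject,
                                                   Predicate<ResourcePattern> requesterCanSee) {
        // KafkaPrincipal.toString() yields the "Type:name" form (e.g. "User:alice") that
        // ACL entries store. A null host and ANY operation/permission match everything.
        AccessControlEntryFilter entryFilter = new AccessControlEntryFilter(
            subject.toString(), null, AclOperation.ANY, AclPermissionType.ANY);
        AclBindingFilter filter = new AclBindingFilter(ResourcePatternFilter.ANY, entryFilter);
        return cache.aclBindings(scope, filter, requesterCanSee);
    }

    /** Every ACL binding in the scope that the requester may see. */
    public Collection<AclBinding> allAcls(Scope scope, Predicate<ResourcePattern> requesterCanSee) {
        return cache.aclBindings(scope, AclBindingFilter.ANY, requesterCanSee);
    }

    /**
     * Visibility limited to an explicit allow-list of resource names.
     * Assumption: ResourcePattern exposes name(); this page does not document it.
     */
    public static Predicate<ResourcePattern> visibleByName(Set<String> allowedNames) {
        return pattern -> allowedNames.contains(pattern.name());
    }
}
```

      Pass EVERYTHING_VISIBLE only after the requester has itself been authorized to describe ACLs for the scope; deriving the predicate from the requester's own permissions is what keeps aclBindings() from becoming an enumeration oracle.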
    • findRule

      io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
      Returns RBAC or ACL rule that matches the specified action.
      Parameters:
      userPrincipal - User principal
      groupPrincipals - Set of group principals of the user
      host - Client IP address
      action - Action to match including resource pattern and operation
      Returns:
      Access rule that matches the principals and action
    • addMatchingRules

      void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType)
      Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.
    • findCertIdentityPools

      default Collection<CertIdentityPool> findCertIdentityPools(X509Certificate cert, String organizationId, String providerId)
      Returns the cert identity pools that match the given certificate and organization id. providerId is optional; when supplied, it further restricts the match.
      Parameters:
      cert - X509 certificate of the client
      organizationId - organization id, must not be null or empty
      providerId - provider id or null if not available
      Returns:
      Collection of cert identity pools
    • findCertIdentityPools

      default Collection<CertIdentityPool> findCertIdentityPools(Map<String,String> parsedCertMetadata, String organizationId, String providerId)
      Returns the cert identity pools that match the given parsed certificate metadata and organization id. providerId is optional; when supplied, it further restricts the match.
      Parameters:
      parsedCertMetadata - parsed certificate metadata of the client, as Common Expression Language (CEL) variables
      organizationId - organization id, must not be null or empty
      providerId - provider id or null if not available
      Returns:
      Collection of cert identity pools
    • findCertIdentityProviders

      default Collection<CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates, String organizationId)
      Returns the collection of identity providers that match the provided certificate chain. Note that this method does not check the validity of the certificate chain. It is the caller's responsibility to ensure that the chain is valid and correctly ordered, i.e. from leaf to root.
      Parameters:
      certificates - Certificate chain, it must not be null or empty (the first certificate is the end-entity certificate)
      organizationId - Organization ID, it must not be null or empty
      Returns:
      Collection of identity providers that match the certificate chain
    • isRevoked

      default boolean isRevoked(X509Certificate certificate, String organizationId, String providerId)
      Return whether the certificate is revoked.
      Parameters:
      certificate - X509 certificate to check for revocation
      organizationId - organization id, must not be null or empty
      providerId - provider id, must not be null or empty
      Returns:
      true if the certificate is revoked, false otherwise
    • isRevoked

      default boolean isRevoked(Certificate[] certificates, String organizationId, String providerId)
      Given a chain of certificates from leaf up to root, return whether any cert in the chain is revoked.
      Parameters:
      certificates - X509 certificate chain to check for revocation
      organizationId - organization id, must not be null or empty
      providerId - provider id, must not be null or empty
      Returns:
      true if any of the certificates in the chain is revoked, false otherwise
    • isCompleteCertChain

      default boolean isCompleteCertChain(Certificate[] certChain, String organizationId)
      Checks whether the certificate chain is complete, which means:
      - all certificates in the chain form a valid chain, i.e. each certificate in the chain is signed by the next one;
      - the last certificate in the chain is present in the trust store, i.e. there exists a cert identity provider that holds the last certificate in the chain.
      Note: the last certificate in a complete certificate chain is not necessarily a root CA certificate.
      Parameters:
      certChain - X509 cert chain must not be null or empty
      organizationId - organization id, must not be null or empty
      Returns:
      true if the certificate chain is complete.
    • getCertChain

      default Certificate[] getCertChain(Certificate[] partialChain, String organizationId)
      Given a partial cert chain and organization id, returns the complete certificate chain for the org if applicable. A complete certificate chain satisfies the following conditions:
      - all certificates in the chain form a valid chain, i.e. each certificate in the chain is signed by the next one;
      - the last certificate (CA) in the chain is present in the trust store, i.e. there exists a cert identity provider that holds the last certificate in the chain.
      Note: the last certificate in a complete certificate chain is not necessarily a root CA certificate.
      Parameters:
      partialChain - partial cert chain must not be null or empty, and the first certificate in the chain must be the end-entity certificate
      organizationId - organization id, must not be null or empty
      Returns:
      The complete certificate chain; never null or empty
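      The certificate methods above fit together into one resolution path for a TLS client certificate. The class below is an added example, not code from the AuthCache source or from Confluent. It follows the order the documentation implies: complete the chain with getCertChain, confirm it is anchored with isCompleteCertChain (the findCertIdentityProviders documentation notes that chain validation is the caller's job), then check revocation across the whole chain, and only then map the leaf to identity pools. The explicit validity-period check is the example's own addition, since this page does not say the cache checks certificate dates. providerId is assumed to be known to the caller (for example from listener configuration) because isRevoked requires it to be non-null; CertIdentityPool and AuthCache are referenced unqualified, as on this page.

```java
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Date;

/**
 * Resolves a TLS client certificate chain to cert identity pools via an
 * AuthCache (example code, not part of the interface). Every failure throws,
 * so a caller that forgets to inspect a return value still fails closed.
 */
public final class ClientCertResolver {

    private final AuthCache cache;

    public ClientCertResolver(AuthCache cache) {
        this.cache = cache;
    }

    /**
     * @param presented      chain as received in the handshake, leaf first (clients
     *                       often send only the leaf, or leaf plus intermediate)
     * @param organizationId organization the listener belongs to; must be non-empty
     * @param providerId     cert identity provider id known to the caller (assumption:
     *                       e.g. from listener configuration); required by isRevoked
     * @param now            evaluation time for the validity-period check
     */
    public Collection<CertIdentityPool> resolve(Certificate[] presented,
                                                String organizationId,
                                                String providerId,
                                                Date now) throws CertificateException {
        if (presented == null || presented.length == 0) {
            throw new CertificateException("no client certificate presented");
        }
        if (organizationId == null || organizationId.isEmpty()
                || providerId == null || providerId.isEmpty()) {
            throw new IllegalArgumentException("organizationId and providerId must be non-empty");
        }
        if (!(presented[0] instanceof X509Certificate)) {
            throw new CertificateException("end-entity certificate is not X.509");
        }

        // 1. Complete the chain from the org's configured CA certificates.
        Certificate[] chain = cache.getCertChain(presented, organizationId);

        // 2. Each certificate must be signed by the next, and the last one must be
        //    held by a cert identity provider. Do this before any call that assumes
        //    a valid chain.
        if (!cache.isCompleteCertChain(chain, organizationId)) {
            throw new CertificateException("chain does not end at a trusted cert identity provider");
        }

        // 3. Validity period. Not documented as part of isCompleteCertChain, so it
        //    is checked here explicitly for every certificate in the chain.
        for (Certificate c : chain) {
            if (c instanceof X509Certificate) {
                ((X509Certificate) c).checkValidity(now); // throws if expired or not yet valid
            }
        }

        // 4. Revocation of any certificate in the chain, not only the leaf: a revoked
        //    intermediate invalidates every leaf issued below it.
        if (cache.isRevoked(chain, organizationId, providerId)) {
            throw new CertificateException("a certificate in the chain has been revoked");
        }

        // 5. Map the leaf to identity pools; no match means no identity for this client.
        Collection<CertIdentityPool> pools =
            cache.findCertIdentityPools((X509Certificate) chain[0], organizationId, providerId);
        if (pools.isEmpty()) {
            throw new CertificateException("no cert identity pool matches the client certificate");
        }
        return pools;
    }
}
```

      Keeping the revocation check after the completeness check matters: isRevoked takes the chain as given, so running it on an unverified chain would let a client attach an arbitrary, non-revoked CA certificate and have the check pass for the wrong issuer.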
    • healthcheck

      AuthCache.Result healthcheck()
      Health check that returns the health of the underlying auth store.
      Returns:
      Result object