Interface AuthStore

All Superinterfaces:
AutoCloseable, Closeable, org.apache.kafka.common.Configurable
public interface AuthStore extends org.apache.kafka.common.Configurable, Closeable
Store containing authorization and authentication metadata. This is backed by a Kafka metadata topic.

The reader for this store is started when the store is configured. Configurable.configure(Map) returns only after the cache associated with this store is populated with the existing contents of this store. Note that broker does not start any external listeners until this store is configured and the cache is initialized, so Configurable.configure(Map) should return immediately after initialization completes. The cache must be initialized to contain existing LDAP and RBAC metadata to avoid unexpected authorization exceptions during broker start up. In a single-cluster set up, this store must be configured to use the inter-broker listener to read the auth topic since external listeners are not started until after the cache is populated.

  • Field Details

  • Method Details

    • getInstance

      static AuthStore getInstance(String brokerSessionUuid)

    • addInstance

      static void addInstance(String brokerSessionUuid, AuthStore store, org.slf4j.Logger log)

    • removeInstance

      static void removeInstance(String brokerSessionUuid, AuthStore store, org.slf4j.Logger log)

    • startReader

      CompletionStage<Void> startReader()
      Starts the metadata reader and returns a completion stage that is completed when existing metadata from the store has been loaded into the cache. This is used by embedded authorizers in brokers as well as metadata service to start up the reader for this store.

    • startService

      CompletionStage<Void> startService(Collection<URL> serverUrls)
      Starts the metadata coordinator and writer. This is invoked only by embedded metadata server plugin and is not used by embedded authorizers in brokers that dont host a metadata server.
      Parameters:
      serverUrls - The URLs of metadata server hosting this store. Metadata server URLs must be unique across the cluster since they are used as node ids for master writer election. The URLs are also used for redirection of update requests to the current master writer of the metadata service.
      Returns:
      Completion stage that completes when the service starts up and elects a master writer.

    • authCache

      AuthCache authCache()
      Returns a cache that stores all data read from the auth topic.
      Returns:
      cache used for authentication and/or authorization

    • trustCache

      io.confluent.security.trustservice.store.TrustCache trustCache()
      Returns a trust cache that stores all OAuth related metadata from the auth topic.
      Returns:
      cache used for OAuth authentication

    • writer

      AuthWriter writer()
      Returns a writer instance that can be used to update this store. Returns null if writer is not enabled.
      Returns:
      writer instance for updating this store, which may be null if writing is not enabled.

    • isMasterWriter

      boolean isMasterWriter()
      Returns true if this node is currently the master writer.

    • masterWriterUrl

      URL masterWriterUrl(String protocol)
      Returns the URL of the master writer node for the specified protocol. Only the master writer is allowed to perform writes. Other nodes should redirect write requests to the master writer.
      Parameters:
      protocol - The protocol for which master writer is requested, e.g. https
      Returns:
      URL of current master writer. May be null if writer election is in progress.
      Throws:
      IllegalStateException - if writing is not enabled on this store

    • masterWriterId

      Integer masterWriterId()
      Returns the broker id of the master writer. AdminClient requests to update centralized metadata is sent to this broker.
      Returns:
      Broker id of current master writer. May be null if writer election is in progress.
      Throws:
      IllegalStateException - if writing is not enabled on this store

    • activeNodeUrls

      Collection<URL> activeNodeUrls(String protocol)
      Returns the collection of URLS of currently active nodes.
      Parameters:
      protocol - The protocol for which node urls are requested, e.g. https
      Throws:
      IllegalStateException - if metadata service was not started using startService(Collection)

    • updateStoreAuthCacheExternally

      default void updateStoreAuthCacheExternally(String key, String value)
      Update this authCache from externally via auth store call. Used for ExternalKafkaAuthStore as it does not have internal consumer reader.
      Parameters:
      key - string representation of the auth key
      value - string representation of the auth value