Interface AuthWriter


public interface AuthWriter
Writer interface used by Metadata Server to update role bindings. All update methods are asynchronous, and the returned future completes when the update has been written to the log, acknowledged, and consumed by the local reader. Update methods may block until the writer is ready if a rebalance is in progress. Incremental update methods also block until the local cache is up-to-date.
  • Method Summary

    Each entry lists Modifier and Type, then Method, then Description (where one is given).

    CompletionStage<Void>
    addClusterRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, String reason)
    Adds a new cluster-level role binding without any resources.

    default CompletionStage<Void>
    addClusterRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope)

    CompletionStage<Void>
    addResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources, String reason)
    Adds resources to a role binding.

    default CompletionStage<Void>
    addResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources)

    default Map<org.apache.kafka.common.acl.AclBinding, CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>
    createAcls(io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBinding> aclBindings)

    default CompletionStage<Void>
    createAcls(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBinding aclBinding)

    Map<org.apache.kafka.common.acl.AclBinding, CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>
    createAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
    Creates ACLs for the specified scope using the minimal number of batched updates.

    CompletionStage<Void>
    createAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBinding aclBinding)
    Creates ACL rules for a given AclBinding.

    default Map<org.apache.kafka.common.acl.AclBindingFilter, CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>
    deleteAcls(io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)

    default CompletionStage<Collection<org.apache.kafka.common.acl.AclBinding>>
    deleteAcls(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)

    Map<org.apache.kafka.common.acl.AclBindingFilter, CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>
    deleteAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
    Deletes ACLs that match any of the provided filters using batched update.

    CompletionStage<Collection<org.apache.kafka.common.acl.AclBinding>>
    deleteAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
    Deletes all ACL rules that match the provided filters.

    CompletionStage<Void>
    removeResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePatternFilter> resources, String reason)
    Removes resources from an existing role binding.

    default CompletionStage<Void>
    removeResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePatternFilter> resources)

    CompletionStage<Void>
    removeRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, String reason)
    Removes a role binding.

    default CompletionStage<Void>
    removeRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope)

    CompletionStage<Void>
    replaceResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources, String reason)
    Sets resources for an existing role binding.

    default CompletionStage<Void>
    replaceResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources)

  • Method Details

    • addClusterRoleBinding

      CompletionStage<Void> addClusterRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, String reason)
      Adds a new cluster-level role binding without any resources.

      Requestor should have Alter permission for SecurityMetadata to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      principal - User or group principal to which role is assigned
      role - Name of role
      scope - Scope at which role is assigned
      Returns:
      a stage that is completed when update completes
      Throws:
      org.apache.kafka.common.errors.InvalidRequestException - if the specified role has resource-level scope
    • addClusterRoleBinding

      default CompletionStage<Void> addClusterRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope)
    • addResourceRoleBinding

      CompletionStage<Void> addResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources, String reason)
      Adds resources to a role binding. If the role is not already assigned to the principal, a binding will be added with the specified resources. If a binding exists, the provided resources will be added to its list of resources. This method will block until the local cache is up-to-date and the new binding is queued for update with the updated resources.

      Requestor should have AlterAccess permission for the specified resources to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      principal - User or group principal to which role is assigned
      role - Name of role
      scope - Scope at which role is assigned
      resources - Resources to add to role binding
      Returns:
      a stage that is completed when update completes
      Throws:
      org.apache.kafka.common.errors.InvalidRequestException - if the specified role has cluster-level scope
    • addResourceRoleBinding

      default CompletionStage<Void> addResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources)
    • removeRoleBinding

      CompletionStage<Void> removeRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, String reason)
      Removes a role binding. If the specified role has resource-level scope, role binding is removed for all assigned resources.

      Requestor should have Alter permission for SecurityMetadata to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      principal - User or group principal from which role is removed
      role - Name of role
      scope - Scope at which role is assigned
      Returns:
      a stage that is completed when update completes
    • removeRoleBinding

      default CompletionStage<Void> removeRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope)
    • removeResourceRoleBinding

      CompletionStage<Void> removeResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePatternFilter> resources, String reason)
      Removes resources from an existing role binding. If the principal has no more resources for the role at the specified scope, the role binding is deleted. This method will block until the local cache is up-to-date and a new binding is queued with the updated resources.

      Requestor should have AlterAccess permission for the specified resources to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      principal - User or group principal from which role is removed
      role - Name of role
      scope - Scope at which role is assigned
      resources - Filter for resources being removed for the role binding
      Returns:
      a stage that is completed when update completes
      Throws:
      org.apache.kafka.common.errors.InvalidRequestException - if the specified role has cluster-level scope
    • removeResourceRoleBinding

      default CompletionStage<Void> removeResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePatternFilter> resources)
    • replaceResourceRoleBinding

      CompletionStage<Void> replaceResourceRoleBinding(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources, String reason)
      Sets resources for an existing role binding. If the role is not assigned to the principal, a new role binding is created with the provided set of resources.

      Requestor should have Alter permission for SecurityMetadata to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      principal - User or group principal to which role is assigned
      role - Name of role
      scope - Scope at which role is assigned
      resources - Updated collection of resources for the role binding
      Returns:
      a stage that is completed when update completes
      Throws:
      org.apache.kafka.common.errors.InvalidRequestException - if the specified role has cluster-level scope
    • replaceResourceRoleBinding

      default CompletionStage<Void> replaceResourceRoleBinding(org.apache.kafka.common.security.auth.KafkaPrincipal principal, String role, io.confluent.security.authorizer.Scope scope, Collection<io.confluent.security.authorizer.ResourcePattern> resources)
    • createAcls

      CompletionStage<Void> createAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBinding aclBinding)
      Creates ACL rules for a given AclBinding. This method will block until the local cache is up-to-date and the new binding is queued for update with the updated rules.

      Requestor should have AlterAccess permission for the specified resources to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      scope - Scope at which ACL bindings are added
      aclBinding - AclBinding to add
      Returns:
      a stage that is completed when update completes
    • createAcls

      default CompletionStage<Void> createAcls(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBinding aclBinding)
    • createAcls

      Map<org.apache.kafka.common.acl.AclBinding, CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
      Creates ACLs for the specified scope using the minimal number of batched updates. This method should not block since it is invoked on the broker's request thread while processing AdminClient requests to create ACLs.

      Requestor should have AlterAccess permission for the specified resources to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      scope - Scope at which ACL bindings are added
      aclBindings - List of ACLs to create
      Returns:
      completion stages for each binding
    • createAcls

      default Map<org.apache.kafka.common.acl.AclBinding, CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
    • deleteAcls

      CompletionStage<Collection<org.apache.kafka.common.acl.AclBinding>> deleteAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
      Deletes all ACL rules that match the provided filters. This method will block until the local cache is up-to-date and the new binding is queued for update with the updated rules.

      Requestor should have AlterAccess permission for the specified resources to perform this operation.

      Parameters:
      requestorPrincipal - Optional principal of the requestor
      scope - Scope at which ACL bindings are deleted
      aclBindingFilter - AclBindingFilter to match the rules
      resourceAccess - predicate to check delete permission on resources
      Returns:
      a stage that is completed when update completes
    • deleteAcls

      default CompletionStage<Collection<org.apache.kafka.common.acl.AclBinding>> deleteAcls(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
    • deleteAcls

      Map<org.apache.kafka.common.acl.AclBindingFilter, CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(Optional<org.apache.kafka.common.security.auth.KafkaPrincipal> requestorPrincipal, io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
      Deletes ACLs that match any of the provided filters using batched update. This method should not block since it is invoked on the broker's request thread while processing AdminClient requests to delete ACLs.
      Parameters:
      requestorPrincipal - Optional principal of the requestor
      scope - Scope at which ACL bindings are deleted
      aclBindingFilters - Filters whose matching ACLs are deleted
      resourceAccess - predicate to check delete permission on resources
      Returns:
      completion stages for each matching binding
    • deleteAcls

      default Map<org.apache.kafka.common.acl.AclBindingFilter, CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(io.confluent.security.authorizer.Scope scope, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
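
The batched createAcls overload described above returns one completion stage per binding and must not block the broker's request thread. The helper below is an added example, not part of the AuthWriter interface or Confluent's code: it collects the bindings that were not created without blocking. The class and method names are hypothetical, and it uses only the Apache Kafka AclBinding and AclCreateResult types named in the signature.

```java
import java.util.Map;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.concurrent.ConcurrentHashMap;
import org.apache.kafka.common.acl.AclBinding;
import org.apache.kafka.server.authorizer.AclCreateResult;

/** Added example (hypothetical helper): gathers per-binding failures from a batched createAcls call. */
public final class AclCreateOutcomes {

    private AclCreateOutcomes() { }

    /**
     * @param stages the map returned by createAcls(requestorPrincipal, scope, aclBindings)
     * @return a stage that completes with every binding that was NOT created, mapped to its cause;
     *         an empty map means all requested ACLs were written
     */
    public static CompletionStage<Map<AclBinding, Throwable>> failures(
            Map<AclBinding, CompletionStage<AclCreateResult>> stages) {
        Map<AclBinding, Throwable> failed = new ConcurrentHashMap<>();
        CompletableFuture<?>[] pending = stages.entrySet().stream()
            .map(e -> e.getValue()
                // handle() sees success and failure, so one failed binding never hides the others
                .handle((result, error) -> {
                    if (error != null) {
                        // the stage itself completed exceptionally
                        failed.put(e.getKey(), error);
                    } else {
                        // AclCreateResult carries an ApiException when this binding was rejected
                        result.exception().ifPresent(ex -> failed.put(e.getKey(), ex));
                    }
                    return null;
                })
                .toCompletableFuture())
            .toArray(CompletableFuture[]::new);
        // No join() or get(): the caller may be running on the broker's request thread
        return CompletableFuture.allOf(pending).thenApply(ignored -> failed);
    }
}
```

Treating a non-empty result as a failed change, and logging it together with the requestor principal, keeps partially applied ACL batches from going unnoticed.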