Interface AuthCache

public interface AuthCache

Cache containing authorization and authentication metadata. This is obtained from a Kafka metadata topic.

Nested Class Summary

Nested Classes

Modifier and Type	Interface	Description
static class	AuthCache.Result	The result of a health check call.

Method Summary

Modifier and Type	Method	Description
Collection<org.apache.kafka.common.acl.AclBinding>	aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)	Returns ACL bindings which match the provided filter.
Map<io.confluent.security.authorizer.ResourcePattern, Set<io.confluent.security.authorizer.AccessRule>>	aclRules(io.confluent.security.authorizer.Scope scope)	Returns the ACL rules for all resources of given scope
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType)	Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.
default Collection<CertIdentityPool>	findCertIdentityPools(X509Certificate cert, String organizationId, String providerId)	Return the cert identity pools that match the given certificate metadata and organization id.
default Collection<CertIdentityPool>	findCertIdentityPools(Map<String,String> parsedCertMetadata, String organizationId, String providerId)	Return the cert identity pools that match the given certificate metadata and organization id.
default Collection<CaCertificatesKey>	findCertIdentityProviders(Certificate[] certificates, String organizationId)	Return the collections of identity providers that match the provided certificate chain.
io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)	Returns RBAC or ACL rule that matches the specified action.
default Certificate[]	getCertChain(Certificate[] partialChain, String organizationId)	Given a partial cert chain and organization id, return the complete certificate chain for the org if applicable.
Set<org.apache.kafka.common.security.auth.KafkaPrincipal>	groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)	Returns the groups of the provided session principal.
AuthCache.Result	healthcheck()	health check method which returns the health of the underlying auth store
default boolean	isCompleteCertChain(Certificate[] certChain, String organizationId)	Check if the certificate chain is complete, which means: - all certificates in the chain must form a valid chain, i.e., each certificate in the chain is signed by the next certificate - the last certificate in the chain must be present in the trust store, i.e., there exists a cert identity provider that has the last certificate in the chain.
default boolean	isRevoked(Certificate[] certificates, String organizationId, String providerId)	Given a chain of certificates from leaf up to root, return whether any cert in the chain is revoked.
default boolean	isRevoked(X509Certificate certificate, String organizationId, String providerId)	Return whether the certificate is revoked.
Set<io.confluent.security.authorizer.Scope>	knownScopes()	Returns all Scopes known by the backend, regardless of whether or not they actually exist.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.authorizer.Scope scope)	Returns the role bindings at the specified scope.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)	Returns role bindings that match the specified filter.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)	Returns all the role bindings from a set of scopes.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)	Returns role bindings for the given principal and the principals groups across all known scopes.
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes)	Returns role bindings for the given principal and the principals groups limited to the defined set of Scopes.
io.confluent.security.roledefinitions.RbacRoles	rbacRoles()	Returns the RBAC role definitions associated with this cache.
io.confluent.security.authorizer.Scope	rootScope()	Returns the root scope of this cache.
void	updateAuthCacheExternally(String key, String value)
io.confluent.security.rbac.UserMetadata	userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)	Returns metadata for the specified user principal if available or null if user is not known.
Map<org.apache.kafka.common.security.auth.KafkaPrincipal, io.confluent.security.rbac.UserMetadata>	users()	Returns user metadata for all users.

Method Details

groups

Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)

Returns the groups of the provided session principal.

Parameters:

sessionPrincipal - User principal of the session which may contains groups

Returns:

Set of group principals of the user, which may be empty

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope)

Returns the role bindings at the specified scope. Note that roles bindings of parent scopes are not returned. The returned collection may be empty.

Parameters:

scope - Scope for which role bindings are requested.

Returns:

Set of roles currently assigned at the specified scope

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)

Returns all the role bindings from a set of scopes. Note that roles bindings of parent scopes are not returned. The returned collection may be empty.

Parameters:

scopes - Scopes for which role bindings are requested.

Returns:

Set of roles currently assigned at the specified scopes

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)

Returns role bindings that match the specified filter.

Parameters:

filter - The filter used for matching role bindings

Returns:

Set of role bindings that match the filter

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)

Returns role bindings for the given principal and the principals groups across all known scopes.

Parameters:

principal - The the principal to lookup rolebindings for

Returns:

Set of role bindings for that principal and it's groups

rbacRoleBindings

Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
 Set<io.confluent.security.authorizer.Scope> scopes)

Returns role bindings for the given principal and the principals groups limited to the defined set of Scopes.

Parameters:

principal - The the principal to lookup rolebindings for

Returns:

Set of role bindings for that principal and it's groups in the provided scopes

userMetadata

io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)

Returns metadata for the specified user principal if available or null if user is not known.

Parameters:

userPrincipal - KafkaPrincipal of user

Returns:

user metadata including group membership

users

Map<org.apache.kafka.common.security.auth.KafkaPrincipal, io.confluent.security.rbac.UserMetadata> users()

Returns user metadata for all users.

knownScopes

Set<io.confluent.security.authorizer.Scope> knownScopes()

Returns all Scopes known by the backend, regardless of whether or not they actually exist.

Returns:

Set of all Scopes known by this AuthCache

rootScope

io.confluent.security.authorizer.Scope rootScope()

Returns the root scope of this cache. The cache discards entries with scope that is not contained within the root scope.

Returns:

root scope of cache

rbacRoles

io.confluent.security.roledefinitions.RbacRoles rbacRoles()

Returns the RBAC role definitions associated with this cache.

Returns:

RBAC role definitions

aclRules

Map<io.confluent.security.authorizer.ResourcePattern, Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope)

Returns the ACL rules for all resources of given scope

Parameters:

scope - Scope of the resources

Returns:

ACL rules for all resources of given scope

aclBindings

Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope,
 org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter,
 Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)

Returns ACL bindings which match the provided filter.

Parameters:

scope - Scope of the acl search.

aclBindingFilter - AclBindingFilter to match

resourceAccess - predicate to check resource access permission

Returns:

Set of ACL bindings which match the provided aclBindingFilter

findRule

io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
 String host,
 io.confluent.security.authorizer.Action action)

Returns RBAC or ACL rule that matches the specified action.

Parameters:

userPrincipal - User principal

groupPrincipals - Set of group principals of the user

host - Client IP address

action - Action to match including resource pattern and operation

Returns:

Access rule that matches the principals and action

addMatchingRules

void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
 org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
 String host,
 io.confluent.security.roledefinitions.Operation operation,
 io.confluent.security.authorizer.Scope scope,
 io.confluent.security.roledefinitions.ResourceType resourceType)

Adds RBAC or ACL rules for the specified principals that match the provided parameters to `matchingRules`.

findCertIdentityPools

default Collection<CertIdentityPool> findCertIdentityPools(X509Certificate cert,
 String organizationId,
 String providerId)

Return the cert identity pools that match the given certificate metadata and organization id. The providerId is optional to provide extra filtering.

Parameters:

cert - X509 certificate of the client

organizationId - organization id, must not be null or empty

providerId - provider id or null if not available

Returns:

Collection of cert identity pools

findCertIdentityPools

default Collection<CertIdentityPool> findCertIdentityPools(Map<String,String> parsedCertMetadata,
 String organizationId,
 String providerId)

Return the cert identity pools that match the given certificate metadata and organization id. The providerId is optional to provide extra filtering.

Parameters:

parsedCertMetadata - parsed certificate metadata of the client, as Common Expression Language (CEL) variables

organizationId - organization id, must not be null or empty

providerId - provider id or null if not available

Returns:

Collection of cert identity pools

findCertIdentityProviders

default Collection<CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates,
 String organizationId)

Return the collections of identity providers that match the provided certificate chain. Note that the function doesn't check the validity of the certificate chain. It is the caller's responsibility to ensure that the certificate chain is valid, and the order of the certificate chain is correct, i.e., from leaf to root.

Parameters:

certificates - Certificate chain, it must not be null or empty (the first certificate is the end-entity certificate)

organizationId - Organization ID, it must not be null or empty

Returns:

Collection of identity providers that match the certificate chain

isRevoked

default boolean isRevoked(X509Certificate certificate,
 String organizationId,
 String providerId)

Return whether the certificate is revoked.

Parameters:

certificate - X509 certificate to check for revocation

organizationId - organization id, must not be null or empty

providerId - provider id, must not be null or empty

Returns:

true if the certificate is revoked, false otherwise

isRevoked

default boolean isRevoked(Certificate[] certificates,
 String organizationId,
 String providerId)

Given a chain of certificates from leaf up to root, return whether any cert in the chain is revoked.

Parameters:

certificates - X509 certificate chain to check for revocation

organizationId - organization id, must not be null or empty

providerId - provider id, must not be null or empty

Returns:

true if any of the certificates in the chain is revoked, false otherwise

isCompleteCertChain

default boolean isCompleteCertChain(Certificate[] certChain,
 String organizationId)

Check if the certificate chain is complete, which means: - all certificates in the chain must form a valid chain, i.e., each certificate in the chain is signed by the next certificate - the last certificate in the chain must be present in the trust store, i.e., there exists a cert identity provider that has the last certificate in the chain. Note: the last certificate in the complete certificate chain is not necessarily a root CA certificate.

Parameters:

certChain - X509 cert chain must not be null or empty

organizationId - organization id, must not be null or empty

Returns:

true if the certificate chain is complete.

getCertChain

default Certificate[] getCertChain(Certificate[] partialChain,
 String organizationId)

Given a partial cert chain and organization id, return the complete certificate chain for the org if applicable. A complete certificate chain is a chain of certificates that satisfies the following conditions: - all certificates in the chain must form a valid chain, i.e., each certificate in the chain is signed by the next certificate - the last certificate (CA) in the chain must be present in the trust store, i.e., there exists a cert identity provider that has the last certificate in the chain. Note: the last certificate in the complete certificate chain is not necessarily a root CA certificate.

Parameters:

partialChain - partial cert chain must not be null or empty, and the first certificate in the chain must be the end-entity certificate

organizationId - organization id, must not be null or empty

Returns:

Certificate chain, it must not be null or empty

healthcheck

AuthCache.Result healthcheck()

health check method which returns the health of the underlying auth store

Returns:

Result object

updateAuthCacheExternally

void updateAuthCacheExternally(String key,
 String value)
                        throws com.fasterxml.jackson.core.JsonProcessingException

Throws:

com.fasterxml.jackson.core.JsonProcessingException