io.confluent.security.auth.dataplane

Class DataplaneProvider

java.lang.Object

io.confluent.security.auth.provider.ConfluentProvider

io.confluent.security.auth.dataplane.DataplaneProvider

All Implemented Interfaces:

io.confluent.security.authorizer.AclMigrationAware, io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.Auditable, io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider, io.confluent.security.authorizer.provider.Provider, Closeable, AutoCloseable, org.apache.kafka.common.ClusterResourceListener, org.apache.kafka.common.Configurable, org.apache.kafka.server.authorizer.Authorizer

public class DataplaneProvider
extends ConfluentProvider

Field Summary

Fields

Modifier and Type	Field and Description
static String	PROVIDER_NAME

Fields inherited from class io.confluent.security.auth.provider.ConfluentProvider

isConfluentCloud

Constructor Summary

Constructors

Constructor and Description
DataplaneProvider()

Method Summary

Modifier and Type	Method and Description
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.authorizer.ResourceType resourceType)
io.confluent.security.authorizer.Scope	authStoreScope() Set Scope.ROOT_SCOPE as we can have multiple lkcs in MT Cluster
protected io.confluent.security.auth.metadata.AuthStore	createAuthStore(io.confluent.security.authorizer.Scope rootScope, org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo, Map<String,?> configs)
io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
boolean	mayDeny() We dont have Deny permissions in RBAC and we don't support Centralized ACLs in CCloud
protected List<URL>	metadataServerAdvertisedListeners() Currently we don't enable MDS for DataPlane RBAC.
boolean	providerConfigured(Map<String,?> configs) Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS.
String	providerName()
boolean	usesMetadataFromThisKafkaCluster() Returns true if this broker is running the centralized Metadata Service in the embedded MetadataServer as indicated by MetadataServerConfig.METADATA_SERVER_LISTENERS_PROP.

Methods inherited from class io.confluent.security.auth.provider.ConfluentProvider

acls, asAuthorizer, auditLogProvider, authorize, authStore, close, configure, createAcls, createAcls, createMdsAdminClient, createRbacAuthorizer, deleteAcls, deleteAcls, groups, isConfluentCloud, isSuperUser, migrationTask, onUpdate, setKafkaMetrics, start, start

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.kafka.server.authorizer.Authorizer

aclCount, authorizeByResourceType

Field Detail

PROVIDER_NAME

public static final String PROVIDER_NAME

See Also:

Constant Field Values

Constructor Detail

DataplaneProvider

public DataplaneProvider()

Method Detail

providerName

public String providerName()

Specified by:

providerName in interface io.confluent.security.authorizer.provider.Provider

Overrides:

providerName in class ConfluentProvider

providerConfigured

public boolean providerConfigured(Map<String,?> configs)

Description copied from class: ConfluentProvider

Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS. These should have metadata server listeners configured. - in another cluster. These should have metadata bootstrap servers configured.

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.GroupProvider

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.MetadataProvider

Overrides:

providerConfigured in class ConfluentProvider

usesMetadataFromThisKafkaCluster

public boolean usesMetadataFromThisKafkaCluster()

Description copied from class: ConfluentProvider

Returns true if this broker is running the centralized Metadata Service in the embedded MetadataServer as indicated by MetadataServerConfig.METADATA_SERVER_LISTENERS_PROP. Otherwise returns false and AuthStore listens to Metadata Service in another cluster configured using KafkaStoreConfig.BOOTSTRAP_SERVERS_PROP.

Specified by:

usesMetadataFromThisKafkaCluster in interface io.confluent.security.authorizer.provider.Provider

Overrides:

usesMetadataFromThisKafkaCluster in class ConfluentProvider

createAuthStore

protected io.confluent.security.auth.metadata.AuthStore createAuthStore(io.confluent.security.authorizer.Scope rootScope,
                                                                        org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo,
                                                                        Map<String,?> configs)

Overrides:

createAuthStore in class ConfluentProvider

metadataServerAdvertisedListeners

protected List<URL> metadataServerAdvertisedListeners()

Currently we don't enable MDS for DataPlane RBAC. Return empty URL listener list to avoid parsing error when kafka internal rest enabled.

Overrides:

metadataServerAdvertisedListeners in class ConfluentProvider

authStoreScope

public io.confluent.security.authorizer.Scope authStoreScope()

Set Scope.ROOT_SCOPE as we can have multiple lkcs in MT Cluster

Overrides:

authStoreScope in class ConfluentProvider

mayDeny

public boolean mayDeny()

We dont have Deny permissions in RBAC and we don't support Centralized ACLs in CCloud

Specified by:

mayDeny in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

mayDeny in class ConfluentProvider

findRule

public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                                                                        Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                                                                        String host,
                                                                        io.confluent.security.authorizer.Action action)

Specified by:

findRule in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

findRule in class ConfluentProvider

addMatchingRules

public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
                             org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                             Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                             String host,
                             io.confluent.security.authorizer.Operation operation,
                             io.confluent.security.authorizer.Scope scope,
                             io.confluent.security.authorizer.ResourceType resourceType)

Specified by:

addMatchingRules in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

addMatchingRules in class ConfluentProvider