io.confluent.security.auth.provider

Class ConfluentProvider

java.lang.Object

io.confluent.security.auth.provider.ConfluentProvider

All Implemented Interfaces:

io.confluent.security.authorizer.AclMigrationAware, io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.Auditable, io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider, io.confluent.security.authorizer.provider.Provider, io.confluent.security.authorizer.provider.SharedProvider, Closeable, AutoCloseable, org.apache.kafka.common.ClusterResourceListener, org.apache.kafka.common.Configurable, org.apache.kafka.server.authorizer.Authorizer

Direct Known Subclasses:

DataplaneProvider

public class ConfluentProvider
extends Object
implements io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider, org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.common.ClusterResourceListener, io.confluent.security.authorizer.provider.Auditable, io.confluent.security.authorizer.AclMigrationAware, io.confluent.security.authorizer.provider.SharedProvider

Constructor Summary

Constructors

Constructor and Description
ConfluentProvider()

Method Summary

Modifier and Type	Method and Description
Iterable<org.apache.kafka.common.acl.AclBinding>	acls(org.apache.kafka.common.acl.AclBindingFilter filter)
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.authorizer.ResourceType resourceType)
Optional<org.apache.kafka.server.authorizer.Authorizer>	asAuthorizer()
void	auditLogProvider(org.apache.kafka.server.audit.AuditLogProvider auditLogProvider)
List<org.apache.kafka.server.authorizer.AuthorizationResult>	authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions)
io.confluent.security.auth.metadata.AuthStore	authStore()
io.confluent.security.authorizer.Scope	authStoreScope()
void	close()
void	configure(Map<String,?> configs)
List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>	createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>	createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings, Optional<String> aclClusterId)
io.confluent.security.authorizer.EmbeddedAuthorizer	createRbacAuthorizer()
List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>	deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)
List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>	deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Optional<String> aclClusterId, org.apache.kafka.common.acl.AclState aclState)
io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
Set<org.apache.kafka.common.security.auth.KafkaPrincipal>	groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)
boolean	isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)
boolean	mayDeny()
Runnable	migrationTask(org.apache.kafka.server.authorizer.Authorizer sourceAuthorizer)
void	onUpdate(org.apache.kafka.common.ClusterResource clusterResource)
boolean	providerConfigured(Map<String,?> configs) Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS.
String	providerName()
void	setKafkaMetrics(org.apache.kafka.common.metrics.Metrics metrics)
Map<org.apache.kafka.common.Endpoint,? extends CompletionStage<Void>>	start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo)
CompletionStage<Void>	start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo) Starts the RBAC provider.
boolean	usesMetadataFromThisKafkaCluster() Returns true if this broker or controller is running in Metadata service cluster as indicated by MetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROP

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.kafka.server.authorizer.Authorizer

aclCount, acls, authorizeByResourceType, config, registerAclUpdateListener

Constructor Detail

ConfluentProvider

public ConfluentProvider()

Method Detail

onUpdate

public void onUpdate(org.apache.kafka.common.ClusterResource clusterResource)

Specified by:

onUpdate in interface org.apache.kafka.common.ClusterResourceListener

configure

public void configure(Map<String,?> configs)

Specified by:

configure in interface org.apache.kafka.common.Configurable

authStoreScope

public io.confluent.security.authorizer.Scope authStoreScope()

providerName

public String providerName()

Specified by:

providerName in interface io.confluent.security.authorizer.provider.Provider

providerConfigured

public boolean providerConfigured(Map<String,?> configs)

Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS. These should have metadata server listeners configured. - in another cluster. These should have metadata bootstrap servers configured.

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.GroupProvider

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.MetadataProvider

start

public CompletionStage<Void> start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo)

Starts the RBAC provider.

On brokers running metadata service, the start up sequence is:

1. Start the metadata writer coordinator.
2. Master writer is started when writer is elected. First master writer creates the auth topic.
3. Start reader. Reader waits for topic to be created and then consumes from topic partitions.
4. Writer reads any external store, writes entries to auth topic and then updates status for all its partitions by writing initialized status entry to the partitions.
5. Reader completes start up when it sees the initialized status of writer on all partitions.
6. Start metadata server to support authorization in other components.
7. Complete the returned CompletionStage. Inter-broker listener is required from 1), but other listeners are started only at this point.

On brokers in non-MDS clusters, the reader starts up and waits for the writer on the metadata cluster to create and initialize the topic. Provider start future is completed when reader is initialized.

MDS brokers complete the provider's start future only when both service future and reader future have completed. If either fails, broker start up is terminated.

• New cluster with MDS enabled requires `replication.factor` active brokers to create the metadata topic and at least `min.insync.replicas` to update status. Both reader and service futures block until sufficient brokers are available and hence brokers should be started concurrently to enable start up to complete.
• During rolling restart of an existing cluster to enable MDS, writer is elected with as each broker is restarted and start up of each broker completes without waiting for MDS to be enabled in other brokers.
• If multiple brokers are configured with the same MDS URL, one broker may complete start up with a single writer. But subsequent brokers will fail start up when duplicate URLs are detected. Start up is failed immediately when an error is detected.

Specified by:

start in interface io.confluent.security.authorizer.provider.Provider

mayDeny

public boolean mayDeny()

Specified by:

mayDeny in interface io.confluent.security.authorizer.provider.AccessRuleProvider

usesMetadataFromThisKafkaCluster

public boolean usesMetadataFromThisKafkaCluster()

Returns true if this broker or controller is running in Metadata service cluster as indicated by MetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROP

Specified by:

usesMetadataFromThisKafkaCluster in interface io.confluent.security.authorizer.provider.Provider

isSuperUser

public boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
                           io.confluent.security.authorizer.Scope scope)

Specified by:

isSuperUser in interface io.confluent.security.authorizer.provider.AccessRuleProvider

findRule

public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                                                                        Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                                                                        String host,
                                                                        io.confluent.security.authorizer.Action action)

Specified by:

findRule in interface io.confluent.security.authorizer.provider.AccessRuleProvider

addMatchingRules

public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
                             org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                             Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                             String host,
                             io.confluent.security.authorizer.Operation operation,
                             io.confluent.security.authorizer.Scope scope,
                             io.confluent.security.authorizer.ResourceType resourceType)

Specified by:

addMatchingRules in interface io.confluent.security.authorizer.provider.AccessRuleProvider

groups

public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)

Specified by:

groups in interface io.confluent.security.authorizer.provider.GroupProvider

close

public void close()

Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

auditLogProvider

public void auditLogProvider(org.apache.kafka.server.audit.AuditLogProvider auditLogProvider)

Specified by:

auditLogProvider in interface io.confluent.security.authorizer.provider.Auditable

authStore

public io.confluent.security.auth.metadata.AuthStore authStore()

createRbacAuthorizer

public io.confluent.security.authorizer.EmbeddedAuthorizer createRbacAuthorizer()

start

public Map<org.apache.kafka.common.Endpoint,? extends CompletionStage<Void>> start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo)

Specified by:

start in interface org.apache.kafka.server.authorizer.Authorizer

authorize

public List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                              List<org.apache.kafka.server.authorizer.Action> actions)

Specified by:

authorize in interface org.apache.kafka.server.authorizer.Authorizer

createAcls

public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                      List<org.apache.kafka.common.acl.AclBinding> aclBindings)

Specified by:

createAcls in interface org.apache.kafka.server.authorizer.Authorizer

createAcls

public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                      List<org.apache.kafka.common.acl.AclBinding> aclBindings,
                                                                                                      Optional<String> aclClusterId)

Specified by:

createAcls in interface org.apache.kafka.server.authorizer.Authorizer

deleteAcls

public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                      List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)

Specified by:

deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer

deleteAcls

public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                      List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters,
                                                                                                      Optional<String> aclClusterId,
                                                                                                      org.apache.kafka.common.acl.AclState aclState)

Specified by:

deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer

acls

public Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter)

Specified by:

acls in interface org.apache.kafka.server.authorizer.Authorizer

migrationTask

public Runnable migrationTask(org.apache.kafka.server.authorizer.Authorizer sourceAuthorizer)

Specified by:

migrationTask in interface io.confluent.security.authorizer.AclMigrationAware

setKafkaMetrics

public void setKafkaMetrics(org.apache.kafka.common.metrics.Metrics metrics)

asAuthorizer

public Optional<org.apache.kafka.server.authorizer.Authorizer> asAuthorizer()

Specified by:

asAuthorizer in interface io.confluent.security.authorizer.provider.AccessRuleProvider