io.confluent.security.auth.store.cache

Class AbstractAuthCache

java.lang.Object

io.confluent.security.auth.store.cache.AbstractAuthCache

All Implemented Interfaces:

io.confluent.security.auth.metadata.AuthCache, io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>, io.confluent.security.trustservice.store.TrustCache

Direct Known Subclasses:

CloudAuthCache, DefaultAuthCache

public abstract class AbstractAuthCache
extends Object
implements io.confluent.security.auth.metadata.AuthCache, io.confluent.security.trustservice.store.TrustCache, io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

Cache containing authorization and authentication metadata. This is obtained from a Kafka metadata topic. Assumptions:

• Updates are on a single thread, but access policies and bindings may be read from different threads concurrently.
• Single-writer model ensures that we can perform updates and deletes at resource level for role bindings, for example to add a resource to an existing role binding.

Nested Class Summary

Nested classes/interfaces inherited from interface io.confluent.security.auth.metadata.AuthCache

io.confluent.security.auth.metadata.AuthCache.Result

Constructor Summary

Constructors

Constructor and Description
AbstractAuthCache(io.confluent.security.roledefinitions.RbacRoles rbacRoles, io.confluent.security.authorizer.Scope rootScope, AccessRuleStore rbacAccessRuleStore, AccessRuleStore aclAccessRuleStore)

Method Summary

Modifier and Type	Method and Description
Collection<org.apache.kafka.common.acl.AclBinding>	aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>>	aclRules(io.confluent.security.authorizer.Scope scope)
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType)
int	caCertificatesCount()
int	certIdentityPoolsCount()
void	fail(int partition, String errorMessage)
Collection<io.confluent.security.auth.mtls.CertIdentityPool>	findCertIdentityPools(Map<String,String> parsedCertMetadata, String orgId, String providerId)
Collection<io.confluent.security.auth.mtls.CertIdentityPool>	findCertIdentityPools(X509Certificate cert, String orgId, String providerId)
Collection<io.confluent.security.auth.store.data.CaCertificatesKey>	findCertIdentityProviders(Certificate[] certificates, String organizationId)
abstract io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
io.confluent.security.auth.store.data.AuthValue	get(io.confluent.security.auth.store.data.AuthKey key)
Set<org.apache.kafka.common.security.auth.KafkaPrincipal>	groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) Returns the groups of the provided user principal.
io.confluent.security.auth.metadata.AuthCache.Result	healthcheck()
io.confluent.security.trustservice.store.data.IdentityPool	identityPool(String poolId)
Map<String,io.confluent.security.trustservice.store.data.IdentityPool>	identityPools()
boolean	isRevoked(Certificate[] certificates, String organizationId, String providerId)
boolean	isRevoked(X509Certificate certificate, String organizationId, String providerId)
org.jose4j.jwk.JsonWebKeySet	jsonWebKeySet(String jwtKey)
Map<String,org.jose4j.jwk.JsonWebKeySet>	jsonWebKeySets()
Set<io.confluent.security.authorizer.Scope>	knownScopes()
Map<? extends io.confluent.security.auth.store.data.AuthKey,? extends io.confluent.security.auth.store.data.AuthValue>	map(String type)
io.confluent.security.auth.store.data.AuthValue	put(io.confluent.security.auth.store.data.AuthKey key, io.confluent.security.auth.store.data.AuthValue value)
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes)
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(io.confluent.security.authorizer.Scope scope)
Set<io.confluent.security.rbac.RoleBinding>	rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)
io.confluent.security.roledefinitions.RbacRoles	rbacRoles()
io.confluent.security.authentication.oidc.RefreshTokenInfo	refreshTokenInfo(String refreshTokenKey)
io.confluent.security.auth.store.data.AuthValue	remove(io.confluent.security.auth.store.data.AuthKey key)
io.confluent.security.authorizer.Scope	rootScope()
void	setMTlsConnectionManager(org.apache.kafka.common.security.mtls.MTlsConnectionManager mTlsConnectionManager)
void	setMTlsTruststoreManager(org.apache.kafka.common.security.mtls.MTlsTruststoreManager mTlsTruststoreManager)
io.confluent.security.store.MetadataStoreStatus	status(int partition)
long	totalAclAccessRules()
long	totalIdentityPools()
int	totalJwtIssuers()
long	totalRbacAccessRules()
long	totalRefreshTokenInfos()
int	totalRoleBindings()
io.confluent.security.rbac.UserMetadata	userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)
Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata>	users()

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

AbstractAuthCache

public AbstractAuthCache(io.confluent.security.roledefinitions.RbacRoles rbacRoles,
                         io.confluent.security.authorizer.Scope rootScope,
                         AccessRuleStore rbacAccessRuleStore,
                         AccessRuleStore aclAccessRuleStore)

Method Detail

findRule

public abstract io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
                                                                                 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                                                                                 String host,
                                                                                 io.confluent.security.authorizer.Action action)

Specified by:

findRule in interface io.confluent.security.auth.metadata.AuthCache

groups

public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)

Returns the groups of the provided user principal.

Specified by:

groups in interface io.confluent.security.auth.metadata.AuthCache

Parameters:

sessionPrincipal - User principal of the session which may contains groups

Returns:

Set of group principals of the user, which may be empty

rbacRoleBindings

public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope)

Specified by:

rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

rbacRoleBindings

public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)

Specified by:

rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

rbacRoleBindings

public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)

Specified by:

rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

rbacRoleBindings

public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)

Specified by:

rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

rbacRoleBindings

public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
                                                                    Set<io.confluent.security.authorizer.Scope> scopes)

Specified by:

rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

jsonWebKeySets

public Map<String,org.jose4j.jwk.JsonWebKeySet> jsonWebKeySets()

Specified by:

jsonWebKeySets in interface io.confluent.security.trustservice.store.TrustCache

jsonWebKeySet

public org.jose4j.jwk.JsonWebKeySet jsonWebKeySet(String jwtKey)

Specified by:

jsonWebKeySet in interface io.confluent.security.trustservice.store.TrustCache

identityPool

public io.confluent.security.trustservice.store.data.IdentityPool identityPool(String poolId)

Specified by:

identityPool in interface io.confluent.security.trustservice.store.TrustCache

identityPools

public Map<String,io.confluent.security.trustservice.store.data.IdentityPool> identityPools()

Specified by:

identityPools in interface io.confluent.security.trustservice.store.TrustCache

refreshTokenInfo

public io.confluent.security.authentication.oidc.RefreshTokenInfo refreshTokenInfo(String refreshTokenKey)

Specified by:

refreshTokenInfo in interface io.confluent.security.trustservice.store.TrustCache

userMetadata

public io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)

Specified by:

userMetadata in interface io.confluent.security.auth.metadata.AuthCache

users

public Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata> users()

Specified by:

users in interface io.confluent.security.auth.metadata.AuthCache

knownScopes

public Set<io.confluent.security.authorizer.Scope> knownScopes()

Specified by:

knownScopes in interface io.confluent.security.auth.metadata.AuthCache

rootScope

public io.confluent.security.authorizer.Scope rootScope()

Specified by:

rootScope in interface io.confluent.security.auth.metadata.AuthCache

rbacRoles

public io.confluent.security.roledefinitions.RbacRoles rbacRoles()

Specified by:

rbacRoles in interface io.confluent.security.auth.metadata.AuthCache

aclRules

public Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope)

Specified by:

aclRules in interface io.confluent.security.auth.metadata.AuthCache

aclBindings

public Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope,
                                                                      org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter,
                                                                      Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)

Specified by:

aclBindings in interface io.confluent.security.auth.metadata.AuthCache

addMatchingRules

public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
                             org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal,
                             Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                             String host,
                             io.confluent.security.roledefinitions.Operation operation,
                             io.confluent.security.authorizer.Scope resourceScope,
                             io.confluent.security.roledefinitions.ResourceType resourceType)

Specified by:

addMatchingRules in interface io.confluent.security.auth.metadata.AuthCache

healthcheck

public io.confluent.security.auth.metadata.AuthCache.Result healthcheck()

Specified by:

healthcheck in interface io.confluent.security.auth.metadata.AuthCache

get

public io.confluent.security.auth.store.data.AuthValue get(io.confluent.security.auth.store.data.AuthKey key)

Specified by:

get in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

put

public io.confluent.security.auth.store.data.AuthValue put(io.confluent.security.auth.store.data.AuthKey key,
                                                           io.confluent.security.auth.store.data.AuthValue value)

Specified by:

put in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

remove

public io.confluent.security.auth.store.data.AuthValue remove(io.confluent.security.auth.store.data.AuthKey key)

Specified by:

remove in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

map

public Map<? extends io.confluent.security.auth.store.data.AuthKey,? extends io.confluent.security.auth.store.data.AuthValue> map(String type)

Specified by:

map in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

fail

public void fail(int partition,
                 String errorMessage)

Specified by:

fail in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

status

public io.confluent.security.store.MetadataStoreStatus status(int partition)

Specified by:

status in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>

findCertIdentityProviders

public Collection<io.confluent.security.auth.store.data.CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates,
                                                                                                     String organizationId)

Specified by:

findCertIdentityProviders in interface io.confluent.security.auth.metadata.AuthCache

findCertIdentityPools

public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(X509Certificate cert,
                                                                                          String orgId,
                                                                                          String providerId)

Specified by:

findCertIdentityPools in interface io.confluent.security.auth.metadata.AuthCache

findCertIdentityPools

public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(Map<String,String> parsedCertMetadata,
                                                                                          String orgId,
                                                                                          String providerId)

Specified by:

findCertIdentityPools in interface io.confluent.security.auth.metadata.AuthCache

isRevoked

public boolean isRevoked(X509Certificate certificate,
                         String organizationId,
                         String providerId)

Specified by:

isRevoked in interface io.confluent.security.auth.metadata.AuthCache

isRevoked

public boolean isRevoked(Certificate[] certificates,
                         String organizationId,
                         String providerId)

Specified by:

isRevoked in interface io.confluent.security.auth.metadata.AuthCache

totalRoleBindings

public int totalRoleBindings()

totalRbacAccessRules

public long totalRbacAccessRules()

totalAclAccessRules

public long totalAclAccessRules()

totalJwtIssuers

public int totalJwtIssuers()

totalIdentityPools

public long totalIdentityPools()

totalRefreshTokenInfos

public long totalRefreshTokenInfos()

caCertificatesCount

public int caCertificatesCount()

certIdentityPoolsCount

public int certIdentityPoolsCount()

setMTlsTruststoreManager

public void setMTlsTruststoreManager(org.apache.kafka.common.security.mtls.MTlsTruststoreManager mTlsTruststoreManager)

setMTlsConnectionManager

public void setMTlsConnectionManager(org.apache.kafka.common.security.mtls.MTlsConnectionManager mTlsConnectionManager)