Class ConfluentProvider
java.lang.Object
io.confluent.security.auth.provider.ConfluentProvider
- All Implemented Interfaces:
io.confluent.security.authorizer.AclMigrationAware,io.confluent.security.authorizer.provider.AccessRuleProvider,io.confluent.security.authorizer.provider.Auditable,io.confluent.security.authorizer.provider.GroupProvider,io.confluent.security.authorizer.provider.MetadataProvider,io.confluent.security.authorizer.provider.Provider,io.confluent.security.authorizer.provider.SharedProvider,Closeable,AutoCloseable,org.apache.kafka.common.ClusterResourceListener,org.apache.kafka.common.Configurable,org.apache.kafka.server.authorizer.Authorizer
- Direct Known Subclasses:
DataplaneProvider
public class ConfluentProvider
extends Object
implements io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider, org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.common.ClusterResourceListener, io.confluent.security.authorizer.provider.Auditable, io.confluent.security.authorizer.AclMigrationAware, io.confluent.security.authorizer.provider.SharedProvider
-
Constructor Summary
Constructors -
Method Summary
Modifier and TypeMethodDescriptionIterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter) voidaddMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType) Optional<org.apache.kafka.server.authorizer.Authorizer> voidauditLogProvider(org.apache.kafka.server.audit.AuditLogProvider auditLogProvider) List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions) io.confluent.security.auth.metadata.AuthStoreio.confluent.security.authorizer.Scopevoidclose()voidList<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings) List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings, Optional<String> aclClusterId) io.confluent.security.authorizer.EmbeddedAuthorizerList<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters) List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Optional<String> aclClusterId, org.apache.kafka.common.acl.AclState aclState) io.confluent.security.authorizer.provider.AuthorizeRulefindRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action) Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) booleanisSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope) booleanmayDeny()migrationTask(org.apache.kafka.server.authorizer.Authorizer sourceAuthorizer) voidonUpdate(org.apache.kafka.common.ClusterResource clusterResource) booleanproviderConfigured(Map<String, ?> configs) Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS.voidsetKafkaMetrics(org.apache.kafka.common.metrics.Metrics metrics) Map<org.apache.kafka.common.Endpoint, ? extends CompletionStage<Void>> start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo) start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo) Starts the RBAC provider.booleanReturns true if this broker or controller is running in Metadata service cluster as indicated byMetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROPMethods inherited from class java.lang.Object
equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, waitMethods inherited from interface org.apache.kafka.server.authorizer.Authorizer
aclCount, acls, authorizeByResourceType, config, registerAclUpdateListener
-
Constructor Details
-
ConfluentProvider
public ConfluentProvider()
-
-
Method Details
-
onUpdate
public void onUpdate(org.apache.kafka.common.ClusterResource clusterResource) - Specified by:
onUpdatein interfaceorg.apache.kafka.common.ClusterResourceListener
-
configure
- Specified by:
configurein interfaceorg.apache.kafka.common.Configurable
-
authStoreScope
public io.confluent.security.authorizer.Scope authStoreScope() -
providerName
- Specified by:
providerNamein interfaceio.confluent.security.authorizer.provider.Provider
-
providerConfigured
Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS. These should have metadata server listeners configured. - in another cluster. These should have metadata bootstrap servers configured.- Specified by:
providerConfiguredin interfaceio.confluent.security.authorizer.provider.GroupProvider- Specified by:
providerConfiguredin interfaceio.confluent.security.authorizer.provider.MetadataProvider
-
start
public CompletionStage<Void> start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo) Starts the RBAC provider.On brokers running metadata service, the start up sequence is:
- Start the metadata writer coordinator.
- Master writer is started when writer is elected. First master writer creates the auth topic.
- Start reader. Reader waits for topic to be created and then consumes from topic partitions.
- Writer reads any external store, writes entries to auth topic and then updates status for all its partitions by writing initialized status entry to the partitions.
- Reader completes start up when it sees the initialized status of writer on all partitions.
- Start metadata server to support authorization in other components.
- Complete the returned CompletionStage. Inter-broker listener is required from 1), but other listeners are started only at this point.
MDS brokers complete the provider's start future only when both service future and reader future have completed. If either fails, broker start up is terminated.
- New cluster with MDS enabled requires `replication.factor` active brokers to create the metadata topic and at least `min.insync.replicas` to update status. Both reader and service futures block until sufficient brokers are available and hence brokers should be started concurrently to enable start up to complete.
- During rolling restart of an existing cluster to enable MDS, writer is elected with as each broker is restarted and start up of each broker completes without waiting for MDS to be enabled in other brokers.
- If multiple brokers are configured with the same MDS URL, one broker may complete start up with a single writer. But subsequent brokers will fail start up when duplicate URLs are detected. Start up is failed immediately when an error is detected.
- Specified by:
startin interfaceio.confluent.security.authorizer.provider.Provider
-
mayDeny
public boolean mayDeny()- Specified by:
mayDenyin interfaceio.confluent.security.authorizer.provider.AccessRuleProvider
-
usesMetadataFromThisKafkaCluster
public boolean usesMetadataFromThisKafkaCluster()Returns true if this broker or controller is running in Metadata service cluster as indicated byMetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROP- Specified by:
usesMetadataFromThisKafkaClusterin interfaceio.confluent.security.authorizer.provider.Provider
-
isSuperUser
public boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope) - Specified by:
isSuperUserin interfaceio.confluent.security.authorizer.provider.AccessRuleProvider
-
findRule
public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action) - Specified by:
findRulein interfaceio.confluent.security.authorizer.provider.AccessRuleProvider
-
addMatchingRules
public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType) - Specified by:
addMatchingRulesin interfaceio.confluent.security.authorizer.provider.AccessRuleProvider
-
groups
public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) - Specified by:
groupsin interfaceio.confluent.security.authorizer.provider.GroupProvider
-
close
public void close()- Specified by:
closein interfaceAutoCloseable- Specified by:
closein interfaceCloseable
-
auditLogProvider
public void auditLogProvider(org.apache.kafka.server.audit.AuditLogProvider auditLogProvider) - Specified by:
auditLogProviderin interfaceio.confluent.security.authorizer.provider.Auditable
-
authStore
public io.confluent.security.auth.metadata.AuthStore authStore() -
createRbacAuthorizer
public io.confluent.security.authorizer.EmbeddedAuthorizer createRbacAuthorizer() -
start
public Map<org.apache.kafka.common.Endpoint,? extends CompletionStage<Void>> start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo) - Specified by:
startin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
authorize
public List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions) - Specified by:
authorizein interfaceorg.apache.kafka.server.authorizer.Authorizer
-
createAcls
public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings) - Specified by:
createAclsin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
createAcls
public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings, Optional<String> aclClusterId) - Specified by:
createAclsin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
deleteAcls
public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters) - Specified by:
deleteAclsin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
deleteAcls
public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Optional<String> aclClusterId, org.apache.kafka.common.acl.AclState aclState) - Specified by:
deleteAclsin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
acls
public Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter) - Specified by:
aclsin interfaceorg.apache.kafka.server.authorizer.Authorizer
-
migrationTask
- Specified by:
migrationTaskin interfaceio.confluent.security.authorizer.AclMigrationAware
-
setKafkaMetrics
public void setKafkaMetrics(org.apache.kafka.common.metrics.Metrics metrics) -
asAuthorizer
- Specified by:
asAuthorizerin interfaceio.confluent.security.authorizer.provider.AccessRuleProvider
-