Class AbstractAuthCache
java.lang.Object
io.confluent.security.auth.store.cache.AbstractAuthCache
- All Implemented Interfaces:
io.confluent.security.auth.metadata.AuthCache,io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,,io.confluent.security.auth.store.data.AuthValue> io.confluent.security.trustservice.store.TrustCache
- Direct Known Subclasses:
CloudAuthCache,DefaultAuthCache
public abstract class AbstractAuthCache
extends Object
implements io.confluent.security.auth.metadata.AuthCache, io.confluent.security.trustservice.store.TrustCache, io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
Cache containing authorization and authentication metadata. This is obtained from
a Kafka metadata topic.
Assumptions:
- Updates are on a single thread, but access policies and bindings may be read from different threads concurrently.
- Single-writer model ensures that we can perform updates and deletes at resource level for role bindings, for example to add a resource to an existing role binding.
-
Nested Class Summary
Nested classes/interfaces inherited from interface io.confluent.security.auth.metadata.AuthCache
io.confluent.security.auth.metadata.AuthCache.Result -
Constructor Summary
ConstructorsConstructorDescriptionAbstractAuthCache(io.confluent.security.roledefinitions.RbacRoles rbacRoles, io.confluent.security.authorizer.Scope rootScope, AccessRuleStore rbacAccessRuleStore, AccessRuleStore aclAccessRuleStore) -
Method Summary
Modifier and TypeMethodDescriptionCollection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess) Map<io.confluent.security.authorizer.ResourcePattern, Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope) voidaddMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType) intintvoidCollection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(X509Certificate cert, String orgId, String providerId) Collection<io.confluent.security.auth.mtls.CertIdentityPool> Collection<io.confluent.security.auth.store.data.CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates, String organizationId) Collection<io.confluent.security.trustservice.store.data.IdentityPool> findIdentityPools(String providerId) findIdentityProviderIds(String organizationId) abstract io.confluent.security.authorizer.provider.AuthorizeRulefindRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action) io.confluent.security.auth.store.data.AuthValueget(io.confluent.security.auth.store.data.AuthKey key) getCertChain(Certificate[] partialChain, String organizationId) Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) Returns the groups of the provided user principal.io.confluent.security.auth.metadata.AuthCache.Resultio.confluent.security.trustservice.store.data.IdentityPoolidentityPool(String poolId) io.confluent.security.trustservice.store.data.IdentityProvideridentityProvider(String providerId) booleanisCompleteCertChain(Certificate[] certChain, String organizationId) booleanisRevoked(Certificate[] certificates, String organizationId, String providerId) booleanisRevoked(X509Certificate certificate, String organizationId, String providerId) org.jose4j.jwk.JsonWebKeySetjsonWebKeySet(String jwtKey) Set<io.confluent.security.authorizer.Scope> Map<? extends io.confluent.security.auth.store.data.AuthKey, ? extends io.confluent.security.auth.store.data.AuthValue> io.confluent.security.auth.store.data.AuthValueput(io.confluent.security.auth.store.data.AuthKey key, io.confluent.security.auth.store.data.AuthValue value) Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope) Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter) Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes) Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal) Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes) io.confluent.security.roledefinitions.RbacRolesio.confluent.security.authentication.oidc.RefreshTokenInforefreshTokenInfo(String refreshTokenKey) io.confluent.security.auth.store.data.AuthValueremove(io.confluent.security.auth.store.data.AuthKey key) io.confluent.security.authorizer.ScopevoidsetMTlsConnectionManager(org.apache.kafka.common.security.mtls.MTlsConnectionManager mTlsConnectionManager) voidsetMTlsTruststoreManager(org.apache.kafka.common.security.mtls.MTlsTruststoreManager mTlsTruststoreManager) io.confluent.security.store.MetadataStoreStatusstatus(int partition) longlongintlonglongintio.confluent.security.rbac.UserMetadatauserMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal) Map<org.apache.kafka.common.security.auth.KafkaPrincipal, io.confluent.security.rbac.UserMetadata> users()
-
Constructor Details
-
AbstractAuthCache
public AbstractAuthCache(io.confluent.security.roledefinitions.RbacRoles rbacRoles, io.confluent.security.authorizer.Scope rootScope, AccessRuleStore rbacAccessRuleStore, AccessRuleStore aclAccessRuleStore)
-
-
Method Details
-
findRule
public abstract io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action) - Specified by:
findRulein interfaceio.confluent.security.auth.metadata.AuthCache
-
groups
public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal) Returns the groups of the provided user principal.- Specified by:
groupsin interfaceio.confluent.security.auth.metadata.AuthCache- Parameters:
sessionPrincipal- User principal of the session which may contains groups- Returns:
- Set of group principals of the user, which may be empty
-
rbacRoleBindings
public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope) - Specified by:
rbacRoleBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
rbacRoleBindings
public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes) - Specified by:
rbacRoleBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
rbacRoleBindings
public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter) - Specified by:
rbacRoleBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
rbacRoleBindings
public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal) - Specified by:
rbacRoleBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
rbacRoleBindings
public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes) - Specified by:
rbacRoleBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
jsonWebKeySets
- Specified by:
jsonWebKeySetsin interfaceio.confluent.security.trustservice.store.TrustCache
-
jsonWebKeySet
- Specified by:
jsonWebKeySetin interfaceio.confluent.security.trustservice.store.TrustCache
-
identityPool
- Specified by:
identityPoolin interfaceio.confluent.security.trustservice.store.TrustCache
-
identityPools
- Specified by:
identityPoolsin interfaceio.confluent.security.trustservice.store.TrustCache
-
refreshTokenInfo
public io.confluent.security.authentication.oidc.RefreshTokenInfo refreshTokenInfo(String refreshTokenKey) - Specified by:
refreshTokenInfoin interfaceio.confluent.security.trustservice.store.TrustCache
-
userMetadata
public io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal) - Specified by:
userMetadatain interfaceio.confluent.security.auth.metadata.AuthCache
-
users
public Map<org.apache.kafka.common.security.auth.KafkaPrincipal,io.confluent.security.rbac.UserMetadata> users()- Specified by:
usersin interfaceio.confluent.security.auth.metadata.AuthCache
-
knownScopes
- Specified by:
knownScopesin interfaceio.confluent.security.auth.metadata.AuthCache
-
rootScope
public io.confluent.security.authorizer.Scope rootScope()- Specified by:
rootScopein interfaceio.confluent.security.auth.metadata.AuthCache
-
rbacRoles
public io.confluent.security.roledefinitions.RbacRoles rbacRoles()- Specified by:
rbacRolesin interfaceio.confluent.security.auth.metadata.AuthCache
-
aclRules
public Map<io.confluent.security.authorizer.ResourcePattern,Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope) - Specified by:
aclRulesin interfaceio.confluent.security.auth.metadata.AuthCache
-
aclBindings
public Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess) - Specified by:
aclBindingsin interfaceio.confluent.security.auth.metadata.AuthCache
-
addMatchingRules
public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType) - Specified by:
addMatchingRulesin interfaceio.confluent.security.auth.metadata.AuthCache
-
healthcheck
public io.confluent.security.auth.metadata.AuthCache.Result healthcheck()- Specified by:
healthcheckin interfaceio.confluent.security.auth.metadata.AuthCache
-
get
public io.confluent.security.auth.store.data.AuthValue get(io.confluent.security.auth.store.data.AuthKey key) - Specified by:
getin interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
put
public io.confluent.security.auth.store.data.AuthValue put(io.confluent.security.auth.store.data.AuthKey key, io.confluent.security.auth.store.data.AuthValue value) - Specified by:
putin interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
remove
public io.confluent.security.auth.store.data.AuthValue remove(io.confluent.security.auth.store.data.AuthKey key) - Specified by:
removein interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
map
public Map<? extends io.confluent.security.auth.store.data.AuthKey,? extends io.confluent.security.auth.store.data.AuthValue> map(String type) - Specified by:
mapin interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
fail
- Specified by:
failin interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
status
public io.confluent.security.store.MetadataStoreStatus status(int partition) - Specified by:
statusin interfaceio.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey,io.confluent.security.auth.store.data.AuthValue>
-
findIdentityPools
public Collection<io.confluent.security.trustservice.store.data.IdentityPool> findIdentityPools(String providerId) - Specified by:
findIdentityPoolsin interfaceio.confluent.security.trustservice.store.TrustCache
-
findIdentityProviderIds
- Specified by:
findIdentityProviderIdsin interfaceio.confluent.security.trustservice.store.TrustCache
-
identityProvider
public io.confluent.security.trustservice.store.data.IdentityProvider identityProvider(String providerId) - Specified by:
identityProviderin interfaceio.confluent.security.trustservice.store.TrustCache
-
findCertIdentityProviders
public Collection<io.confluent.security.auth.store.data.CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates, String organizationId) - Specified by:
findCertIdentityProvidersin interfaceio.confluent.security.auth.metadata.AuthCache
-
findCertIdentityPools
public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(X509Certificate cert, String orgId, String providerId) - Specified by:
findCertIdentityPoolsin interfaceio.confluent.security.auth.metadata.AuthCache
-
findCertIdentityPools
public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(Map<String, String> parsedCertMetadata, String orgId, String providerId) - Specified by:
findCertIdentityPoolsin interfaceio.confluent.security.auth.metadata.AuthCache
-
isRevoked
- Specified by:
isRevokedin interfaceio.confluent.security.auth.metadata.AuthCache
-
isRevoked
- Specified by:
isRevokedin interfaceio.confluent.security.auth.metadata.AuthCache
-
isCompleteCertChain
- Specified by:
isCompleteCertChainin interfaceio.confluent.security.auth.metadata.AuthCache
-
getCertChain
- Specified by:
getCertChainin interfaceio.confluent.security.auth.metadata.AuthCache
-
totalRoleBindings
public int totalRoleBindings() -
totalRbacAccessRules
public long totalRbacAccessRules() -
totalAclAccessRules
public long totalAclAccessRules() -
totalJwtIssuers
public int totalJwtIssuers() -
totalIdentityPools
public long totalIdentityPools() -
totalRefreshTokenInfos
public long totalRefreshTokenInfos() -
caCertificatesCount
public int caCertificatesCount() -
certIdentityPoolsCount
public int certIdentityPoolsCount() -
setMTlsTruststoreManager
public void setMTlsTruststoreManager(org.apache.kafka.common.security.mtls.MTlsTruststoreManager mTlsTruststoreManager) -
setMTlsConnectionManager
public void setMTlsConnectionManager(org.apache.kafka.common.security.mtls.MTlsConnectionManager mTlsConnectionManager)
-