Class DataplaneProvider

java.lang.Object

io.confluent.security.auth.provider.ConfluentProvider

io.confluent.security.auth.dataplane.DataplaneProvider

All Implemented Interfaces:

io.confluent.security.authorizer.AclMigrationAware, io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.Auditable, io.confluent.security.authorizer.provider.GroupProvider, io.confluent.security.authorizer.provider.MetadataProvider, io.confluent.security.authorizer.provider.Provider, io.confluent.security.authorizer.provider.SharedProvider, Closeable, AutoCloseable, org.apache.kafka.common.ClusterResourceListener, org.apache.kafka.common.Configurable, org.apache.kafka.metadata.authorizer.AuthorizerExternalUpdater, org.apache.kafka.server.authorizer.Authorizer

public class DataplaneProvider
extends ConfluentProvider

Field Summary

Fields

Modifier and Type	Field	Description
static final String	PROVIDER_NAME

Constructor Summary

Constructors

Constructor	Description
DataplaneProvider()

Method Summary

Modifier and Type	Method	Description
void	addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope scope, io.confluent.security.roledefinitions.ResourceType resourceType)
io.confluent.security.authorizer.Scope	authStoreScope()	Set Scope.ROOT_SCOPE as we can have multiple lkcs in MT Cluster
io.confluent.security.authorizer.provider.AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
Set<org.apache.kafka.common.security.auth.KafkaPrincipal>	groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)
boolean	mayDeny()	We dont have Deny permissions in RBAC and we don't support Centralized ACLs in CCloud
boolean	providerConfigured(Map<String,?> configs)	Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS.
String	providerName()
boolean	usesMetadataFromThisKafkaCluster()	Returns true if this broker or controller is running in Metadata service cluster as indicated by MetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROP

Methods inherited from class io.confluent.security.auth.provider.ConfluentProvider

acls, asAuthorizer, auditLogProvider, authorize, authStore, close, completeInitialLoad, configure, createAcls, createAcls, createRbacAuthorizer, deleteAcls, deleteAcls, isSuperUser, migrationTask, onUpdate, setKafkaMetrics, start, start, updateAuthCacheExternally

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.apache.kafka.server.authorizer.Authorizer

aclCount, acls, authorizeByResourceType, config, registerAclUpdateListener

Field Details

PROVIDER_NAME

public static final String PROVIDER_NAME

See Also:

• Constant Field Values

Constructor Details

DataplaneProvider

public DataplaneProvider()

Method Details

providerName

public String providerName()

Specified by:

providerName in interface io.confluent.security.authorizer.provider.Provider

Overrides:

providerName in class ConfluentProvider

providerConfigured

public boolean providerConfigured(Map<String,?> configs)

Description copied from class: ConfluentProvider

Brokers running ConfluentProvider should be either: - in the metadata cluster, running MDS. These should have metadata server listeners configured. - in another cluster. These should have metadata bootstrap servers configured.

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.GroupProvider

Specified by:

providerConfigured in interface io.confluent.security.authorizer.provider.MetadataProvider

Overrides:

providerConfigured in class ConfluentProvider

usesMetadataFromThisKafkaCluster

public boolean usesMetadataFromThisKafkaCluster()

Description copied from class: ConfluentProvider

Returns true if this broker or controller is running in Metadata service cluster as indicated by MetadataServerConfig.METADATA_SERVER_CONTROLLER_KRAFT_ENABLED_PROP

Specified by:

usesMetadataFromThisKafkaCluster in interface io.confluent.security.authorizer.provider.Provider

Overrides:

usesMetadataFromThisKafkaCluster in class ConfluentProvider

authStoreScope

public io.confluent.security.authorizer.Scope authStoreScope()

Set Scope.ROOT_SCOPE as we can have multiple lkcs in MT Cluster

Overrides:

authStoreScope in class ConfluentProvider

mayDeny

public boolean mayDeny()

We dont have Deny permissions in RBAC and we don't support Centralized ACLs in CCloud

Specified by:

mayDeny in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

mayDeny in class ConfluentProvider

findRule

public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
 String host,
 io.confluent.security.authorizer.Action action)

Specified by:

findRule in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

findRule in class ConfluentProvider

addMatchingRules

public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
 org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
 Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
 String host,
 io.confluent.security.roledefinitions.Operation operation,
 io.confluent.security.authorizer.Scope scope,
 io.confluent.security.roledefinitions.ResourceType resourceType)

Specified by:

addMatchingRules in interface io.confluent.security.authorizer.provider.AccessRuleProvider

Overrides:

addMatchingRules in class ConfluentProvider

groups

public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)

Specified by:

groups in interface io.confluent.security.authorizer.provider.GroupProvider

Overrides:

groups in class ConfluentProvider