Class AbstractAuthCache

java.lang.Object
io.confluent.security.auth.store.cache.AbstractAuthCache
All Implemented Interfaces:
io.confluent.security.auth.metadata.AuthCache, io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>, io.confluent.security.trustservice.store.TrustCache
Direct Known Subclasses:
CloudAuthCache, DefaultAuthCache
public abstract class AbstractAuthCache extends Object implements io.confluent.security.auth.metadata.AuthCache, io.confluent.security.trustservice.store.TrustCache, io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>
Cache containing authorization and authentication metadata. This is obtained from a Kafka metadata topic. Assumptions:
  • Updates are on a single thread, but access policies and bindings may be read from different threads concurrently.
  • Single-writer model ensures that we can perform updates and deletes at resource level for role bindings, for example to add a resource to an existing role binding.

  • Constructor Details

    • AbstractAuthCache

      public AbstractAuthCache(io.confluent.security.roledefinitions.RbacRoles rbacRoles, io.confluent.security.authorizer.Scope rootScope, AccessRuleStore rbacAccessRuleStore, AccessRuleStore aclAccessRuleStore)

  • Method Details

    • findRule

      public abstract io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
      Specified by:
      findRule in interface io.confluent.security.auth.metadata.AuthCache

    • groups

      public Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groups(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal)
      Returns the groups of the provided user principal.
      Specified by:
      groups in interface io.confluent.security.auth.metadata.AuthCache
      Parameters:
      sessionPrincipal - User principal of the session which may contains groups
      Returns:
      Set of group principals of the user, which may be empty

    • rbacRoleBindings

      public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.authorizer.Scope scope)
      Specified by:
      rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

    • rbacRoleBindings

      public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(Set<io.confluent.security.authorizer.Scope> scopes)
      Specified by:
      rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

    • rbacRoleBindings

      public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(io.confluent.security.rbac.RoleBindingFilter filter)
      Specified by:
      rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

    • rbacRoleBindings

      public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal)
      Specified by:
      rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

    • rbacRoleBindings

      public Set<io.confluent.security.rbac.RoleBinding> rbacRoleBindings(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Set<io.confluent.security.authorizer.Scope> scopes)
      Specified by:
      rbacRoleBindings in interface io.confluent.security.auth.metadata.AuthCache

    • jsonWebKeySets

      public Map<String, org.jose4j.jwk.JsonWebKeySet> jsonWebKeySets()
      Specified by:
      jsonWebKeySets in interface io.confluent.security.trustservice.store.TrustCache

    • jsonWebKeySet

      public org.jose4j.jwk.JsonWebKeySet jsonWebKeySet(String jwtKey)
      Specified by:
      jsonWebKeySet in interface io.confluent.security.trustservice.store.TrustCache

    • identityPool

      public io.confluent.security.trustservice.store.data.IdentityPool identityPool(String poolId)
      Specified by:
      identityPool in interface io.confluent.security.trustservice.store.TrustCache

    • identityPools

      public Map<String, io.confluent.security.trustservice.store.data.IdentityPool> identityPools()
      Specified by:
      identityPools in interface io.confluent.security.trustservice.store.TrustCache

    • refreshTokenInfo

      public io.confluent.security.authentication.oidc.RefreshTokenInfo refreshTokenInfo(String refreshTokenKey)
      Specified by:
      refreshTokenInfo in interface io.confluent.security.trustservice.store.TrustCache

    • userMetadata

      public io.confluent.security.rbac.UserMetadata userMetadata(org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal)
      Specified by:
      userMetadata in interface io.confluent.security.auth.metadata.AuthCache

    • users

      public Map<org.apache.kafka.common.security.auth.KafkaPrincipal, io.confluent.security.rbac.UserMetadata> users()
      Specified by:
      users in interface io.confluent.security.auth.metadata.AuthCache

    • knownScopes

      public Set<io.confluent.security.authorizer.Scope> knownScopes()
      Specified by:
      knownScopes in interface io.confluent.security.auth.metadata.AuthCache

    • rootScope

      public io.confluent.security.authorizer.Scope rootScope()
      Specified by:
      rootScope in interface io.confluent.security.auth.metadata.AuthCache

    • rbacRoles

      public io.confluent.security.roledefinitions.RbacRoles rbacRoles()
      Specified by:
      rbacRoles in interface io.confluent.security.auth.metadata.AuthCache

    • aclRules

      public Map<io.confluent.security.authorizer.ResourcePattern, Set<io.confluent.security.authorizer.AccessRule>> aclRules(io.confluent.security.authorizer.Scope scope)
      Specified by:
      aclRules in interface io.confluent.security.auth.metadata.AuthCache

    • aclBindings

      public Collection<org.apache.kafka.common.acl.AclBinding> aclBindings(io.confluent.security.authorizer.Scope scope, org.apache.kafka.common.acl.AclBindingFilter aclBindingFilter, Predicate<io.confluent.security.authorizer.ResourcePattern> resourceAccess)
      Specified by:
      aclBindings in interface io.confluent.security.auth.metadata.AuthCache

    • addMatchingRules

      public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal userPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType)
      Specified by:
      addMatchingRules in interface io.confluent.security.auth.metadata.AuthCache

    • healthcheck

      public io.confluent.security.auth.metadata.AuthCache.Result healthcheck()
      Specified by:
      healthcheck in interface io.confluent.security.auth.metadata.AuthCache

    • get

      public io.confluent.security.auth.store.data.AuthValue get(io.confluent.security.auth.store.data.AuthKey key)
      Specified by:
      get in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • updateAuthCacheExternally

      public void updateAuthCacheExternally(byte[] key, byte[] value) throws IOException
      Specified by:
      updateAuthCacheExternally in interface io.confluent.security.auth.metadata.AuthCache
      Throws:
      IOException

    • put

      public io.confluent.security.auth.store.data.AuthValue put(io.confluent.security.auth.store.data.AuthKey key, io.confluent.security.auth.store.data.AuthValue value)
      Specified by:
      put in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • remove

      public io.confluent.security.auth.store.data.AuthValue remove(io.confluent.security.auth.store.data.AuthKey key)
      Specified by:
      remove in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • map

      public Map<? extends io.confluent.security.auth.store.data.AuthKey, ? extends io.confluent.security.auth.store.data.AuthValue> map(String type)
      Specified by:
      map in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • fail

      public void fail(int partition, String errorMessage)
      Specified by:
      fail in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • status

      public io.confluent.security.store.MetadataStoreStatus status(int partition)
      Specified by:
      status in interface io.confluent.security.store.KeyValueStore<io.confluent.security.auth.store.data.AuthKey, io.confluent.security.auth.store.data.AuthValue>

    • findIdentityPools

      public Collection<io.confluent.security.trustservice.store.data.IdentityPool> findIdentityPools(String providerId)
      Specified by:
      findIdentityPools in interface io.confluent.security.trustservice.store.TrustCache

    • findIdentityProviderIds

      public Collection<String> findIdentityProviderIds(String organizationId)
      Specified by:
      findIdentityProviderIds in interface io.confluent.security.trustservice.store.TrustCache

    • identityProvider

      public io.confluent.security.trustservice.store.data.IdentityProvider identityProvider(String providerId)
      Specified by:
      identityProvider in interface io.confluent.security.trustservice.store.TrustCache

    • findCertIdentityProviders

      public Collection<io.confluent.security.auth.store.data.CaCertificatesKey> findCertIdentityProviders(Certificate[] certificates, String organizationId)
      Specified by:
      findCertIdentityProviders in interface io.confluent.security.auth.metadata.AuthCache

    • findCertIdentityPools

      public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(X509Certificate cert, String orgId, String providerId)
      Specified by:
      findCertIdentityPools in interface io.confluent.security.auth.metadata.AuthCache

    • findCertIdentityPools

      public Collection<io.confluent.security.auth.mtls.CertIdentityPool> findCertIdentityPools(Map<String,String> parsedCertMetadata, String orgId, String providerId)
      Specified by:
      findCertIdentityPools in interface io.confluent.security.auth.metadata.AuthCache

    • isRevoked

      public boolean isRevoked(X509Certificate certificate, String organizationId, String providerId)
      Specified by:
      isRevoked in interface io.confluent.security.auth.metadata.AuthCache

    • isRevoked

      public boolean isRevoked(Certificate[] certificates, String organizationId, String providerId)
      Specified by:
      isRevoked in interface io.confluent.security.auth.metadata.AuthCache

    • isCompleteCertChain

      public boolean isCompleteCertChain(Certificate[] certChain, String organizationId)
      Specified by:
      isCompleteCertChain in interface io.confluent.security.auth.metadata.AuthCache

    • getCertChain

      public Certificate[] getCertChain(Certificate[] partialChain, String organizationId)
      Specified by:
      getCertChain in interface io.confluent.security.auth.metadata.AuthCache

    • totalRoleBindings

      public int totalRoleBindings()

    • totalRbacAccessRules

      public long totalRbacAccessRules()

    • totalAclAccessRules

      public long totalAclAccessRules()

    • totalJwtIssuers

      public int totalJwtIssuers()

    • totalIdentityPools

      public long totalIdentityPools()

    • totalRefreshTokenInfos

      public long totalRefreshTokenInfos()

    • caCertificatesCount

      public int caCertificatesCount()

    • certIdentityPoolsCount

      public int certIdentityPoolsCount()

    • setMTlsTruststoreManager

      public void setMTlsTruststoreManager(org.apache.kafka.common.security.mtls.MTlsTruststoreManager mTlsTruststoreManager)

    • setCrlVerificationDisabled

      public void setCrlVerificationDisabled(boolean crlVerificationDisabled)

    • setMTlsConnectionManager

      public void setMTlsConnectionManager(org.apache.kafka.common.security.mtls.MTlsConnectionManager mTlsConnectionManager)

    • getOrgToCaCertMapping

      public Map<String, Map<String, Set<Certificate>>> getOrgToCaCertMapping()
      Specified by:
      getOrgToCaCertMapping in interface io.confluent.security.auth.metadata.AuthCache