public interface AccessRuleProvider extends Provider
Modifier and Type | Method and Description |
---|---|
void | addMatchingRules(ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Operation operation, io.confluent.security.authorizer.Scope resourceScope, ResourceType resourceType): Adds all rules for the provided principals that match the specified parameters. |
default Optional<org.apache.kafka.server.authorizer.Authorizer> | asAuthorizer() |
AuthorizeRule | findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Action action): Returns the first matching access rule for the user and group principals that match the provided resource. |
boolean | isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope): Returns true if the provided principal is a super user. |
boolean | mayDeny(): Returns true if this provider supports DENY rules. |

Methods inherited from Provider: providerName, start, usesMetadataFromThisKafkaCluster

boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)
principal - User principal from the Session or the group principal of a group that the user belongs to.
scope - Scope of resource being accessed

AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Action action)
sessionPrincipal - User principal from the Session
groupPrincipals - List of group principals of the user, which may be empty
host - Client IP address
action - Action being authorized

void addMatchingRules(ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Operation operation, io.confluent.security.authorizer.Scope resourceScope, ResourceType resourceType)
matchingRules - Map of rules to return result
sessionPrincipal - User principal from the Session
groupPrincipals - List of group principals of the user, which may be empty
host - Client IP address
operation - Operation being authorized
resourceScope - Scope of resource being authorized. Only resources from this scope are returned. Nested scopes are not supported.
resourceType - Type of resource

boolean mayDeny()

default Optional<org.apache.kafka.server.authorizer.Authorizer> asAuthorizer()