Interface AccessRuleProvider

All Superinterfaces:
AutoCloseable, Closeable, org.apache.kafka.common.Configurable, Provider

public interface AccessRuleProvider extends Provider
Interface used by providers of access rules used for authorization. Access rules may be derived from ACLs, RBAC policies, etc.
  • Method Summary

    Modifier and Type
    Method
    Description
    void
    addMatchingRules(ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType)
    Adds all rules for the provided principals that match the specified parameters.
    default Optional<org.apache.kafka.server.authorizer.Authorizer>
    asAuthorizer()
    AuthorizeRule
    findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Action action)
    Returns the first matching access rule for the user and group principals that match the provided resource.
    boolean
    isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)
    Returns true if the provided principal is a super user.
    boolean
    mayDeny()
    Returns true if this provider supports DENY rules.

    Methods inherited from interface java.io.Closeable

    close

    Methods inherited from interface org.apache.kafka.common.Configurable

    configure

    Methods inherited from interface io.confluent.security.authorizer.provider.Provider

    providerName, start, usesMetadataFromThisKafkaCluster
  • Method Details

    • isSuperUser

      boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)
      Returns true if the provided principal is a super user. All operations are authorized for super-users without checking any access rules.
      Parameters:
      principal - User principal from the Session or the group principal of a group that the user belongs to.
      scope - Scope of the resource being accessed
      Returns:
      true if super-user or super-group
    • findRule

      AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Action action)
      Returns the first matching access rule for the user and group principals that match the provided resource. If a DENY rule is found for the user or group, the DENY rule is returned. Otherwise one of the matching ALLOW rules is returned.
      Parameters:
      sessionPrincipal - User principal from the Session
      groupPrincipals - Set of group principals of the user, which may be empty
      host - Client IP address
      action - Action being authorized
      Returns:
      Matching rule, which carries the DENY or ALLOW rule that matched (if any) and a boolean indicating whether no rules matched the resource.
    • addMatchingRules

      void addMatchingRules(ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType)
      Adds all rules for the provided principals that match the specified parameters. One rule per resource name of each type is added to matchingRules. This is used for authorization by resource type where an operation is authorized if it is allowed for at least one resource name.
      Parameters:
      matchingRules - Map to which the matching rules are added; this is how results are returned to the caller
      sessionPrincipal - User principal from the Session
      groupPrincipals - Set of group principals of the user, which may be empty
      host - Client IP address
      operation - Operation being authorized
      resourceScope - Scope of resource being authorized. Only resources from this scope are returned. Nested scopes are not supported.
      resourceType - Type of resource
    • mayDeny

      boolean mayDeny()
      Returns true if this provider supports DENY rules. If false, this provider's rules are not retrieved when an ALLOW rule has already been found on another provider. A provider that returns false must therefore never hold DENY rules: they could be skipped and would not be enforced.
      Returns:
      Boolean indicating if the provider supports DENY rules.
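      The evaluation order the methods above describe (super-user bypass, DENY precedence inside findRule, the mayDeny short-circuit across providers, and authorization by resource type via addMatchingRules), as an added Python model. This is not Confluent's implementation: the Rule and Provider classes, the providers named acl and rbac, and every principal, host and topic below are constructed for the example, and treating "no matching rule anywhere" as a deny is an assumption of the model, not something this page states.

```python
# Model of the documented AccessRuleProvider evaluation semantics.
# Illustrative only: Rule/Provider and all sample data are constructed here.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Rule:
    principal: str        # "User:alice" or "Group:ops"
    host: str             # client IP, or "*" for any host
    operation: str        # e.g. "Write"
    resource_type: str    # e.g. "Topic"
    resource_name: str    # literal name, or "*" for any name
    permission: str       # "ALLOW" or "DENY"

    def matches(self, principals: Set[str], host: str, operation: str,
                resource_type: str, resource_name: Optional[str] = None) -> bool:
        """resource_name=None means 'any name of this type' (by-type lookups)."""
        return (self.principal in principals
                and self.host in ("*", host)
                and self.operation == operation
                and self.resource_type == resource_type
                and (resource_name is None or self.resource_name in ("*", resource_name)))


class Provider:
    """Hypothetical in-memory provider exposing the documented methods."""

    def __init__(self, name: str, rules: Iterable[Rule],
                 super_users: Iterable[str] = (), may_deny: bool = True):
        self.name = name
        self.rules: List[Rule] = list(rules)
        self.super_users: Set[str] = set(super_users)
        self._may_deny = may_deny

    def is_super_user(self, principal: str) -> bool:
        return principal in self.super_users

    def may_deny(self) -> bool:
        return self._may_deny

    def find_rule(self, principals: Set[str], host: str, operation: str,
                  resource_type: str, resource_name: str) -> Optional[Rule]:
        """First matching rule; a DENY for the user or any group wins over ALLOW."""
        matching = [r for r in self.rules
                    if r.matches(principals, host, operation, resource_type, resource_name)]
        denies = [r for r in matching if r.permission == "DENY"]
        if denies:
            return denies[0]
        return matching[0] if matching else None

    def add_matching_rules(self, matching: Dict[str, Rule], principals: Set[str],
                           host: str, operation: str, resource_type: str) -> None:
        """One rule per resource name; a DENY replaces an ALLOW for the same name."""
        for r in self.rules:
            if not r.matches(principals, host, operation, resource_type):
                continue
            current = matching.get(r.resource_name)
            if current is None or (current.permission == "ALLOW" and r.permission == "DENY"):
                matching[r.resource_name] = r


def _is_super_user(providers: List[Provider], principals: Set[str]) -> bool:
    return any(p.is_super_user(pr) for p in providers for pr in principals)


def authorize(providers: List[Provider], session_principal: str, group_principals: Set[str],
              host: str, operation: str, resource_type: str, resource_name: str) -> bool:
    """Decision for one named resource. No matching rule anywhere -> deny (model assumption)."""
    principals = {session_principal, *group_principals}
    if _is_super_user(providers, principals):
        return True                        # super-users skip every rule lookup
    allowed = False
    for p in providers:
        if allowed and not p.may_deny():
            continue                       # documented short-circuit: p cannot revoke the ALLOW
        rule = p.find_rule(principals, host, operation, resource_type, resource_name)
        if rule is None:
            continue
        if rule.permission == "DENY":
            return False                   # any DENY ends the evaluation
        allowed = True
    return allowed


def authorize_by_type(providers: List[Provider], session_principal: str,
                      group_principals: Set[str], host: str, operation: str,
                      resource_type: str) -> bool:
    """Authorized if the operation is allowed on at least one resource name of the type."""
    principals = {session_principal, *group_principals}
    if _is_super_user(providers, principals):
        return True
    matching: Dict[str, Rule] = {}
    for p in providers:
        if any(r.permission == "ALLOW" for r in matching.values()) and not p.may_deny():
            continue                       # same short-circuit as for single resources
        p.add_matching_rules(matching, principals, host, operation, resource_type)
    return any(r.permission == "ALLOW" for r in matching.values())


# Constructed sample providers. The DENY inside "rbac" is deliberate: because that
# provider reports may_deny() == False, the DENY is never consulted once "acl" allowed.
ACL = Provider("acl", [
    Rule("User:alice", "*", "Write", "Topic", "orders", "ALLOW"),
    Rule("Group:contractors", "*", "Write", "Topic", "payments", "DENY"),
    Rule("User:bob", "10.0.0.5", "Read", "Topic", "*", "ALLOW"),
], super_users=["User:admin"])

RBAC = Provider("rbac", [
    Rule("User:carol", "*", "Write", "Topic", "payments", "ALLOW"),
    Rule("User:alice", "*", "Write", "Topic", "orders", "DENY"),
], may_deny=False)

PROVIDERS = [ACL, RBAC]
```

      Running authorize(PROVIDERS, "User:alice", set(), "10.0.0.1", "Write", "Topic", "orders") allows, while the same call with the provider list reversed denies: the DENY in the may_deny=False provider is only enforced when that provider happens to be consulted before an ALLOW is found, which is why such a provider should not carry DENY rules at all.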
    • asAuthorizer

      default Optional<org.apache.kafka.server.authorizer.Authorizer> asAuthorizer()