Class MultiTenantAuthorizer

java.lang.Object
io.confluent.security.authorizer.EmbeddedAuthorizer
io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer
io.confluent.kafka.multitenant.authorizer.MultiTenantAuthorizer
All Implemented Interfaces:
io.confluent.security.authorizer.Authorizer, Closeable, AutoCloseable, org.apache.kafka.common.Configurable, org.apache.kafka.common.Reconfigurable, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer, org.apache.kafka.server.authorizer.Authorizer, org.apache.kafka.server.authorizer.ProviderGetter
public class MultiTenantAuthorizer extends ConfluentServerAuthorizer

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static class 
    MultiTenantAuthorizer.TenantAuthorizerMetrics
     

    Nested classes/interfaces inherited from class io.confluent.security.authorizer.EmbeddedAuthorizer

    io.confluent.security.authorizer.EmbeddedAuthorizer.AuthorizerMetrics

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    static final String
    INTEGER_ID
     
    static final String
    MAX_ACLS_PER_TENANT_PROP
     
    static final String
    RESOURCE_ID
     

  • Constructor Summary

    Constructors
    Constructor
    Description
    MultiTenantAuthorizer()
     

  • Method Summary

    Modifier and Type
    Method
    Description
    Iterable<org.apache.kafka.common.acl.AclBinding>
    acls(org.apache.kafka.common.acl.AclBindingFilter filter)
     
    Iterable<org.apache.kafka.common.acl.AclBinding>
    acls(org.apache.kafka.common.acl.AclBindingFilter filter, org.apache.kafka.common.acl.AclState aclState)
     
    void
    applyAclChanges(Map<org.apache.kafka.common.Uuid, Optional<org.apache.kafka.metadata.authorizer.ConfluentStandardAcl>> aclChanges)
     
    List<org.apache.kafka.server.authorizer.AuthorizationResult>
    authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions)
     
    io.confluent.security.authorizer.Action
    buildAction(org.apache.kafka.server.authorizer.Action kafkaAction, org.apache.kafka.common.resource.ResourcePattern resourcePattern, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, io.confluent.security.authorizer.Scope scope)
     
    Optional<org.apache.kafka.server.authorizer.AuthorizerConfig>
    config()
     
    void
    configure(Map<String,?> configs)
     
    void
    configureAccessRuleProviders(Map<String,Object> configs)
     
    void
    configureServerInfo(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo)
     
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>
    createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
     
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>
    createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings, Optional<String> clusterId)
     
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>
    deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)
     
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>
    deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Optional<String> clusterId, org.apache.kafka.common.acl.AclState aclState)
     
    boolean
    isAuditLogEnabled()
     
    static boolean
    isSuperUser(io.confluent.kafka.multitenant.MultiTenantPrincipal tenantPrincipal, io.confluent.security.authorizer.Action action, boolean authorizationDisabled, boolean enableDataplaneRbacForPKC, boolean oauthSuperUserDisable)
     
    void
    loadAclSnapshot(Map<org.apache.kafka.common.Uuid, org.apache.kafka.metadata.authorizer.ConfluentStandardAcl> acls)
     
    Set<String>
    reconfigurableConfigs()
     
    void
    reconfigure(Map<String,?> configs)
     

    Methods inherited from class io.confluent.kafka.security.authorizer.ConfluentServerAuthorizer

    aclCount, aclMutatorOrException, authorizeByResourceType, completeInitialLoad, completeInitialLoad, setAclMutator, start, validateReconfiguration

    Methods inherited from class io.confluent.security.authorizer.EmbeddedAuthorizer

    accessRuleProvider, accessRuleProviders, auditLogProvider, authorize, clearAuthorizerProvidersMap, close, getRbacGroupProvider, groupProvider, metadataProvider, removeFromAuthorizerProvidersMap, start

    Methods inherited from class java.lang.Object

    equals, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

    Methods inherited from interface io.confluent.security.authorizer.Authorizer

    authorize, authorize, authorize

    Methods inherited from interface org.apache.kafka.server.authorizer.Authorizer

    registerAclUpdateListener

    Methods inherited from interface java.io.Closeable

    close

    Methods inherited from interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer

    createAcls, createInactiveAcls, hardDeleteAcls, validateCreateAclState, validateDeleteAclState

  • Field Details

  • Constructor Details

    • MultiTenantAuthorizer

      public MultiTenantAuthorizer()

  • Method Details

    • configureAccessRuleProviders

      public void configureAccessRuleProviders(Map<String,Object> configs)

    • configureServerInfo

      public void configureServerInfo(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo)
      Overrides:
      configureServerInfo in class ConfluentServerAuthorizer

    • configure

      public void configure(Map<String,?> configs)
      Specified by:
      configure in interface org.apache.kafka.common.Configurable
      Overrides:
      configure in class ConfluentServerAuthorizer

    • reconfigurableConfigs

      public Set<String> reconfigurableConfigs()
      Specified by:
      reconfigurableConfigs in interface org.apache.kafka.common.Reconfigurable
      Overrides:
      reconfigurableConfigs in class ConfluentServerAuthorizer

    • reconfigure

      public void reconfigure(Map<String,?> configs)
      Specified by:
      reconfigure in interface org.apache.kafka.common.Reconfigurable
      Overrides:
      reconfigure in class ConfluentServerAuthorizer

    • authorize

      public List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions)
      Specified by:
      authorize in interface org.apache.kafka.server.authorizer.Authorizer
      Overrides:
      authorize in class ConfluentServerAuthorizer

    • isSuperUser

      public static boolean isSuperUser(io.confluent.kafka.multitenant.MultiTenantPrincipal tenantPrincipal, io.confluent.security.authorizer.Action action, boolean authorizationDisabled, boolean enableDataplaneRbacForPKC, boolean oauthSuperUserDisable)

    • buildAction

      public io.confluent.security.authorizer.Action buildAction(org.apache.kafka.server.authorizer.Action kafkaAction, org.apache.kafka.common.resource.ResourcePattern resourcePattern, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, io.confluent.security.authorizer.Scope scope)
      Overrides:
      buildAction in class ConfluentServerAuthorizer

    • createAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
      Specified by:
      createAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Specified by:
      createAcls in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
      Overrides:
      createAcls in class ConfluentServerAuthorizer

    • createAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings, Optional<String> clusterId)
      Specified by:
      createAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Overrides:
      createAcls in class ConfluentServerAuthorizer

    • deleteAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters, Optional<String> clusterId, org.apache.kafka.common.acl.AclState aclState)
      Specified by:
      deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Specified by:
      deleteAcls in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
      Overrides:
      deleteAcls in class ConfluentServerAuthorizer

    • deleteAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)
      Specified by:
      deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Specified by:
      deleteAcls in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
      Overrides:
      deleteAcls in class ConfluentServerAuthorizer

    • acls

      public Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter)
      Specified by:
      acls in interface org.apache.kafka.server.authorizer.Authorizer
      Overrides:
      acls in class ConfluentServerAuthorizer

    • acls

      public Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter, org.apache.kafka.common.acl.AclState aclState)
      Specified by:
      acls in interface org.apache.kafka.server.authorizer.Authorizer
      Overrides:
      acls in class ConfluentServerAuthorizer

    • config

      public Optional<org.apache.kafka.server.authorizer.AuthorizerConfig> config()

    • loadAclSnapshot

      public void loadAclSnapshot(Map<org.apache.kafka.common.Uuid, org.apache.kafka.metadata.authorizer.ConfluentStandardAcl> acls)
      Specified by:
      loadAclSnapshot in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
      Overrides:
      loadAclSnapshot in class ConfluentServerAuthorizer

    • applyAclChanges

      public void applyAclChanges(Map<org.apache.kafka.common.Uuid, Optional<org.apache.kafka.metadata.authorizer.ConfluentStandardAcl>> aclChanges)
      Specified by:
      applyAclChanges in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
      Overrides:
      applyAclChanges in class ConfluentServerAuthorizer

    • isAuditLogEnabled

      public boolean isAuditLogEnabled()