Class TenantAclProvider

java.lang.Object
io.confluent.kafka.multitenant.authorizer.TenantAclProvider
All Implemented Interfaces:
io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.Provider, Closeable, AutoCloseable, org.apache.kafka.common.Configurable, org.apache.kafka.common.Reconfigurable

public class TenantAclProvider extends Object implements io.confluent.security.authorizer.provider.AccessRuleProvider, org.apache.kafka.common.Reconfigurable
Multi-tenant authorizer that supports:
  • ACLs with TenantUser:clusterId_userId as principal
  • ACLs with TenantUser*:clusterId_ as wildcard prefixed principal
  • ACLs with User:* as wildcard principal (e.g. for brokers or users on other listeners)
  • Resource patterns with literal resource names clusterId_resourceName
  • Resource patterns with prefixed resource names clusterId_resourcePrefix
  • Resource patterns with tenant wildcard resource names using prefixed name clusterId_
  • Resource patterns with literal wildcard resource name "*" (e.g. for broker ACLs)
  • Super users configured using the configuration option `super.users` (e.g. for broker principals)
  • Tenant super users with access to all tenant resources, using tenant principals with io.confluent.kafka.multitenant.TenantMetadata#isSuperUser enabled.
Use of tenant prefix:
  • Clients configure ACLs for User:userId
  • Multi-tenant interceptor transforms User:userId to TenantUser:clusterId_userId
  • ACLs are stored internally in ZooKeeper for TenantUser:clusterId_userId
  • When tenants describe ACLs, prefix is removed from response by the interceptor
  • Multi-tenant principal builder generates tenant principal TenantUser:clusterId_userId
  • Authorizer matches TenantUser principals in ACLs obtained from ZooKeeper against TenantUser session principal generated by the principal builder.
  • Non-tenant principals (e.g. broker principals) are of the form User:userId both in ACLs and as session principals
Assumptions:
  • All tenant ACLs have principals and resource names with tenant prefix
  • All non-tenant (e.g. broker) ACLs have principals and resource names that do not contain prefix of any tenant in the cluster
  • Tenant principals have type TenantUser, others have type User
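The following is an added example, not code from TenantAclProvider or the Confluent code base. It models the "Use of tenant prefix" flow and the principal and resource matching rules listed above in a self-contained Java class: `tenantPrincipal`/`tenantResource` stand in for the prefixing done by the interceptor and principal builder, and `authorize` applies the exact, `TenantUser*:clusterId_` and `User:*` principal rules and the literal, prefixed and literal-`*` resource rules. All class and method names are hypothetical, the cluster ids, users and topics are constructed sample data, and the deny-over-allow precedence is Kafka's standard ACL semantics rather than anything this page states about the provider.

```java
import java.util.ArrayList;
import java.util.List;

// Added example (hypothetical names): a model of prefix-based ACL matching as
// described for TenantAclProvider. Not the provider's own implementation.
public class TenantAclModel {

    // Principal type and name, e.g. User:alice or TenantUser:lkc-1_alice.
    static final class Principal {
        final String type;
        final String name;
        Principal(String type, String name) { this.type = type; this.name = name; }
    }

    // One stored ACL: principal, resource pattern (literal or prefixed), operation, allow/deny.
    static final class Acl {
        final Principal principal;
        final String resourcePattern;
        final boolean prefixed;
        final String operation;
        final boolean allow;
        Acl(Principal principal, String resourcePattern, boolean prefixed, String operation, boolean allow) {
            this.principal = principal;
            this.resourcePattern = resourcePattern;
            this.prefixed = prefixed;
            this.operation = operation;
            this.allow = allow;
        }
    }

    // What the interceptor and principal builder do: add the clusterId_ prefix.
    static Principal tenantPrincipal(String clusterId, String userId) {
        return new Principal("TenantUser", clusterId + "_" + userId);
    }

    static String tenantResource(String clusterId, String resourceName) {
        return clusterId + "_" + resourceName;
    }

    // Principal matching: User:* matches anything; TenantUser*:clusterId_ matches any
    // TenantUser whose name carries that tenant prefix; otherwise exact type and name.
    static boolean principalMatches(Principal aclPrincipal, Principal session) {
        if (aclPrincipal.type.equals("User") && aclPrincipal.name.equals("*")) {
            return true;
        }
        if (aclPrincipal.type.equals("TenantUser*")) {
            return session.type.equals("TenantUser") && session.name.startsWith(aclPrincipal.name);
        }
        return aclPrincipal.type.equals(session.type) && aclPrincipal.name.equals(session.name);
    }

    // Resource matching: literal "*" matches any resource; a prefixed pattern matches by
    // string prefix (so the tenant wildcard "clusterId_" covers every resource of that
    // tenant and nothing else); a literal pattern must match exactly.
    static boolean resourceMatches(Acl acl, String resourceName) {
        if (!acl.prefixed && acl.resourcePattern.equals("*")) {
            return true;
        }
        if (acl.prefixed) {
            return resourceName.startsWith(acl.resourcePattern);
        }
        return acl.resourcePattern.equals(resourceName);
    }

    // Kafka ACL semantics (modeling assumption): any matching DENY wins; otherwise a
    // matching ALLOW is required, and no match means deny.
    static boolean authorize(List<Acl> acls, Principal session, String resourceName, String operation) {
        boolean allowed = false;
        for (Acl acl : acls) {
            if (!acl.operation.equals(operation)) continue;
            if (!principalMatches(acl.principal, session)) continue;
            if (!resourceMatches(acl, resourceName)) continue;
            if (!acl.allow) return false;
            allowed = true;
        }
        return allowed;
    }

    static void expect(boolean actual, boolean expected, String scenario) {
        if (actual != expected) throw new AssertionError("unexpected result: " + scenario);
        System.out.println("ok: " + scenario);
    }

    public static void main(String[] args) {
        List<Acl> acls = new ArrayList<>();
        // Tenant lkc-1 configured "User:alice may Read topic orders"; stored with prefixes.
        acls.add(new Acl(tenantPrincipal("lkc-1", "alice"), tenantResource("lkc-1", "orders"), false, "Read", true));
        // Tenant lkc-1: every tenant user may Describe every tenant resource.
        acls.add(new Acl(new Principal("TenantUser*", "lkc-1_"), "lkc-1_", true, "Describe", true));
        // Broker ACL: any principal, literal wildcard resource "*".
        acls.add(new Acl(new Principal("User", "*"), "*", false, "ClusterAction", true));
        // Tenant lkc-1: explicit deny for User:bob on topic orders.
        acls.add(new Acl(tenantPrincipal("lkc-1", "bob"), tenantResource("lkc-1", "orders"), false, "Read", false));

        Principal alice1 = tenantPrincipal("lkc-1", "alice");
        Principal alice2 = tenantPrincipal("lkc-2", "alice"); // same userId, other tenant
        Principal bob1 = tenantPrincipal("lkc-1", "bob");
        Principal broker = new Principal("User", "broker-0");

        expect(authorize(acls, alice1, tenantResource("lkc-1", "orders"), "Read"), true, "alice reads her tenant's topic");
        expect(authorize(acls, alice2, tenantResource("lkc-2", "orders"), "Read"), false, "same userId in lkc-2 has no ACL");
        expect(authorize(acls, alice2, tenantResource("lkc-1", "orders"), "Describe"), false, "lkc-2 principal does not match TenantUser*:lkc-1_");
        expect(authorize(acls, bob1, tenantResource("lkc-1", "payments"), "Describe"), true, "tenant wildcard covers all lkc-1 resources");
        expect(authorize(acls, bob1, tenantResource("lkc-1", "orders"), "Read"), false, "explicit deny wins");
        expect(authorize(acls, broker, "kafka-cluster", "ClusterAction"), true, "User:* on literal * matches the broker");
        expect(authorize(acls, alice1, tenantResource("lkc-1", "orders"), "Write"), false, "no Write ACL exists");
    }
}
```

The model makes the isolation property visible: an ACL for tenant lkc-1 can never match a session principal from lkc-2 because both the principal name and the resource name carry the tenant prefix, and the `TenantUser*:lkc-1_` wildcard is bounded by that prefix. It also shows why the second assumption above matters: prefixed matching is plain string-prefix matching, so a non-tenant (broker) resource whose name happened to begin with a tenant's `clusterId_` would be covered by that tenant's wildcard ACLs, which is exactly what the assumption rules out.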
  • Constructor Details

    • TenantAclProvider

      public TenantAclProvider()
  • Method Details

    • configure

      public void configure(Map<String,?> configs)
      Specified by:
      configure in interface org.apache.kafka.common.Configurable
    • reconfigurableConfigs

      public Set<String> reconfigurableConfigs()
      Specified by:
      reconfigurableConfigs in interface org.apache.kafka.common.Reconfigurable
    • validateReconfiguration

      public void validateReconfiguration(Map<String,?> configs) throws org.apache.kafka.common.config.ConfigException
      Specified by:
      validateReconfiguration in interface org.apache.kafka.common.Reconfigurable
      Throws:
      org.apache.kafka.common.config.ConfigException
    • reconfigure

      public void reconfigure(Map<String,?> configs)
      Specified by:
      reconfigure in interface org.apache.kafka.common.Reconfigurable
    • start

      public CompletionStage<Void> start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo)
      Specified by:
      start in interface io.confluent.security.authorizer.provider.Provider
    • providerName

      public String providerName()
      Specified by:
      providerName in interface io.confluent.security.authorizer.provider.Provider
    • isSuperUser

      public boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)
      Specified by:
      isSuperUser in interface io.confluent.security.authorizer.provider.AccessRuleProvider
    • findRule

      public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)
      Specified by:
      findRule in interface io.confluent.security.authorizer.provider.AccessRuleProvider
    • addMatchingRules

      public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.roledefinitions.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.roledefinitions.ResourceType resourceType)
      Specified by:
      addMatchingRules in interface io.confluent.security.authorizer.provider.AccessRuleProvider
    • mayDeny

      public boolean mayDeny()
      Specified by:
      mayDeny in interface io.confluent.security.authorizer.provider.AccessRuleProvider
    • usesMetadataFromThisKafkaCluster

      public boolean usesMetadataFromThisKafkaCluster()
      Specified by:
      usesMetadataFromThisKafkaCluster in interface io.confluent.security.authorizer.provider.Provider
    • asAuthorizer

      public Optional<org.apache.kafka.server.authorizer.Authorizer> asAuthorizer()
      Specified by:
      asAuthorizer in interface io.confluent.security.authorizer.provider.AccessRuleProvider
    • close

      public void close() throws IOException
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Throws:
      IOException