io.confluent.security.authorizer.provider

Interface AccessRuleProvider

All Superinterfaces:

AutoCloseable, Closeable, org.apache.kafka.common.Configurable, Provider

public interface AccessRuleProvider
extends Provider

Interface used by providers of access rules used for authorization. Access rules may be derived from ACLs, RBAC policies etc.

Method Summary

Modifier and Type	Method and Description
void	addMatchingRules(ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Operation operation, Scope resourceScope, ResourceType resourceType) Adds all rules for the provided principals that match the specified parameters.
AuthorizeRule	findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, Action action) Returns the first matching access rule for the user and group principals that match the provided resource.
boolean	isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, Scope scope) Returns true if the provided principal is a super user.
boolean	mayDeny() Returns true if this provider supports DENY rules.

Methods inherited from interface io.confluent.security.authorizer.provider.Provider

providerName, start, usesMetadataFromThisKafkaCluster

Methods inherited from interface org.apache.kafka.common.Configurable

configure

Methods inherited from interface java.io.Closeable

close

Method Detail

isSuperUser

boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
                    Scope scope)

Returns true if the provided principal is a super user. All operations are authorized for super-users without checking any access rules.

Parameters:

principal - User principal from the Session or the group principal of a group that the user belongs to.

scope - Scope of resource being access

Returns:

true if super-user or super-group

findRule

AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                       Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                       String host,
                       Action action)

Returns the first matching access rule for the user and group principals that match the provided resource. If a DENY rule is found for the user or group, the DENY rule is returned. Otherwise one of the matching ALLOW rules is returned.

Parameters:

sessionPrincipal - User principal from the Session

groupPrincipals - List of group principals of the user, which may be empty

host - Client IP address

action - Action being authorized

Returns:

Matching rule that includes any deny or allow rule and a boolean that indicates if there are no rules match the resource.

addMatchingRules

void addMatchingRules(ResourceAuthorizeRules matchingRules,
                      org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                      Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                      String host,
                      Operation operation,
                      Scope resourceScope,
                      ResourceType resourceType)

Adds all rules for the provided principals that match the specified parameters. One rule per resource name of each type is added to matchingRules. This is used for authorization by resource type where an operation is authorized if it is allowed for at least one resource name.

Parameters:

matchingRules - Map of rules to return result

sessionPrincipal - User principal from the Session

groupPrincipals - List of group principals of the user, which may be empty

host - Client IP address

operation - Operation being authorized

resourceScope - Scope of resource being authorized. Only resources from this scope are returned. Nested scopes are not supported.

resourceType - Type of resource

mayDeny

boolean mayDeny()

Returns true if this provider supports DENY rules. If false, this provider's rules are not retrieved if an ALLOW rule was found on another provider.

Returns:

Boolean indicating if the provider supports DENY rules.