...
The version of the relevant requests will be bumped up. Authorized operations will be returned as INT8 consistent with AclOperation used in ACL requests and responses.
Metadata Request and Response: v8
```
Metadata Request => [topics] allow_auto_topic_creation include_cluster_authorized_operations include_topic_authorized_operations <== ADDED include_cluster_authorized_operations, include_topic_authorized_operations
  topics => STRING
  allow_auto_topic_creation => BOOLEAN
  include_cluster_authorized_operations => BOOLEAN <== NEW
  include_topic_authorized_operations => BOOLEAN <== NEW

Metadata Response => throttle_time_ms [brokers] cluster_id controller_id [topic_metadata] [authorized_operations] <== ADDED authorized_operations
  throttle_time_ms => INT32
  brokers => node_id host port rack
    node_id => INT32
    host => STRING
    port => INT32
    rack => NULLABLE_STRING
  cluster_id => NULLABLE_STRING
  controller_id => INT32
  topic_metadata => error_code topic is_internal [partition_metadata] [authorized_operations] <== ADDED authorized_operations
    error_code => INT16
    topic => STRING
    is_internal => BOOLEAN
    partition_metadata => error_code partition leader leader_epoch [replicas] [isr] [offline_replicas]
      error_code => INT16
      partition => INT32
      leader => INT32
      leader_epoch => INT32
      replicas => INT32
      isr => INT32
      offline_replicas => INT32
  authorized_operations => INT8 <== NEW
```
DescribeGroups Request and Response v3
```
DescribeGroups Request => [group_ids] include_authorized_operations <== ADDED include_authorized_operations
  group_ids => STRING
  include_authorized_operations => BOOLEAN <== NEW

DescribeGroups Response => throttle_time_ms [groups]
  throttle_time_ms => INT32
  groups => error_code group_id state protocol_type protocol [members] [authorized_operations] <== ADDED authorized_operations
    error_code => INT16
    group_id => STRING
    state => STRING
    protocol_type => STRING
    protocol => STRING
    members => member_id client_id client_host member_metadata member_assignment
      member_id => STRING
      client_id => STRING
      client_host => STRING
      member_metadata => BYTES
      member_assignment => BYTES
    authorized_operations => INT8 <== NEW
```
...
All relevant DescribeXxxOptions classes will include a new field and corresponding accessors to request authorized operations. By default the option is disabled. The classes affected are:
- DescribeClusterOptions: This is a metadata request. Operations returned will be a subset of {Describe, Alter, DescribeConfigs, AlterConfigs}
- DescribeTopicsOptions: Also a metadata request. Operations returned will be a subset of {Create, Delete, Read, Write, Describe, Alter, DescribeConfigs, AlterConfigs}
- DescribeConsumerGroupsOptions: Operations returned will be a subset of {Describe, Read, Delete}
...
The corresponding resource description or result classes returned by AdminClient will be extended to provide an optional set of authorized operations.
...
```java
import java.util.Set;
import org.apache.kafka.common.acl.AclOperation;

public class ConsumerGroupDescription {
    private Set<AclOperation> authorizedOperations;

    /** Retain existing code here */

    public Set<AclOperation> authorizedOperations() {
        // An empty set means the broker did not return authorized operations
        if (authorizedOperations.isEmpty())
            throw new IllegalArgumentException("Authorized operations were not provided by the broker");
        return authorizedOperations;
    }
}
```
...
A new method will be added to the kafka.security.auth.Authorizer interface to obtain the collection of authorized operations associated with a resource. The default implementation of this method will use the existing `authorize()` API to check every supported operation on the resource. This ensures that custom authorizers will continue to work without change. The built-in authorizer implementation SimpleAclAuthorizer will include a more performant implementation that traverses ACLs once to retrieve all the authorized operations for the user.
...
As described above, the Kafka protocol for requests and responses to describe broker resources will be extended to request authorized operations and return the set of authorized operations if requested. The broker will use its pluggable Authorizer to obtain the set of permitted operations for the Session performing the Describe operation. SimpleAclAuthorizer will be updated to traverse through ACLs once and return all the matching operations. Custom authorizers may be extended to do the same, but a default implementation that uses the existing `authorize()` method to authorize every supported operation ensures that existing authorizers can be used without change.
The broker will check Describe access on the resources before returning any metadata, so only users authorized for Describe may obtain the additional information provided by this KIP. Users without Describe access continue to get errors that don't leak information about the existence of resources.
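The default per-operation strategy and the Describe gate described above, as an added example that is not code from the KIP or from Kafka: `Op`, the reduced `Authorizer` interface, the principals and the grants are hypothetical stand-ins, and the numeric codes follow `AclOperation`'s byte codes so the result fits the INT8 array in the response.

```java
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Map;
import java.util.Set;

public class AuthorizedOperationsExample {
    // Hypothetical stand-in for AclOperation; codes follow its byte codes (INT8 on the wire).
    enum Op {
        READ(3), WRITE(4), CREATE(5), DELETE(6), ALTER(7), DESCRIBE(8),
        DESCRIBE_CONFIGS(10), ALTER_CONFIGS(11);
        final byte code;
        Op(int code) { this.code = (byte) code; }
    }

    // Hypothetical reduction of the existing authorize() check to three arguments.
    interface Authorizer {
        boolean authorize(String principal, Op op, String resource);
    }

    // The operations the KIP lists as possible for a topic (all eight above).
    static final Set<Op> TOPIC_OPS = EnumSet.allOf(Op.class);

    // Default strategy: one authorize() call per supported operation.
    static byte[] authorizedOperations(Authorizer authz, String principal, String topic) {
        // Describe is checked first and fails the same way whether or not the
        // topic exists, so an unauthorized caller learns nothing about it.
        if (!authz.authorize(principal, Op.DESCRIBE, topic))
            throw new SecurityException("not authorized");
        byte[] codes = new byte[TOPIC_OPS.size()];
        int n = 0;
        for (Op op : TOPIC_OPS)
            if (authz.authorize(principal, op, topic)) codes[n++] = op.code;
        return Arrays.copyOf(codes, n);
    }

    public static void main(String[] args) {
        // Constructed grants: alice may describe and read, bob has no grants.
        Map<String, Set<Op>> grants = Map.of("alice", EnumSet.of(Op.DESCRIBE, Op.READ));
        Authorizer authz = (p, op, r) -> grants.getOrDefault(p, Set.of()).contains(op);

        System.out.println("alice: " + Arrays.toString(authorizedOperations(authz, "alice", "payments")));
        try {
            authorizedOperations(authz, "bob", "payments");
        } catch (SecurityException e) {
            System.out.println("bob: " + e.getMessage());
        }
    }
}
```

The loop costs one authorization check per supported operation, which is the overhead a single-pass ACL traversal in SimpleAclAuthorizer is meant to avoid.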
...