...
The corresponding resource description or result classes returned by AdminClient will be extended to provide an optional set of authorized operations. The bits set in the new INT32 field in the response will be used to generate a set of AclOperation entries, where each operation code is derived from the position of the bit in the field. When new operations are added, older clients will ignore any authorized operations returned by the broker that are not supported by the client. The returned AclOperation set will never contain AclOperation.ANY, AclOperation.ALL or AclOperation.UNKNOWN.
Example: ConsumerGroupDescription
...
A new method will be added to the kafka.security.auth.Authorizer interface to obtain the collection of authorized operations associated with a resource. The default implementation of this method will use the existing `authorize()` API to check every supported operation on the resource. This ensures that custom authorizers will continue to work without change. The built-in authorizer implementation SimpleAclAuthorizer will include a more performant implementation that traverses ACLs once to retrieve all the authorized operations for the user. All permitted operations on the resource, including any that are implicitly allowed by ACLs, will be included in the returned set. For example, if a Read ACL is found, both Read and Describe will be included since both are permitted. If an ACL is found for all operations (AclOperation.ALL) on a resource, the broker will explicitly list all supported operations of the resource, so that clients always receive the full set of actual permitted operations.
```scala
trait Authorizer extends Configurable {
  def authorizedOperations(session: Session, resource: Resource): Set[Operation] = {
    // Use authorize() to obtain permitted operations for the `session` on `resource`
  }
  ....
}
```
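The bit-field encoding and the expansion of implied operations described above, sketched as an added example in Python (not code from this proposal or from Kafka). The numeric codes are assumed to follow Kafka's AclOperation enum, the consumer group operation set is a constructed sample, and the function names are hypothetical.

```python
from enum import IntEnum

class AclOperation(IntEnum):
    # Assumption: codes follow Kafka's AclOperation enum; only a subset is listed.
    UNKNOWN = 0
    ANY = 1
    ALL = 2
    READ = 3
    WRITE = 4
    CREATE = 5
    DELETE = 6
    ALTER = 7
    DESCRIBE = 8

# Never returned to clients, per the text above.
NOT_RETURNED = {AclOperation.UNKNOWN, AclOperation.ANY, AclOperation.ALL}
# Only the implication the text names; a real authorizer may define more.
IMPLIED = {AclOperation.READ: {AclOperation.DESCRIBE}}
# Constructed sample: operations a consumer group resource supports.
GROUP_SUPPORTED = {AclOperation.READ, AclOperation.DESCRIBE, AclOperation.DELETE}

def expand(acl_ops, supported):
    """Broker side: explicit permitted set for the allow ACLs found."""
    ops = set()
    for op in acl_ops:
        if op is AclOperation.ALL:
            ops |= supported          # list every supported operation explicitly
        else:
            ops |= {op} | IMPLIED.get(op, set())
    return (ops & supported) - NOT_RETURNED

def to_bitfield(ops):
    """Set bit N of the INT32 field for operation code N."""
    field = 0
    for op in ops:
        field |= 1 << int(op)
    return field

def from_bitfield(field):
    """Client side: decode set bits, skipping codes this client does not know."""
    ops = set()
    known = {int(op): op for op in AclOperation}
    for code in range(32):
        op = known.get(code)          # None: operation newer than this client
        if field & (1 << code) and op is not None and op not in NOT_RETURNED:
            ops.add(op)
    return ops
```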
...