...
Code Block | ||||
---|---|---|---|---|
| ||||
trait Authorizer extends Configurable { def authorizedOperations(session: Session, resource: Resource): Set[Operation] = { // Use authorize() to obtain permitted operations for the `session` on `resource` } .... } |
ResourceType API Changes
A new method will be added to the kafka.security.auth.ResourceType trait to obtain the supported operations associated with a resource type. This will be used to maintain supported operations for a resourceType.
This can be used by custom authorizers to determine authorized operations.
Code Block | ||||
---|---|---|---|---|
| ||||
Sealed trait ResourceType extends BaseEnum with Ordered[ ResourceType ] {
.....
// this method output will not include "All" Operation type
def supportedOperations: Set[Operation]
}
case object Topic extends ResourceType {
...
val supportedOperations = Set(Read, Write, Create, Describe, Delete, Alter, DescribeConfigs, AlterConfigs)
}
case object Group extends ResourceType {
...
val supportedOperations = Set(Read, Describe, Delete)
}
case object Cluster extends ResourceType {
...
val supportedOperations = Set(Create, ClusterAction, DescribeConfigs, AlterConfigs, IdempotentWrite, Alter, Describe)
}
case object TransactionalId extends ResourceType {
...
val supportedOperations = Set(Describe, Write)
}
case object DelegationToken extends ResourceType {
...
val supportedOperations = Set(Describe)
} |
Proposed Changes
As described above, Kafka protocol for requests and responses to describe broker resources will be extended to request authorized operations and return the set of authorized operations if requested. Broker will use its pluggable Authorizer
to obtain the set of permitted operations for the Session
performing the Describe
operation. SimpleAclAuthorizer
will be updated to traverse through ACLs once and return all the matching operations. Custom authorizers may be extended to do the same, but a default implementation that uses the existing `authorize()
` method to authorize every supported operation ensures that existing authorizers can be used without change. If no authorizer is configured on the broker, the full set of supported operations on each resource will be returned.
...