Versions Compared

Old Version 3

changes.mady.by.user Mayuresh Gharat

Saved on

compared with

New Version 4

changes.mady.by.user Mayuresh Gharat

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Status

Current state: Under Discussion

...

Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).

Motivation

Kafka allows users to plugin a custom PrincipalBuilder and a custom Authorizer by specifying the classpath of the corresponding classes in the config.

...

This issue can be addressed if Kafka stores the original Principal object when it processes the incoming request, before handing it over to the API threads. The Authorizer will then be able to access this Principal object and use it to verify the ACLs.

Public Interfaces

This KIP introduces a new constructor in the KafkaPrincipal class, that takes in an additional parameter of type Java Principal. It also introduces a new API in PrincipalBuilder, that would build a Java Principal from the passed in map of configs. kafka-acls.sh would take in 2 optional command line parameters specifying the PrincipalBuilder class name and the properties used to create the PrincpalBuilder.

Beyond the proposed new configuration key this KIP makes no changes to client or server public APIs.

Proposed Changes

  • Add a new field to KafkaPrincipal called "channelPrincipal" of type java.security.Principal

  • Add a new constructor to KafkaPrincipal that takes in an additional parameter of type java.security.Principal as follows :

    Code Block
    languagejava
    themeMidnight
    public class KafkaPrincipal implements Principal {
...
 
 private Principal channelPrincipal;
 
 // New Constructor
 public KafkaPrincipal(String principalType, String name, Principal channelPrincipal) {
 if (principalType == null || name == null) {
 throw new IllegalArgumentException("principalType and name can not be null");
 }
 this.principalType = principalType;
 this.name = name;
 this.channelPrincipal = channelPrincipal;
 }
 
 public KafkaPrincipal(String principalType, String name) {
 this(principalType, name, null);
 }
 
...
 
 public Principal getChannelPrincipal() {
 return this.channelPrincipal;
 }
}

  • The Authorizer can access this principal object as follows :

    Code Block
    languagejava
    themeMidnight
    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
...
 
 KafkaPrincipal principal = session.principal();
 // User_Defined_Principal should implement java.security.Principal 
 User_Defined_Principal principal = (User_Defined_Principal) principal.getChannelPrincipal(); 
 
...
}

  • Changes to kafka-acls.sh

    • Kafka-acls.sh will allow to specify a custom PrincipalBuilder class using a new command line parameter "-- principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties".

    • The "--allow-principal" will take list of properties as follows :

      Code Block
      languagejava
      themeMidnight
      bin/kafka-acls.sh ...... --principalBuilder <PrincipalBuilder-class> --principalBuilder-properties <PrincipalBuilder-properties> --add --allow-principal <principal-properties> --allow-principal <principal-properties> ...... --operations Read,Write --topic Test-topic

    • Add a new API to PrincipalBuilder :

      Code Block
      languagejava
      themeMidnight
      public interface PrincipalBuilder extends Configurable {
...

  /**
   * Build a Principal using the provided configs.
   *
   * @param  principalConfigs  configs used to create the Principal
   * @return Principal
   */
  Principal buildPrincipal(Map<String, ?> principalConfigs);

...
}
    • The specified PrincipalBuilder class will be responsible for building the Principal using the <principal-properties>.
    • The Principal generated by this PrincipalBuilder can then be included in KafkaPrincipal using the new constructor specified above.

    • The "--principalBuilder" and "--principalBuilder-properties" parameters are optional. If its not specified, the Kafka-acls.sh would still work as it does today.

Compatibility, Deprecation, and Migration Plan

This KIP is a pure addition to existing functionality and does not include any backward incompatible changes.

Test Plan

- Unit tests to validate that new changes work as expected without affecting the existing behavior.

Rejected Alternatives

Kafka-acls.sh will allow to specify a custom PrincipalBuilder using a new command line parameter "-- principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties". Users can use these to build their custom Principal (that implements Java Principal). Add a new API to PrincipalBuilder Interface :

...