When implementing a custom Authorizer, one has to map authorization requests coming from Kafka to a different, custom backend system.
The following table lists all the authorization combinations that can come from Kafka as of 2.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken | Notes |
|---|---|---|---|---|---|---|
| Produce | Write | | | | | |
| Produce (Idempotent) | Write | | | | | |
| Produce (Transactional) | Write | | | | | |
| UpdateMetadata | | | ClusterAction | | | |
| ControlledShutdown | | | ClusterAction | | | |
| OffsetCommit | Read | Read | | | | |
| OffsetFetch | Describe | Describe | | | | |
| FindCoordinator (Group) | | Describe | | | | |
| FindCoordinator (Transaction) | | | | Describe | | |
| JoinGroup | | Read | | | | |
| Heartbeat | | Read | | | | |
| LeaveGroup | | Read | | | | |
| SyncGroup | | Read | | | | |
| DescribeGroups | | Describe | | | | |
| ListGroups | | | Describe | | | |
| SaslHandshake | | | | | | |
| ApiVersions | | | | | | |
| CreateTopics | Create (Added in 2.0) | | Create | | | From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required. |
| DeleteTopics | Delete | | | | | |
| DeleteRecords | Delete | | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | | |
| InitProducerId (Transaction) | | | | Write | | |
| OffsetsForLeaderEpoch | | | ClusterAction | | | |
| AddPartitionsToTxn | Write | | | Write | | |
| AddOffsetsToTxn | | Read | | Write | | |
| EndTxn | | | | Write | | |
| WriteTxnMarkers | | | ClusterAction | | | |
| TxnOffsetCommit | Read | Read | | Write | | |
| DescribeAcls | | | Describe | | | |
| CreateAcls | | | Alter | | | |
| DeleteAcls | | | Alter | | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | | |
| AlterConfigs (Topic) | AlterConfigs | | | | | |
| AlterReplicaLogDirs | | | Alter | | | |
| DescribeLogDirs | | | Describe | | | |
| SaslAuthenticate | | | | | | |
| CreatePartitions | Alter | | | | | |
| CreateDelegationToken | | | | | | |
| RenewDelegationToken | | | | | | |
| ExpireDelegationToken | | | | | | |
| DescribeDelegationTokens | | | | | Describe | |
| DeleteGroups | | Delete | | | | |

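
An added example, not part of the original page or of Kafka's code: a fail-closed translation of the (resource type, operation) pairs from the 2.0 table into a custom backend's permissions, with a check for pairs the backend mapping does not cover. The backend permission names and all function names are hypothetical, only a subset of rows is transcribed, and resource names (which topic or group) are ignored.

```python
# Added example: every name below is hypothetical, not part of Kafka.

# Subset of the 2.0 table: every pair listed for a request must be allowed.
ALL_OF = {
    "Produce": [("Topic", "Write")],
    "OffsetCommit": [("Topic", "Read"), ("Group", "Read")],
    "TxnOffsetCommit": [("Topic", "Read"), ("Group", "Read"),
                        ("TransactionalId", "Write")],
    "AddOffsetsToTxn": [("Group", "Read"), ("TransactionalId", "Write")],
    "DescribeDelegationTokens": [("DelegationToken", "Describe")],
    "ApiVersions": [],  # the table lists no authorization check
}
# From 2.0 onwards CreateTopics needs Create on Topic OR Create on Cluster.
ANY_OF = {"CreateTopics": [("Topic", "Create"), ("Cluster", "Create")]}

# Constructed backend vocabulary; DelegationToken is deliberately left unmapped.
BACKEND_PERMISSION = {
    ("Topic", "Write"): "stream:publish",
    ("Topic", "Read"): "stream:consume",
    ("Topic", "Create"): "stream:create",
    ("Cluster", "Create"): "platform:admin",
    ("Group", "Read"): "group:member",
    ("TransactionalId", "Write"): "txn:use",
}

def unmapped_pairs():
    """Pairs Kafka can send that the backend mapping does not cover."""
    rows = list(ALL_OF.values()) + list(ANY_OF.values())
    sent = {pair for checks in rows for pair in checks}
    return sorted(sent - set(BACKEND_PERMISSION))

def authorize(pair, granted):
    """One authorization decision: deny when the pair has no backend equivalent."""
    perm = BACKEND_PERMISSION.get(pair)
    return perm is not None and perm in granted

def request_allowed(request, granted):
    """Combine the per-pair decisions the way the table row describes."""
    if request in ANY_OF:
        return any(authorize(p, granted) for p in ANY_OF[request])
    if request not in ALL_OF:
        return False  # request type not transcribed: fail closed
    return all(authorize(p, granted) for p in ALL_OF[request])
```

Running `unmapped_pairs()` against the full table before deployment shows which requests the backend would silently deny for every principal.
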
The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |