When implementing a custom authorizerAuthorizer, one has to map authorization requests coming from Kafka to a custom different backend system.
The following table lists all the authorization combinations that can come from Kafka :
...
as of 2.0:
| Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|
|---|
| Produce | Write |
| | |
|
|
|
|
|
| Produce (Idempotent) | Write |
|
|
|
|
| Produce (Transactional) | Write |
| | | | | | | | | | | | | | | | | | |
|
|
|
| UpdateMetadata |
|
| ClusterAction |
UpdateMetadata ClusterAction | | ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
AlterConfigs (Broker) | | | AlterConfigs | | | Describe |
|
|
|
|
| FindCoordinator (Group) |
| Describe |
|
|
|
|
| FindCoordinator (Transaction) |
|
|
| Describe |
|
|
| JoinGroup |
| Read |
|
|
|
|
| Heartbeat |
| Read |
|
|
|
|
| LeaveGroup |
| Read |
|
|
|
|
| SyncGroup |
| Read |
|
|
|
|
| DescribeGroups |
| Describe |
|
|
|
|
| ListGroups |
|
| Describe |
|
|
|
| SaslHandshake |
|
|
|
|
|
|
| ApiVersions |
|
|
|
|
|
|
| CreateTopics | Create (Added in 2.0) |
| Create |
|
| From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required. |
| DeleteTopics | Delete |
|
|
|
|
|
| DeleteRecords | Delete |
|
|
|
|
|
| InitProducerId (Idempotent) |
|
| IdempotentWrite |
|
|
|
| InitProducerId (Transaction) |
|
|
| Write |
|
|
| OffsetsForLeaderEpoch |
|
| ClusterAction |
|
|
|
| AddPartitionsToTxn | Write |
|
| Write |
|
|
| AddOffsetsToTxn |
| Read |
| Write |
|
|
| EndTxn |
|
|
| Write |
|
|
| WriteTxnMarkers |
|
| ClusterAction |
|
|
|
| TxnOffsetCommit | Read | Read |
| Write |
|
|
| DescribeAcls |
|
| Describe |
|
|
|
| CreateAcls |
|
| Alter |
|
|
|
| DeleteAcls |
|
| Alter |
|
|
|
| DescribeConfigs (Broker) |
|
| DescribeConfigs |
|
|
|
| DescribeConfigs (Topic) | DescribeConfigs |
|
|
|
|
|
AlterConfigs (Broker) |
|
| AlterConfigs |
|
|
|
| AlterConfigs (Topic) | AlterConfigs |
|
|
|
|
|
| AlterReplicaLogDirs |
|
| Alter |
|
|
|
| DescribeLogDirs |
|
| Describe |
|
|
|
| SaslAuthenticate |
|
|
|
|
|
|
| CreatePartitions | Alter |
|
|
|
|
|
| CreateDeletegationToken |
|
|
|
|
|
|
| RenewDelegationToken |
|
|
|
|
|
|
| ExpireDelegationToken |
|
|
|
|
|
|
| DescribeDelegationTokens |
|
|
|
| Describe |
|
| DeleteGroups |
| Delete |
|
|
|
|
The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:
| Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|
| Produce | Write |
|
|
|
|
| Produce (Idempotent) | Write |
| IdempotentWrite |
|
|
| Produce (Transactional) | Write |
|
| Write |
|
Fetch (Follower) | Read |
| ClusterAction |
|
|
| Fetch (Consumer) | Read |
|
|
|
|
| ListOffsets | Describe |
|
|
|
|
| Metadata | Describe |
|
|
|
|
| LeaderAndIsr |
|
| ClusterAction |
|
|
| StopReplica |
|
| ClusterAction |
|
|
| UpdateMetadata |
|
| ClusterAction |
|
|
| ControlledShutdown |
|
| ClusterAction |
|
|
| OffsetCommit | Read | Read |
|
|
|
| OffsetFetch | Describe | Describe |
|
|
|
| FindCoordinator (Group) |
| Describe |
|
|
|
| FindCoordinator (Transaction) |
|
|
| Describe |
|
| JoinGroup |
| Read |
|
|
|
| Heartbeat |
| Read |
|
|
|
| LeaveGroup |
| Read |
|
|
|
| SyncGroup |
| Read |
|
|
|
| DescribeGroups |
| Describe |
|
|
|
| ListGroups |
|
| Describe |
|
|
| SaslHandshake |
|
|
|
|
|
| ApiVersions |
|
|
|
|
|
| CreateTopics |
|
| Create |
|
|
| DeleteTopics | Delete |
|
|
|
|
| DeleteRecords | Delete |
|
|
|
|
| InitProducerId (Idempotent) |
|
| IdempotentWrite |
|
|
| InitProducerId (Transaction) |
|
|
| Write |
|
| OffsetsForLeaderEpoch |
|
| ClusterAction |
|
|
| AddPartitionsToTxn | Write |
|
| Write |
|
| AddOffsetsToTxn |
| Read |
| Write |
|
| EndTxn |
|
|
| Write |
|
| WriteTxnMarkers |
|
| ClusterAction |
|
|
| TxnOffsetCommit | Read | Read |
| Write |
|
| DescribeAcls |
|
| Describe |
|
|
| CreateAcls |
|
| Alter |
|
|
| DeleteAcls |
|
| Alter |
|
|
| DescribeConfigs (Broker) |
|
| DescribeConfigs |
|
|
| DescribeConfigs (Topic) | DescribeConfigs |
|
|
|
|
AlterConfigs (Broker) |
|
| AlterConfigs |
|
|
| AlterConfigs (Topic) | AlterConfigs |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |