...

Add the following public method to the Authorizer interface.

Code Block
/**
 * Description of the authorizer implementation, for example its valid principal types.
 *
 * @return description of the authorizer implementation.
 */
public String description();

Update the Authorizer interface to drop the getter naming convention.

Code Block
import java.util.Map;
import java.util.Set;

import org.apache.kafka.common.Configurable;

public interface Authorizer extends Configurable {

    /**
     * @param session   The session being authenticated.
     * @param operation Type of operation client is trying to perform on resource.
     * @param resource  Resource the client is trying to access.
     * @return true if the operation is authorized, false otherwise.
     */
    public boolean authorize(Session session, Operation operation, Resource resource);

    /**
     * implementation specific description, like, supported principal types.
     *
     * @return implementation specific description.
     */
    public String description();

    /**
     * add the acls to resource, this is an additive operation so existing acls will not be overwritten, instead these new
     * acls will be added to existing acls.
     *
     * @param acls     set of acls to add to existing acls
     * @param resource the resource to which these acls should be attached.
     */
    public void addAcls(Set<Acl> acls, Resource resource);

    /**
     * remove these acls from the resource.
     *
     * @param acls     set of acls to be removed.
     * @param resource resource from which the acls should be removed.
     * @return true if some acl got removed, false if no acl was removed.
     */
    public boolean removeAcls(Set<Acl> acls, Resource resource);

    /**
     * remove a resource along with all of its acls from acl store.
     *
     * @param resource
     * @return
     */
    public boolean removeAcls(Resource resource);

    /**
     * get set of acls for this resource
     *
     * @param resource
     * @return empty set if no acls are found, otherwise the acls for the resource.
     */
    public Set<Acl> acls(Resource resource);

    /**
     * get the acls for this principal.
     *
     * @param principal
     * @return empty Map if no acls exist for this principal, otherwise a map of resource -> acls for the principal.
     */
    public Map<Resource, Set<Acl>> acls(KafkaPrincipal principal);

    /**
     * gets the map of resource to acls for all resources.
     */
    public Map<Resource, Set<Acl>> acls();

    /**
     * Closes this instance.
     */
    public void close();

}

Proposed Changes

The KIP proposes to move the Authorizer interface and all related classes, i.e., Acl, Operation, PermissionType, Resource, ResourceType, KafkaPrincipal and Session, to a separate package, org.apache.kafka.authorizer, that third-party authorizer implementations and the core and clients packages can depend on. The only change made to the default authorizer, SimpleAclAuthorizer, will be the interface it extends.

The Authorizer interface will be updated to remove the getter naming convention.

description() will be added to the Authorizer interface. Each authorizer implementation can override this method to provide information on implementation-specific aspects of the authorizer, for instance, the principal types it supports. The description will be shown by the kafka-acls.sh CLI when --help is specified. The KIP suggests that ACLs should be validated in authorizer implementations.
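
The following sketch is an added example, not code from the KIP or from Kafka. It shows an implementation validating principal types in addAcls() and reporting the supported types through description(). The class ValidatingAclStore, the stand-in Principal and Acl records, the String resource name and the single supported type "User" are all assumptions made for illustration (Java 16 or later for records).

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

/** Added sketch; Principal, Acl and the String resource are stand-ins, not Kafka classes. */
public class ValidatingAclStore {
    record Principal(String type, String name) {}
    record Acl(Principal principal, String operation, boolean allow) {}

    // Assumption: this implementation only understands "User" principals.
    private static final Set<String> SUPPORTED_PRINCIPAL_TYPES = Set.of("User");
    private final Map<String, Set<Acl>> aclsByResource = new HashMap<>();

    /** Text a CLI such as kafka-acls.sh --help could show for this implementation. */
    public String description() {
        return "Supported principal types: " + SUPPORTED_PRINCIPAL_TYPES;
    }

    /** Additive, like addAcls in the interface; validates the whole set before storing any of it. */
    public void addAcls(Set<Acl> acls, String resource) {
        for (Acl acl : acls) {
            String type = acl.principal().type();
            if (!SUPPORTED_PRINCIPAL_TYPES.contains(type)) {
                throw new IllegalArgumentException(
                    "Unsupported principal type '" + type + "'. " + description());
            }
        }
        aclsByResource.computeIfAbsent(resource, r -> new HashSet<>()).addAll(acls);
    }

    /** Returns an empty set if no ACLs are stored for the resource. */
    public Set<Acl> acls(String resource) {
        return Collections.unmodifiableSet(aclsByResource.getOrDefault(resource, Set.of()));
    }

    public static void main(String[] args) {
        ValidatingAclStore store = new ValidatingAclStore();
        store.addAcls(Set.of(new Acl(new Principal("User", "alice"), "Read", true)), "topic:orders");
        try {
            // Constructed input: lower-case "user" is a typo this store does not recognise.
            store.addAcls(Set.of(new Acl(new Principal("user", "mallory"), "Write", false)), "topic:orders");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        System.out.println(store.acls("topic:orders").size() + " acl stored");
    }
}
```

Rejecting the set before anything is stored matters most for deny rules: an ACL whose principal type the authorizer never matches would otherwise be accepted and silently have no effect.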

...