...

The Kafka authorizer is agnostic of the principal types it supports, and so are the ACL CRUD methods in the Authorizer interface. The intent is to keep Kafka principal types pluggable, which is really great. However, as a result the ACL CRUD methods perform no validity checks on ACLs, because they are not aware of which principal types the Authorizer implementation supports. This leaves room for many user errors; KAFKA-3097 is one instance.

Public Interfaces

...

Move Authorizer interfaces ... and related classes to ... common module.

The following interface and classes will be moved to org.apache.kafka.common.security.auth.

  1. Authorizer
  2. Acl
  3. Operation
  4. PermissionType
  5. Resource
  6. ResourceType
  7. KafkaPrincipal
  8. Session

Add ... method to get authorizer implementation specific description to Authorizer interface.

Code Block
/**
 * Description of the authorizer implementation, for example its valid principal types.
 * @return description of the authorizer implementation.
 */
public String description();

Add ... exceptions related to Authorizer.

The following exceptions will be added to org.apache.kafka.common.errors.

InvalidAclException

Code Block
/**
 * Thrown when an invalid Acl is being added or removed.
 */
public class InvalidAclException extends ApiException {

    private static final long serialVersionUID = 1L;

    public InvalidAclException(String message) {
        super(message);
    }

    public InvalidAclException(String message, Throwable cause) {
        super(message, cause);
    }

}

...

The KIP proposes to move the Authorizer interface and all related classes, i.e., Acl, Operation, PermissionType, Resource, ResourceType, KafkaPrincipal and Session, to org.apache.kafka.common.security.auth. Third-party authorizer implementations can depend on the clients module to access the Authorizer interface and related classes. The only change made to the default authorizer, SimpleAclAuthorizer, will be the interface it extends.

The Authorizer interface will be updated to remove the getter naming convention, and expected exceptions will be added.

description() will be added to the Authorizer interface. Each authorizer implementation can override this method to provide information on implementation-specific aspects of the authorizer, for instance, the principal types it supports. The kafka-acls.sh CLI will print the description when --help is specified. The KIP suggests that ACLs should be validated in authorizer implementations.
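A sketch of the validation this section asks authorizer implementations to perform, added here as an illustration and not taken from the KIP or from Kafka's code. ExampleAuthorizer, its addAcl signature and the supported-type set are hypothetical, and InvalidAclException is a local stand-in for the proposed class so the file compiles on its own.

```java
import java.util.*;

// Added illustration: stand-in types, not Kafka's real classes.
public class PrincipalTypeValidationExample {

    // Stand-in for the exception the KIP proposes (the proposed one extends ApiException).
    static class InvalidAclException extends RuntimeException {
        InvalidAclException(String message) { super(message); }
    }

    // Hypothetical authorizer that knows which principal types it supports.
    static class ExampleAuthorizer {
        private static final Set<String> SUPPORTED_TYPES = Set.of("User");
        private final Map<String, Set<String>> aclsByResource = new HashMap<>();

        // Implementation-specific description, the text a CLI could show for --help.
        public String description() {
            return "Valid principal types: " + SUPPORTED_TYPES + " (case sensitive)";
        }

        // Reject the ACL when it is added instead of storing an entry that can never match.
        public void addAcl(String principal, String resource) {
            int sep = principal.indexOf(':');
            if (sep <= 0 || sep == principal.length() - 1)
                throw new InvalidAclException("Expected <type>:<name>, got '" + principal + "'");
            String type = principal.substring(0, sep);
            if (!SUPPORTED_TYPES.contains(type))
                throw new InvalidAclException(
                    "Unsupported principal type '" + type + "'. " + description());
            aclsByResource.computeIfAbsent(resource, r -> new HashSet<>()).add(principal);
        }
    }

    public static void main(String[] args) {
        ExampleAuthorizer authorizer = new ExampleAuthorizer();
        System.out.println(authorizer.description());
        // Constructed sample principals: one valid, three that should be rejected.
        for (String p : List.of("User:alice", "user:alice", "Group:admins", "alice")) {
            try {
                authorizer.addAcl(p, "Topic:payments");
                System.out.println("accepted " + p);
            } catch (InvalidAclException e) {
                System.out.println("rejected " + p + ": " + e.getMessage());
            }
        }
    }
}
```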

...