TenantAclProvider (ce-broker-plugins 7.4.4-ce API)

java.lang.Object
- io.confluent.kafka.multitenant.authorizer.TenantAclProvider

All Implemented Interfaces:

io.confluent.security.authorizer.provider.AccessRuleProvider, io.confluent.security.authorizer.provider.Provider, Closeable, AutoCloseable, org.apache.kafka.common.Configurable, org.apache.kafka.common.Reconfigurable
```
public class TenantAclProvider
extends Object
implements io.confluent.security.authorizer.provider.AccessRuleProvider, org.apache.kafka.common.Reconfigurable
```
Multi-tenant authorizer that supports:
- ACLs with TenantUser:clusterId_userId as principal
- ACLs with TenantUser*:clusterId_ as wildcard prefixed principal
- ACLs with User:* as wildcard principal (e.g. for brokers or users on other listeners)
- Resource patterns with literal resource names clusterId_resourceName
- Resource patterns with prefixed resource names clusterId_resourcePrefix
- Resource patterns with tenant wildcard resource names using prefixed name clusterId_
- Resource patterns with literal wildcard resource name "*" (e.g. for broker ACLs)
- Super users configured using the configuration option `super.users` (e.g. for broker principals)
- Tenant super users with access to all tenant resources using tenant principals with io.confluent.kafka.multitenant.TenantMetadata#isSuperUser enabled.
Use of tenant prefix:
- Clients configure ACLs for User:userId
- Multi-tenant interceptor transforms User:userId to TenantUser:clusterId_userId
- ACLs are stored internally in ZooKeeper for TenantUser:clusterId_userId
- When tenants describe ACLs, prefix is removed from response by the interceptor
- Multi-tenant principal builder generates tenant principal TenantUser:clusterId_userId
- Authorizer matches TenantUser principals in ACLs obtained from ZooKeeper against TenantUser session principal generated by the principal builder.
- Non-tenant principals (e.g broker principals) are of the form User:userId in ACLs as well as session principals
Assumptions:
- All tenant ACLs have principals and resource names with tenant prefix
- All non-tenant (e.g. broker) ACLs have principals and resource names that do not contain prefix of any tenant in the cluster
- Tenant principals have type TenantUser, others have type User

Constructor Summary

Constructors
Constructor and Description

TenantAclProvider()

Constructors
Constructor and Description
`TenantAclProvider()`

Method Summary

All Methods Instance Methods Concrete Methods
Modifier and Type	Method and Description
`void`	`addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules, org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Operation operation, io.confluent.security.authorizer.Scope resourceScope, io.confluent.security.authorizer.ResourceType resourceType)`
`Optional<org.apache.kafka.server.authorizer.Authorizer>`	`asAuthorizer()`
`void`	`close()`
`void`	`configure(Map<String,?> configs)`
`io.confluent.security.authorizer.provider.AuthorizeRule`	`findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal, Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals, String host, io.confluent.security.authorizer.Action action)`
`boolean`	`isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal, io.confluent.security.authorizer.Scope scope)`
`boolean`	`mayDeny()`
`String`	`providerName()`
`Set<String>`	`reconfigurableConfigs()`
`void`	`reconfigure(Map<String,?> configs)`
`CompletionStage<Void>`	`start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo, Map<String,?> interBrokerListenerConfigs)`
`boolean`	`usesMetadataFromThisKafkaCluster()`
`void`	`validateReconfiguration(Map<String,?> configs)`

Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail
- TenantAclProvider
```
public TenantAclProvider()
```

Method Detail

configure
```
public void configure(Map<String,?> configs)
```
Specified by:

configure in interface org.apache.kafka.common.Configurable

reconfigurableConfigs
```
public Set<String> reconfigurableConfigs()
```
Specified by:

reconfigurableConfigs in interface org.apache.kafka.common.Reconfigurable

validateReconfiguration
```
public void validateReconfiguration(Map<String,?> configs)
                             throws org.apache.kafka.common.config.ConfigException
```
Specified by:

validateReconfiguration in interface org.apache.kafka.common.Reconfigurable

Throws:

org.apache.kafka.common.config.ConfigException

reconfigure
```
public void reconfigure(Map<String,?> configs)
```
Specified by:

reconfigure in interface org.apache.kafka.common.Reconfigurable

start

public CompletionStage<Void> start(org.apache.kafka.server.authorizer.internals.ConfluentAuthorizerServerInfo serverInfo,
                                   Map<String,?> interBrokerListenerConfigs)

Specified by:: start in interface io.confluent.security.authorizer.provider.Provider

providerName
```
public String providerName()
```
Specified by:

providerName in interface io.confluent.security.authorizer.provider.Provider

isSuperUser

public boolean isSuperUser(org.apache.kafka.common.security.auth.KafkaPrincipal principal,
                           io.confluent.security.authorizer.Scope scope)

Specified by:: isSuperUser in interface io.confluent.security.authorizer.provider.AccessRuleProvider

findRule

public io.confluent.security.authorizer.provider.AuthorizeRule findRule(org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                                                                        Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                                                                        String host,
                                                                        io.confluent.security.authorizer.Action action)

Specified by:: findRule in interface io.confluent.security.authorizer.provider.AccessRuleProvider

addMatchingRules

public void addMatchingRules(io.confluent.security.authorizer.provider.ResourceAuthorizeRules matchingRules,
                             org.apache.kafka.common.security.auth.KafkaPrincipal sessionPrincipal,
                             Set<org.apache.kafka.common.security.auth.KafkaPrincipal> groupPrincipals,
                             String host,
                             io.confluent.security.authorizer.Operation operation,
                             io.confluent.security.authorizer.Scope resourceScope,
                             io.confluent.security.authorizer.ResourceType resourceType)

Specified by:: addMatchingRules in interface io.confluent.security.authorizer.provider.AccessRuleProvider

mayDeny
```
public boolean mayDeny()
```
Specified by:

mayDeny in interface io.confluent.security.authorizer.provider.AccessRuleProvider

usesMetadataFromThisKafkaCluster
```
public boolean usesMetadataFromThisKafkaCluster()
```
Specified by:

usesMetadataFromThisKafkaCluster in interface io.confluent.security.authorizer.provider.Provider

asAuthorizer
```
public Optional<org.apache.kafka.server.authorizer.Authorizer> asAuthorizer()
```
Specified by:

asAuthorizer in interface io.confluent.security.authorizer.provider.AccessRuleProvider

close
```
public void close()
           throws IOException
```
Specified by:

close in interface Closeable

Specified by:

close in interface AutoCloseable

Throws:

IOException

Class TenantAclProvider

Constructor Summary

Method Summary

Methods inherited from class java.lang.Object

Constructor Detail

TenantAclProvider

Method Detail

configure

reconfigurableConfigs

validateReconfiguration

reconfigure

start

providerName

isSuperUser

findRule

addMatchingRules

mayDeny

usesMetadataFromThisKafkaCluster

asAuthorizer

close