Class KeycloakAuthorizer

java.lang.Object
io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer
All Implemented Interfaces:
Closeable, AutoCloseable, org.apache.kafka.common.Configurable, org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer, org.apache.kafka.server.authorizer.Authorizer

public class KeycloakAuthorizer extends Object implements org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
An authorizer using Keycloak Authorization Services that supports KRaft mode.

In KRaft mode, multiple instances of this class can be instantiated, and each needs its own instance of StandardAuthorizer for delegating authorization to the Kafka ACL implementation.

This authorizer automatically sets up the appropriate Kafka ACL delegation classes if delegation is enabled. All authorization logic is delegated to KeycloakRBACAuthorizer, of which a single instance is created and shared between all instances of this class.

To install this authorizer in Kafka, specify the following in your 'server.properties':

     authorizer.class.name=io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer
     principal.builder.class=io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder
 

Configuration options are the same as for KeycloakRBACAuthorizer.
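
An added example (not part of the Strimzi project or its documentation): a small Python check that a 'server.properties' file carries both settings shown above and that neither is overridden by a later duplicate key, since the last occurrence of a key wins when a properties file is loaded. The parser is simplified (single-line entries, no escape handling), and the function names and sample inputs are constructed for illustration.

```python
import re

# Expected values, copied from the install instructions above.
REQUIRED = {
    "authorizer.class.name":
        "io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer",
    "principal.builder.class":
        "io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder",
}

def parse_properties(text):
    """Simplified parser: one entry per line, '=' / ':' / space separator.
    Returns (effective, duplicates); the last occurrence of a key wins."""
    effective, duplicates = {}, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"([^=:\s#!][^=:\s]*)\s*[=:]?\s*(.*)", line)
        if not m:                      # blank line, comment, or no key
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in effective:
            duplicates.add(key)
        effective[key] = value
    return effective, duplicates

def check_install(text):
    """Return findings; an empty list means both settings match the page."""
    props, dups = parse_properties(text)
    findings = []
    for key, expected in REQUIRED.items():
        actual = props.get(key)
        if actual is None:
            findings.append(f"{key} is not set")
        elif actual != expected:
            findings.append(f"{key} is {actual!r}, expected {expected!r}")
        if key in dups:
            findings.append(f"{key} is set more than once; the last value wins")
    return findings

# Constructed sample inputs (not taken from a real broker).
GOOD = "\n".join(f"{k}={v}" for k, v in REQUIRED.items())
BAD = """\
authorizer.class.name=io.strimzi.kafka.oauth.server.authorizer.KeycloakAuthorizer
# a later line overrides the one above
authorizer.class.name = org.apache.kafka.metadata.authorizer.StandardAuthorizer
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_install(sample) or "ok")
```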

  • Constructor Summary

    Constructors
    KeycloakAuthorizer()

  • Method Summary

    Modifier and Type | Method
    int | aclCount()
    org.apache.kafka.metadata.authorizer.AclMutator | aclMutatorOrException()
    Iterable<org.apache.kafka.common.acl.AclBinding> | acls(org.apache.kafka.common.acl.AclBindingFilter filter)
    void | addAcl(org.apache.kafka.common.Uuid id, org.apache.kafka.metadata.authorizer.StandardAcl acl)
    List<org.apache.kafka.server.authorizer.AuthorizationResult> | authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions)
    org.apache.kafka.server.authorizer.AuthorizationResult | authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, org.apache.kafka.common.acl.AclOperation op, org.apache.kafka.common.resource.ResourceType resourceType)
    void | close()
    void | completeInitialLoad()
    void | completeInitialLoad(Exception e)
    void | configure(Map<String,?> configs)
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> | createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
    List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> | deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)
    void | loadSnapshot(Map<org.apache.kafka.common.Uuid,org.apache.kafka.metadata.authorizer.StandardAcl> acls)
    void | removeAcl(org.apache.kafka.common.Uuid id)
    void | setAclMutator(org.apache.kafka.metadata.authorizer.AclMutator aclMutator)
    Map<org.apache.kafka.common.Endpoint,? extends CompletionStage<Void>> | start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo)

    Methods inherited from class java.lang.Object

    equals, getClass, hashCode, notify, notifyAll, wait, wait, wait
  • Constructor Details

    • KeycloakAuthorizer

      public KeycloakAuthorizer()
  • Method Details

    • configure

      public void configure(Map<String,?> configs)
      Specified by:
      configure in interface org.apache.kafka.common.Configurable
    • start

      public Map<org.apache.kafka.common.Endpoint,? extends CompletionStage<Void>> start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo)
      Specified by:
      start in interface org.apache.kafka.server.authorizer.Authorizer
    • setAclMutator

      public void setAclMutator(org.apache.kafka.metadata.authorizer.AclMutator aclMutator)
      Specified by:
      setAclMutator in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • aclMutatorOrException

      public org.apache.kafka.metadata.authorizer.AclMutator aclMutatorOrException()
      Specified by:
      aclMutatorOrException in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • completeInitialLoad

      public void completeInitialLoad()
      Specified by:
      completeInitialLoad in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • completeInitialLoad

      public void completeInitialLoad(Exception e)
      Specified by:
      completeInitialLoad in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • loadSnapshot

      public void loadSnapshot(Map<org.apache.kafka.common.Uuid,org.apache.kafka.metadata.authorizer.StandardAcl> acls)
      Specified by:
      loadSnapshot in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • addAcl

      public void addAcl(org.apache.kafka.common.Uuid id, org.apache.kafka.metadata.authorizer.StandardAcl acl)
      Specified by:
      addAcl in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • removeAcl

      public void removeAcl(org.apache.kafka.common.Uuid id)
      Specified by:
      removeAcl in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • acls

      public Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter)
      Specified by:
      acls in interface org.apache.kafka.server.authorizer.Authorizer
    • createAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBinding> aclBindings)
      Specified by:
      createAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Specified by:
      createAcls in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • deleteAcls

      public List<? extends CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)
      Specified by:
      deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer
      Specified by:
      deleteAcls in interface org.apache.kafka.metadata.authorizer.ClusterMetadataAuthorizer
    • aclCount

      public int aclCount()
      Specified by:
      aclCount in interface org.apache.kafka.server.authorizer.Authorizer
    • authorizeByResourceType

      public org.apache.kafka.server.authorizer.AuthorizationResult authorizeByResourceType(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, org.apache.kafka.common.acl.AclOperation op, org.apache.kafka.common.resource.ResourceType resourceType)
      Specified by:
      authorizeByResourceType in interface org.apache.kafka.server.authorizer.Authorizer
    • authorize

      public List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, List<org.apache.kafka.server.authorizer.Action> actions)
      Specified by:
      authorize in interface org.apache.kafka.server.authorizer.Authorizer
    • close

      public void close() throws IOException
      Specified by:
      close in interface AutoCloseable
      Specified by:
      close in interface Closeable
      Throws:
      IOException
    • toString

      public String toString()
      Overrides:
      toString in class Object