Interface Authorizer
-
- All Superinterfaces:
java.lang.AutoCloseable
,java.io.Closeable
,Configurable
@Evolving public interface Authorizer extends Configurable, java.io.Closeable
Pluggable authorizer interface for Kafka brokers. Startup sequence in brokers:- Broker creates authorizer instance if configured in `authorizer.class.name`.
- Broker configures and starts authorizer instance. Authorizer implementation starts loading its metadata.
- Broker starts SocketServer to accept connections and process requests.
- For each listener, SocketServer waits for authorization metadata to be available in the
authorizer before accepting connections. The future returned by
start(AuthorizerServerInfo)
for each listener must return only when authorizer is ready to authorize requests on the listener. - Broker accepts connections. For each connection, broker performs authentication and then accepts Kafka requests.
For each request, broker invokes
authorize(AuthorizableRequestContext, List)
to authorize actions performed by the request.
Reconfigurable
to enable dynamic reconfiguration without restarting the broker.Threading model:
- All authorizer operations including authorization and ACL updates must be thread-safe.
- ACL update methods are asynchronous. Implementations with low update latency may return a
completed future using
CompletableFuture.completedFuture(Object)
. This ensures that the request will be handled synchronously by the caller without using a purgatory to wait for the result. If ACL updates require remote communication which may block, return a future that is completed asynchronously when the remote operation completes. This enables the caller to process other requests on the request threads without blocking. - Any threads or thread pools used for processing remote operations asynchronously can be started during
start(AuthorizerServerInfo)
. These threads must be shutdown duringCloseable.close()
.
-
-
Method Summary
All Methods Instance Methods Abstract Methods Modifier and Type Method Description java.lang.Iterable<AclBinding>
acls(AclBindingFilter filter)
Returns ACL bindings which match the provided filter.java.util.List<AuthorizationResult>
authorize(AuthorizableRequestContext requestContext, java.util.List<Action> actions)
Authorizes the specified action.java.util.List<? extends java.util.concurrent.CompletionStage<AclCreateResult>>
createAcls(AuthorizableRequestContext requestContext, java.util.List<AclBinding> aclBindings)
Creates new ACL bindings.java.util.List<? extends java.util.concurrent.CompletionStage<AclDeleteResult>>
deleteAcls(AuthorizableRequestContext requestContext, java.util.List<AclBindingFilter> aclBindingFilters)
Deletes all ACL bindings that match the provided filters.java.util.Map<Endpoint,? extends java.util.concurrent.CompletionStage<java.lang.Void>>
start(AuthorizerServerInfo serverInfo)
Starts loading authorization metadata and returns futures that can be used to wait until metadata for authorizing requests on each listener is available.-
Methods inherited from interface org.apache.kafka.common.Configurable
configure
-
-
-
-
Method Detail
-
start
java.util.Map<Endpoint,? extends java.util.concurrent.CompletionStage<java.lang.Void>> start(AuthorizerServerInfo serverInfo)
Starts loading authorization metadata and returns futures that can be used to wait until metadata for authorizing requests on each listener is available. Each listener will be started only after its metadata is available and authorizer is ready to start authorizing requests on that listener.- Parameters:
serverInfo
- Metadata for the broker including broker id and listener endpoints- Returns:
- CompletionStage for each endpoint that completes when authorizer is ready to start authorizing requests on that listener.
-
authorize
java.util.List<AuthorizationResult> authorize(AuthorizableRequestContext requestContext, java.util.List<Action> actions)
Authorizes the specified action. Additional metadata for the action is specified in `requestContext`.This is a synchronous API designed for use with locally cached ACLs. Since this method is invoked on the request thread while processing each request, implementations of this method should avoid time-consuming remote communication that may block request threads.
- Parameters:
requestContext
- Request context including request type, security protocol and listener nameactions
- Actions being authorized including resource and operation for each action- Returns:
- List of authorization results for each action in the same order as the provided actions
-
createAcls
java.util.List<? extends java.util.concurrent.CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext requestContext, java.util.List<AclBinding> aclBindings)
Creates new ACL bindings.This is an asynchronous API that enables the caller to avoid blocking during the update. Implementations of this API can return completed futures using
CompletableFuture.completedFuture(Object)
to process the update synchronously on the request thread.- Parameters:
requestContext
- Request context if the ACL is being created by a broker to handle a client request to create ACLs. This may be null if ACLs are created directly in ZooKeeper using AclCommand.aclBindings
- ACL bindings to create- Returns:
- Create result for each ACL binding in the same order as in the input list. Each result is returned as a CompletionStage that completes when the result is available.
-
deleteAcls
java.util.List<? extends java.util.concurrent.CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext requestContext, java.util.List<AclBindingFilter> aclBindingFilters)
Deletes all ACL bindings that match the provided filters.This is an asynchronous API that enables the caller to avoid blocking during the update. Implementations of this API can return completed futures using
CompletableFuture.completedFuture(Object)
to process the update synchronously on the request thread.Refer to the authorizer implementation docs for details on concurrent update guarantees.
- Parameters:
requestContext
- Request context if the ACL is being deleted by a broker to handle a client request to delete ACLs. This may be null if ACLs are deleted directly in ZooKeeper using AclCommand.aclBindingFilters
- Filters to match ACL bindings that are to be deleted- Returns:
- Delete result for each filter in the same order as in the input list. Each result indicates which ACL bindings were actually deleted as well as any bindings that matched but could not be deleted. Each result is returned as a CompletionStage that completes when the result is available.
-
acls
java.lang.Iterable<AclBinding> acls(AclBindingFilter filter)
Returns ACL bindings which match the provided filter.This is a synchronous API designed for use with locally cached ACLs. This method is invoked on the request thread while processing DescribeAcls requests and should avoid time-consuming remote communication that may block request threads.
- Returns:
- Iterator for ACL bindings, which may be populated lazily.
-
-