org.apache.kafka.common.security.auth

Class ConfluentPrincipal

java.lang.Object

org.apache.kafka.common.security.auth.KafkaPrincipal

org.apache.kafka.common.security.auth.ConfluentPrincipal

All Implemented Interfaces:

Principal

public class ConfluentPrincipal
extends KafkaPrincipal

ConfluentPrincipal extends KafkaPrincipal to provide extra utility for principals.

1. authorizationIds store all the authorization ids in one list which contributes to the authorization. Currently, this list contains may_act.principals + integerId in the case of the confluent token in the Confluent cloud and for any other mechanism, it contains the name of KafkaPrincipal.getName().
2. groups this is specific to Confluent Platform. As part of OAuth support to Confluent Platform, groups can be obtained from the Oauth token. And these group principals are also used in final authorization.
authorizationIds and groups can't be mixed as of now.
3. identityMetadata this is specific to confluent cloud. It is used in Audit log in case of Oauth authentication.

Field Summary

Fields

Modifier and Type	Field and Description
static String	GROUP_TYPE

Fields inherited from class org.apache.kafka.common.security.auth.KafkaPrincipal

ANONYMOUS, USER_TYPE

Constructor Summary

Constructors

Constructor and Description
ConfluentPrincipal(String principalType, String name, String authenticationId)
ConfluentPrincipal(String principalType, String name, String authenticationId, boolean delegationTokenAuthenticated)
ConfluentPrincipal(String principalType, String name, String authenticationId, Optional<String> networkId, boolean delegationTokenAuthenticated, Set<String> groups)
ConfluentPrincipal(String principalType, String name, String authenticationId, Optional<String> networkId, boolean delegationTokenAuthenticated, Set<String> groups, List<String> authorizationIds, IdentityMetadata identityMetadata) authorizationIds: Contains list of ids used in authorization.

Method Summary

Modifier and Type	Method and Description
String	authenticationId() Returns the public credential (e.g.
List<String>	authorizationIds() Returns list of ids which will be used to authorize to request.
boolean	equals(Object o)
Set<String>	getGroups() Returns the principal groups if provided during authentication.
int	hashCode()
IdentityMetadata	identityMetadata()
Optional<IdentityMetadata>	maybeGetIdentityMetadata()
Optional<String>	networkId() Returns the networkId if available, where the authentication request originated from.

Methods inherited from class org.apache.kafka.common.security.auth.KafkaPrincipal

getName, getPrincipalType, tokenAuthenticated, tokenAuthenticated, toString

Methods inherited from class java.lang.Object

getClass, notify, notifyAll, wait, wait, wait

Methods inherited from interface java.security.Principal

implies

Field Detail

GROUP_TYPE

public static final String GROUP_TYPE

See Also:

Constant Field Values

Constructor Detail

ConfluentPrincipal

public ConfluentPrincipal(String principalType,
                          String name,
                          String authenticationId)

ConfluentPrincipal

public ConfluentPrincipal(String principalType,
                          String name,
                          String authenticationId,
                          boolean delegationTokenAuthenticated)

ConfluentPrincipal

public ConfluentPrincipal(String principalType,
                          String name,
                          String authenticationId,
                          Optional<String> networkId,
                          boolean delegationTokenAuthenticated,
                          Set<String> groups)

ConfluentPrincipal

public ConfluentPrincipal(String principalType,
                          String name,
                          String authenticationId,
                          Optional<String> networkId,
                          boolean delegationTokenAuthenticated,
                          Set<String> groups,
                          List<String> authorizationIds,
                          IdentityMetadata identityMetadata)

authorizationIds: Contains list of ids used in authorization. Authorization will be decided by following rule - If any id in the list have deny permission result will be denied - else if any id have allow permission result will allowed

Method Detail

identityMetadata

public IdentityMetadata identityMetadata()

maybeGetIdentityMetadata

public Optional<IdentityMetadata> maybeGetIdentityMetadata()

authenticationId

public String authenticationId()

Returns the public credential (e.g. user name) if available. If not configured, the principal name is returned.

networkId

public Optional<String> networkId()

Returns the networkId if available, where the authentication request originated from.

authorizationIds

public List<String> authorizationIds()

Returns list of ids which will be used to authorize to request.

getGroups

public Set<String> getGroups()

Returns the principal groups if provided during authentication.

equals

public boolean equals(Object o)

Specified by:

equals in interface Principal

Overrides:

equals in class KafkaPrincipal

hashCode

public int hashCode()

Specified by:

hashCode in interface Principal

Overrides:

hashCode in class KafkaPrincipal