Package org.apache.kafka.common.security.auth

Class ConfluentPrincipal

java.lang.Object
org.apache.kafka.common.security.auth.KafkaPrincipal
org.apache.kafka.common.security.auth.ConfluentPrincipal
All Implemented Interfaces:
Principal
public class ConfluentPrincipal extends KafkaPrincipal
ConfluentPrincipal extends KafkaPrincipal to provide extra utility for principals.
  1. authorizationIds store all the authorization ids in one list which contributes to the authorization. Currently, this list contains may_act.principals + integerId in the case of the confluent token in the Confluent cloud and for any other mechanism, it contains the name of KafkaPrincipal.getName().
  2. groups this is specific to Confluent Platform. As part of OAuth support to Confluent Platform, groups can be obtained from the Oauth token. And these group principals are also used in final authorization.
    3. authorizationIds and groups can't be mixed as of now.
  3. identityMetadata this is specific to confluent cloud. It is used in Audit log in case of Oauth authentication.

  • Field Details

  • Constructor Details

    • ConfluentPrincipal

      public ConfluentPrincipal(String principalType, String name, String authenticationId)

    • ConfluentPrincipal

      public ConfluentPrincipal(String principalType, String name, String authenticationId, boolean delegationTokenAuthenticated)

    • ConfluentPrincipal

      public ConfluentPrincipal(String principalType, String name, String authenticationId, Optional<String> networkId, boolean delegationTokenAuthenticated, Set<String> groups)

    • ConfluentPrincipal

      public ConfluentPrincipal(String principalType, String name, String authenticationId, Optional<String> networkId, boolean delegationTokenAuthenticated, Set<String> groups, List<String> authorizationIds, IdentityMetadata identityMetadata)
      authorizationIds: Contains list of ids used in authorization. Authorization will be decided by following rule - If any id in the list have deny permission result will be denied - else if any id have allow permission result will allowed

  • Method Details

    • identityMetadata

      public IdentityMetadata identityMetadata()

    • maybeGetIdentityMetadata

      public Optional<IdentityMetadata> maybeGetIdentityMetadata()

    • authenticationId

      public String authenticationId()
      Returns the public credential (e.g. user name) if available. If not configured, the principal name is returned.

    • networkId

      public Optional<String> networkId()
      Returns the networkId if available, where the authentication request originated from.

    • authorizationIds

      public List<String> authorizationIds()
      Returns list of ids which will be used to authorize to request.

    • getGroups

      public Set<String> getGroups()
      Returns the principal groups if provided during authentication.

    • equals

      public boolean equals(Object o)
      Specified by:
      equals in interface Principal
      Overrides:
      equals in class KafkaPrincipal

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface Principal
      Overrides:
      hashCode in class KafkaPrincipal