@InterfaceStability.Evolving public interface Authorizer extends Configurable, Closeable
start(AuthorizerServerInfo) for each listener must return only when authorizer is ready to authorize requests on the listener.
authorize(AuthorizableRequestContext, List) to authorize actions performed by the request.
Reconfigurable to enable dynamic reconfiguration without restarting the broker.
Threading model:
CompletableFuture.completedFuture(Object). This ensures that the request will be handled synchronously by the caller without using a purgatory to wait for the result. If ACL updates require remote communication which may block, return a future that is completed asynchronously when the remote operation completes. This enables the caller to process other requests on the request threads without blocking.
start(AuthorizerServerInfo). These threads must be shut down during Closeable.close().

Modifier and Type | Method and Description |
---|---|
default int | aclCount(): Get the current number of ACLs, for the purpose of metrics. |
Iterable<AclBinding> | acls(AclBindingFilter filter): Returns ACL bindings which match the provided filter. |
default Iterable<AclBinding> | acls(AclBindingFilter filter, AclState aclState) |
List<AuthorizationResult> | authorize(AuthorizableRequestContext requestContext, List<Action> actions): Authorizes the specified action. |
default AuthorizationResult | authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType): Check if the caller is authorized to perform the given ACL operation on at least one resource of the given type. |
default Optional<AuthorizerConfig> | config() |
List<? extends CompletionStage<AclCreateResult>> | createAcls(AuthorizableRequestContext requestContext, List<AclBinding> aclBindings): Creates new ACL bindings. |
default List<? extends CompletionStage<AclCreateResult>> | createAcls(AuthorizableRequestContext requestContext, List<AclBinding> aclBindings, Optional<String> clusterId): Confluent extensions to Authorizer API |
List<? extends CompletionStage<AclDeleteResult>> | deleteAcls(AuthorizableRequestContext requestContext, List<AclBindingFilter> aclBindingFilters): Deletes all ACL bindings that match the provided filters. |
default List<? extends CompletionStage<AclDeleteResult>> | deleteAcls(AuthorizableRequestContext requestContext, List<AclBindingFilter> aclBindingFilters, Optional<String> clusterId, AclState aclState) |
default void | registerAclUpdateListener(AclUpdateListener aclUpdateListener): Authorizers which support ACL listeners for ACL updates should implement this method. |
Map<Endpoint,? extends CompletionStage<Void>> | start(AuthorizerServerInfo serverInfo): Starts loading authorization metadata and returns futures that can be used to wait until metadata for authorizing requests on each listener is available. |
configure
Map<Endpoint,? extends CompletionStage<Void>> start(AuthorizerServerInfo serverInfo)
serverInfo - Metadata for the broker including broker id and listener endpoints

List<AuthorizationResult> authorize(AuthorizableRequestContext requestContext, List<Action> actions)
This is a synchronous API designed for use with locally cached ACLs. Since this method is invoked on the request thread while processing each request, implementations of this method should avoid time-consuming remote communication that may block request threads.
requestContext - Request context including request type, security protocol and listener name
actions - Actions being authorized including resource and operation for each action

List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext requestContext, List<AclBinding> aclBindings)
This is an asynchronous API that enables the caller to avoid blocking during the update. Implementations of this API can return completed futures using CompletableFuture.completedFuture(Object) to process the update synchronously on the request thread.
requestContext - Request context if the ACL is being created by a broker to handle a client request to create ACLs. This may be null if ACLs are created directly in ZooKeeper using AclCommand.
aclBindings - ACL bindings to create

List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext requestContext, List<AclBindingFilter> aclBindingFilters)
This is an asynchronous API that enables the caller to avoid blocking during the update. Implementations of this API can return completed futures using CompletableFuture.completedFuture(Object) to process the update synchronously on the request thread.
Refer to the authorizer implementation docs for details on concurrent update guarantees.
requestContext - Request context if the ACL is being deleted by a broker to handle a client request to delete ACLs. This may be null if ACLs are deleted directly in ZooKeeper using AclCommand.
aclBindingFilters - Filters to match ACL bindings that are to be deleted

Iterable<AclBinding> acls(AclBindingFilter filter)
This is a synchronous API designed for use with locally cached ACLs. This method is invoked on the request thread while processing DescribeAcls requests and should avoid time-consuming remote communication that may block request threads.
default List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext requestContext, List<AclBinding> aclBindings, Optional<String> clusterId)
default List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext requestContext, List<AclBindingFilter> aclBindingFilters, Optional<String> clusterId, AclState aclState)
default Iterable<AclBinding> acls(AclBindingFilter filter, AclState aclState)
default int aclCount()
default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType)
requestContext - Request context including request type, security protocol and listener name
op - The ACL operation to check
resourceType - The resource type to check
AuthorizationResult.ALLOWED if the caller is authorized to perform the given ACL operation on at least one resource of the given type. Return AuthorizationResult.DENIED otherwise.

default void registerAclUpdateListener(AclUpdateListener aclUpdateListener)
default Optional<AuthorizerConfig> config()
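
The threading model and method contracts above, as an added example that is not Kafka's or Confluent's own code: a hypothetical InMemoryAuthorizer that answers authorize from a thread-safe local cache and returns already-completed futures from start, createAcls and deleteAcls. It assumes the Apache Kafka client classes are on the classpath and honors only exact-match bindings with a literal principal; wildcard principals, prefixed resource patterns and super users are outside its scope.

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.server.authorizer.*;

// Hypothetical class for illustration: deny by default, exact-match bindings only.
public class InMemoryAuthorizer implements Authorizer {
    private final Set<AclBinding> cache = new CopyOnWriteArraySet<>(); // thread-safe local cache
    @Override public void configure(Map<String, ?> configs) { }
    @Override public void close() { } // start() created no threads, nothing to shut down
    @Override public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo info) {
        // No remote metadata to load, so every listener's future is already complete.
        return info.endpoints().stream().collect(Collectors.toMap(e -> e, e -> CompletableFuture.<Void>completedFuture(null)));
    }
    @Override public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        return actions.stream().map(a -> decide(ctx, a)).collect(Collectors.toList());
    }
    private AuthorizationResult decide(AuthorizableRequestContext ctx, Action action) {
        String who = ctx.principal().toString(), host = ctx.clientAddress().getHostAddress();
        boolean allowed = false;
        for (AclBinding b : cache) {
            AccessControlEntry e = b.entry();
            boolean hostOk = e.host().equals("*") || e.host().equals(host);
            if (!hostOk || !e.principal().equals(who) || e.operation() != action.operation()
                    || !b.pattern().equals(action.resourcePattern())) continue;
            // A matching DENY entry overrides any ALLOW entry.
            if (e.permissionType() == AclPermissionType.DENY) return AuthorizationResult.DENIED;
            allowed |= e.permissionType() == AclPermissionType.ALLOW;
        }
        // No matching ALLOW entry means the action is denied.
        return allowed ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }
    @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(
            AuthorizableRequestContext ctx, List<AclBinding> bindings) { // ctx may be null
        cache.addAll(bindings); // fast local update: completed futures, no purgatory wait
        return bindings.stream().map(b -> CompletableFuture.completedFuture(AclCreateResult.SUCCESS))
            .collect(Collectors.toList());
    }
    @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
            AuthorizableRequestContext ctx, List<AclBindingFilter> filters) { // ctx may be null
        return filters.stream().map(f -> {
            List<AclDeleteResult.AclBindingDeleteResult> hit = cache.stream().filter(f::matches)
                .map(AclDeleteResult.AclBindingDeleteResult::new).collect(Collectors.toList());
            hit.forEach(r -> cache.remove(r.aclBinding()));
            return CompletableFuture.completedFuture(new AclDeleteResult(hit));
        }).collect(Collectors.toList());
    }
    @Override public Iterable<AclBinding> acls(AclBindingFilter f) { return cache.stream().filter(f::matches).collect(Collectors.toList()); }
}
```

An implementation whose ACL store is remote would instead complete these futures from its own thread pool, started in start(AuthorizerServerInfo) and shut down in close().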