Status

Current state: Closed (Covered by KIP-189)

Discussion thread: (Original Archive) (Markmail)

...

This KIP changes the Session class to accept a parameter of Java Principal type instead of KafkaPrincipal type.

This change will not affect the default ACL Authorizer (SimpleAclAuthorizer) as we would generate a KafkaPrincipal from the Java Principal in the default Authorizer.

Proposed Changes

  • Change the Session class to accept a parameter of type Java Principal instead of KafkaPrincipal.

    case class Session(principal: Principal, clientAddress: InetAddress)
  • The Authorizer can access this principal object as follows:

    public boolean authorize(RequestChannel.Session session, Operation operation, Resource resource) {
    ...
     Principal principal = session.principal();
     // Cast to the Principal type produced by the configured PrincipalBuilder.
     User_Defined_Principal userPrincipal = (User_Defined_Principal) principal;
    ...
    }
  • User_Defined_Principal is the Principal generated by the PrincipalBuilder and it implements Java Principal.
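
An added example (not from the KIP or the Kafka code base) of an authorizer consuming the generic Principal carried by the proposed Session: it checks the runtime type before use and denies anything it does not recognize, and it matches on type as well as name so that a service "XYZ" and a user "XYZ" stay distinct. The `TypedPrincipal` record, the stand-in `Session` record and the ACL contents are assumptions made up for illustration; it needs Java 17 or later.

```java
import java.net.InetAddress;
import java.security.Principal;
import java.util.Set;

public class TypedPrincipalAuthorizerDemo {
    // Stand-in for the proposed Session(principal: Principal, clientAddress: InetAddress).
    record Session(Principal principal, InetAddress clientAddress) {}

    // Hypothetical principal emitted by a custom PrincipalBuilder; it carries a type and a name.
    record TypedPrincipal(String type, String name) implements Principal {
        @Override public String getName() { return name; }
    }

    // Constructed ACL: only the service named XYZ is allowed.
    static final Set<TypedPrincipal> ALLOWED = Set.of(new TypedPrincipal("Service", "XYZ"));

    static boolean authorize(Session session) {
        // Check the runtime type instead of casting blindly: a principal built by an
        // unexpected PrincipalBuilder is denied rather than raising ClassCastException.
        if (!(session.principal() instanceof TypedPrincipal p)) {
            return false;
        }
        // Record equality compares type and name, so equal names alone do not match.
        return ALLOWED.contains(p);
    }

    public static void main(String[] args) {
        InetAddress addr = InetAddress.getLoopbackAddress();
        Principal service = new TypedPrincipal("Service", "XYZ");
        Principal user = new TypedPrincipal("User", "XYZ"); // same name, different type
        Principal foreign = () -> "XYZ";                    // plain Principal of another class

        System.out.println("service XYZ allowed: " + authorize(new Session(service, addr)));
        System.out.println("user XYZ allowed:    " + authorize(new Session(user, addr)));
        System.out.println("foreign XYZ allowed: " + authorize(new Session(foreign, addr)));
    }
}
```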

...

Rejected Alternatives

Alternative 1:

  • kafka-acls.sh will allow users to specify a custom PrincipalBuilder using a new command line parameter "--principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties". Users can use these to build their custom Principal (that implements Java Principal). Add a new API to the PrincipalBuilder interface:

    public interface PrincipalBuilder extends Configurable {
    ...
     /**
     * Build a Principal using name.
     *
     * @param name Principal name
     * @return Principal
     */
     Principal buildPrincipal(String name);
     
    ...
    }
  • This PrincipalBuilder API will then be used to generate a Principal using the names specified in --allow-principal and --deny-principal parameters. This Principal can be included in KafkaPrincipal using the new constructor specified above.
  • This alternative was rejected for the following reasons:
    1. Since the Principal is built using the "--principalBuilder-properties", users can only specify one particular type of Principal (using --allow-principal / --deny-principal) at a time.

    2. If users want to specify multiple types of Principals, they will have to run kafka-acls.sh multiple times with different "--principalBuilder-properties", even if the Principals have the same name. For example, we can have a service Principal with name "XYZ" and a user Principal with name "XYZ".

  • For the above reasons, this approach is less user-friendly and not intuitive.

Alternative 2:

  • Changes to kafka-acls.sh

    • kafka-acls.sh will allow users to specify a custom PrincipalBuilder class using a new command line parameter "--principalBuilder" and PrincipalBuilder configs using a new command line parameter "--principalBuilder-properties".
    • The "--allow-principal" parameter will take a list of properties as follows:

      bin/kafka-acls.sh ...... --principalBuilder <PrincipalBuilder-class> --principalBuilder-properties <PrincipalBuilder-properties> --add --allow-principal <principal-properties> --allow-principal <principal-properties> ...... --operations Read,Write --topic Test-topic
    • Add a new API to PrincipalBuilder:

      public interface PrincipalBuilder extends Configurable {
      ...
      
        /**
         * Build a Principal using the provided configs.
         *
         * @param  principalConfigs  configs used to create the Principal
         * @return Principal
         */
        Principal buildPrincipal(Map<String, ?> principalConfigs);
      
      ...
      }
    • The specified PrincipalBuilder class will be responsible for building the Principal using the <principal-properties>.
    • The Principal generated by this PrincipalBuilder can then be included in KafkaPrincipal using the new constructor specified above.
    • The "--principalBuilder" and "--principalBuilder-properties" parameters are optional. If they are not specified, kafka-acls.sh would still work as it does today.

  • This was rejected following discussion on the email thread: it is a nice-to-have feature, but there is no urgent need for it.

...