When implementing a custom Authorizer, one has to map authorization requests coming from Kafka to a different backend system.
The following table lists all the authorization combinations that can come from Kafka as of 2.0:
...
| API | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken | Notes |
|---|---|---|---|---|---|---|
| Produce | Write | | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | | |
| Produce (Transactional) | Write | | | Write | | |
| Fetch (Follower) | Read | | ClusterAction | | | |
| Fetch (Consumer) | Read | | | | | |
| ListOffsets | Describe | | | | | |
| Metadata | Describe | | | | | |
| LeaderAndIsr | | | ClusterAction | | | |
| StopReplica | | | ClusterAction | | | |
| UpdateMetadata | | | ClusterAction | | | |
| ControlledShutdown | | | ClusterAction | | | |
| OffsetCommit | Read | Read | | | | |
| OffsetFetch | Describe | Describe | | | | |
| FindCoordinator (Group) | | Describe | | | | |
| FindCoordinator (Transaction) | | | | Describe | | |
| JoinGroup | | Read | | | | |
| Heartbeat | | Read | | | | |
| LeaveGroup | | Read | | | | |
| SyncGroup | | Read | | | | |
| DescribeGroups | | Describe | | | | |
| ListGroups | | | Describe | | | |
| SaslHandshake | | | | | | |
| ApiVersions | | | | | | |
| CreateTopics | Create (Added in 2.0) | | Create | | | From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required. |
| DeleteTopics | Delete | | | | | |
| DeleteRecords | Delete | | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | | |
| InitProducerId (Transaction) | | | | Write | | |
| OffsetsForLeaderEpoch | | | ClusterAction | | | |
| AddPartitionsToTxn | Write | | | Write | | |
| AddOffsetsToTxn | | Read | | Write | | |
| EndTxn | | | | Write | | |
| WriteTxnMarkers | | | ClusterAction | | | |
| TxnOffsetCommit | Read | Read | | Write | | |
| DescribeAcls | | | Describe | | | |
| CreateAcls | | | Alter | | | |
| DeleteAcls | | | Alter | | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | | |
| AlterConfigs (Topic) | AlterConfigs | | | | | |
| AlterReplicaLogDirs | | | Alter | | | |
| DescribeLogDirs | | | Describe | | | |
| SaslAuthenticate | | | | | | |
| CreatePartitions | Alter | | | | | |
| CreateDelegationToken | | | | | | |
| RenewDelegationToken | | | | | | |
| ExpireDelegationToken | | | | | | |
| DescribeDelegationTokens | | | | | Describe | |
| DeleteGroups | | Delete | | | | |

The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:
...
| API | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |
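
A custom Authorizer's backend mapping can be checked against these tables before a broker upgrade. The following is an added example, not Kafka code and not from the original page: a Python model of a deny-by-default translation layer with a coverage check, showing what a mapping written for 1.1.0 misses under 2.0. The backend permission strings, the grants and all function names are constructed for illustration; `kafka-cluster` is the name Kafka gives the singleton Cluster resource.

```python
# (resource type, operation) pairs read from the tables above, present in both versions.
COMMON = {
    "Topic": {"Write", "Read", "Describe", "Delete", "DescribeConfigs",
              "AlterConfigs", "Alter"},
    "Group": {"Read", "Describe", "Delete"},
    "Cluster": {"IdempotentWrite", "ClusterAction", "Create", "Describe",
                "Alter", "DescribeConfigs", "AlterConfigs"},
    "TransactionalId": {"Write", "Describe"},
    "DelegationToken": {"Describe"},
}

def required_pairs(version):
    """Every (resource type, operation) pair the broker can ask about."""
    pairs = {(rt, op) for rt, ops in COMMON.items() for op in ops}
    if version >= (2, 0):
        pairs.add(("Topic", "Create"))  # CreateTopics row, added in 2.0
    return pairs

def coverage_gaps(mapping, version):
    """Pairs the backend mapping cannot translate; each one is always denied."""
    return sorted(required_pairs(version) - set(mapping))

def authorize(mapping, grants, resource_type, operation, name):
    """Translate one Kafka check to a backend permission; deny if unmapped."""
    perm = mapping.get((resource_type, operation))
    return perm is not None and (perm, name) in grants

def can_create_topic(mapping, grants, topic, version):
    """CreateTopics rule: Cluster Create, or from 2.0 also Create on the topic."""
    if authorize(mapping, grants, "Cluster", "Create", "kafka-cluster"):
        return True
    return version >= (2, 0) and authorize(mapping, grants, "Topic", "Create", topic)

# Constructed backend mappings: one written against the 1.1.0 table, one against 2.0.
MAPPING_1_1 = {pair: "kafka:%s:%s" % pair for pair in required_pairs((1, 1))}
MAPPING_2_0 = {pair: "kafka:%s:%s" % pair for pair in required_pairs((2, 0))}
# Constructed grants: this principal may only create the topic "orders".
GRANTS = {("kafka:Topic:Create", "orders")}

if __name__ == "__main__":
    print("gaps when 1.1.0 mapping meets 2.0:", coverage_gaps(MAPPING_1_1, (2, 0)))
    print("create 'orders' with 1.1.0 mapping:",
          can_create_topic(MAPPING_1_1, GRANTS, "orders", (2, 0)))
    print("create 'orders' with 2.0 mapping:",
          can_create_topic(MAPPING_2_0, GRANTS, "orders", (2, 0)))
```

Denying unmapped combinations keeps the 1.1.0 mapping safe under 2.0, but topic-scoped Create grants have no effect until the mapping is extended.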