When implementing a custom Authorizer, one has to map authorization requests coming from Kafka to a different backend system.


The following table lists all the authorization combinations that can come from Kafka as of 2.0:



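| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | Create (Added in 2.0) | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |

Note on CreateTopics: From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required.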
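The following sketch is an added example, not code from Kafka or from this page: it encodes a few rows of the 2.0 table and shows one way a custom authorizer could translate each (resource type, operation) check into a backend permission while denying anything it has no mapping for. The `kafka:<type>:<name>:<op>` permission scheme, the function names and the sample resource names are assumptions made for illustration.

```python
# Added example. Rows are a subset of the 2.0 table above: request -> list of
# checks; each check lists alternatives, any one of which satisfies it.
T, G, C, X = "Topic", "Group", "Cluster", "TransactionalId"
TABLE_2_0 = {
    "Produce (Transactional)":       [[(T, "Write")], [(X, "Write")]],
    "InitProducerId (Transaction)":  [[(X, "Write")]],
    "FindCoordinator (Transaction)": [[(X, "Describe")]],
    "AddPartitionsToTxn":            [[(T, "Write")], [(X, "Write")]],
    "AddOffsetsToTxn":               [[(G, "Read")], [(X, "Write")]],
    "TxnOffsetCommit":               [[(T, "Read")], [(G, "Read")], [(X, "Write")]],
    "EndTxn":                        [[(X, "Write")]],
    "CreateTopics":                  [[(T, "Create"), (C, "Create")]],  # Topic OR Cluster
    "ApiVersions":                   [],  # the table lists no check for this request
}
# Every (resource type, operation) pair these rows can produce.
KNOWN_PAIRS = {pair for checks in TABLE_2_0.values() for alts in checks for pair in alts}

def backend_permission(rtype, op, name):
    """Translate one Kafka check into a backend permission string (hypothetical scheme)."""
    if (rtype, op) not in KNOWN_PAIRS:
        raise ValueError(f"unmapped combination: {op} on {rtype}")
    return f"kafka:{rtype.lower()}:{name}:{op.lower()}"

def authorize(grants, rtype, op, name):
    """Single authorizer decision; combinations outside the table are denied."""
    try:
        return backend_permission(rtype, op, name) in grants
    except ValueError:
        return False

def request_allowed(grants, request, names):
    """Replay every check the table lists for a request; unknown requests are denied."""
    if request not in TABLE_2_0:
        return False
    return all(any(authorize(grants, t, op, names[t]) for t, op in alts)
               for alts in TABLE_2_0[request])

def grants_for(requests, names):
    """Grant set to provision for a client, taking the first alternative of each check."""
    return {backend_permission(t, op, names[t])
            for r in requests for alts in TABLE_2_0[r] for t, op in alts[:1]}

# Constructed sample resource names and request mix for a transactional producer.
NAMES = {T: "orders", G: "billing", C: "kafka-cluster", X: "tx-1"}
TXN_PRODUCER = ["FindCoordinator (Transaction)", "InitProducerId (Transaction)",
                "AddPartitionsToTxn", "Produce (Transactional)", "EndTxn"]
```
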




The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:



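| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |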

