When implementing a custom Authorizer, one has to map authorization requests coming from Kafka to a different backend system.
The following table lists all the authorization combinations that can come from Kafka as of 2.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken | Notes |
|---|---|---|---|---|---|---|
| Produce | Write | | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | | |
| Produce (Transactional) | Write | | | Write | | |
| Fetch (Follower) | Read | | ClusterAction | | | |
| Fetch (Consumer) | Read | | | | | |
| ListOffsets | Describe | | | | | |
| Metadata | Describe | | | | | |
| LeaderAndIsr | | | ClusterAction | | | |
| StopReplica | | | ClusterAction | | | |
| UpdateMetadata | | | ClusterAction | | | |
| ControlledShutdown | | | ClusterAction | | | |
| OffsetCommit | Read | Read | | | | |
| OffsetFetch | Describe | Describe | | | | |
| FindCoordinator (Group) | | Describe | | | | |
| FindCoordinator (Transaction) | | | | Describe | | |
| JoinGroup | | Read | | | | |
| Heartbeat | | Read | | | | |
| LeaveGroup | | Read | | | | |
| SyncGroup | | Read | | | | |
| DescribeGroups | | Describe | | | | |
| ListGroups | | | Describe | | | |
| SaslHandshake | | | | | | |
| ApiVersions | | | | | | |
| CreateTopics | Create (Added in 2.0) | | Create | | | From 2.0 onwards, CREATE permission on Topic OR CREATE permission on Cluster is required. |
| DeleteTopics | Delete | | | | | |
| DeleteRecords | Delete | | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | | |
| InitProducerId (Transaction) | | | | Write | | |
| OffsetsForLeaderEpoch | | | ClusterAction | | | |
| AddPartitionsToTxn | Write | | | Write | | |
| AddOffsetsToTxn | | Read | | Write | | |
| EndTxn | | | | Write | | |
| WriteTxnMarkers | | | ClusterAction | | | |
| TxnOffsetCommit | Read | Read | | Write | | |
| DescribeAcls | | | Describe | | | |
| CreateAcls | | | Alter | | | |
| DeleteAcls | | | Alter | | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | | |
| AlterConfigs (Topic) | AlterConfigs | | | | | |
| AlterReplicaLogDirs | | | Alter | | | |
| DescribeLogDirs | | | Describe | | | |
| SaslAuthenticate | | | | | | |
| CreatePartitions | Alter | | | | | |
| CreateDelegationToken | | | | | | |
| RenewDelegationToken | | | | | | |
| ExpireDelegationToken | | | | | | |
| DescribeDelegationTokens | | | | | Describe | |
| DeleteGroups | | Delete | | | | |

The following table lists all the authorization combinations that can come from Kafka as of 1.1.0:

| Request | Topic | Group | Cluster (singleton) | TransactionalId | DelegationToken |
|---|---|---|---|---|---|
| Produce | Write | | | | |
| Produce (Idempotent) | Write | | IdempotentWrite | | |
| Produce (Transactional) | Write | | | Write | |
| Fetch (Follower) | Read | | ClusterAction | | |
| Fetch (Consumer) | Read | | | | |
| ListOffsets | Describe | | | | |
| Metadata | Describe | | | | |
| LeaderAndIsr | | | ClusterAction | | |
| StopReplica | | | ClusterAction | | |
| UpdateMetadata | | | ClusterAction | | |
| ControlledShutdown | | | ClusterAction | | |
| OffsetCommit | Read | Read | | | |
| OffsetFetch | Describe | Describe | | | |
| FindCoordinator (Group) | | Describe | | | |
| FindCoordinator (Transaction) | | | | Describe | |
| JoinGroup | | Read | | | |
| Heartbeat | | Read | | | |
| LeaveGroup | | Read | | | |
| SyncGroup | | Read | | | |
| DescribeGroups | | Describe | | | |
| ListGroups | | | Describe | | |
| SaslHandshake | | | | | |
| ApiVersions | | | | | |
| CreateTopics | | | Create | | |
| DeleteTopics | Delete | | | | |
| DeleteRecords | Delete | | | | |
| InitProducerId (Idempotent) | | | IdempotentWrite | | |
| InitProducerId (Transaction) | | | | Write | |
| OffsetsForLeaderEpoch | | | ClusterAction | | |
| AddPartitionsToTxn | Write | | | Write | |
| AddOffsetsToTxn | | Read | | Write | |
| EndTxn | | | | Write | |
| WriteTxnMarkers | | | ClusterAction | | |
| TxnOffsetCommit | Read | Read | | Write | |
| DescribeAcls | | | Describe | | |
| CreateAcls | | | Alter | | |
| DeleteAcls | | | Alter | | |
| DescribeConfigs (Broker) | | | DescribeConfigs | | |
| DescribeConfigs (Topic) | DescribeConfigs | | | | |
| AlterConfigs (Broker) | | | AlterConfigs | | |
| AlterConfigs (Topic) | AlterConfigs | | | | |
| AlterReplicaLogDirs | | | Alter | | |
| DescribeLogDirs | | | Describe | | |
| SaslAuthenticate | | | | | |
| CreatePartitions | Alter | | | | |
| CreateDelegationToken | | | | | |
| RenewDelegationToken | | | | | |
| ExpireDelegationToken | | | | | |
| DescribeDelegationTokens | | | | | Describe |
| DeleteGroups | | Delete | | | |
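
A backend mapping written against the 1.1.0 table does not cover the Topic-level Create check that 2.0 introduces. The following sketch is an added example, not Kafka code: it audits a mapping against both tables and denies any unmapped combination by default. The backend permission names (`kafka.<resource>.<operation>`) and all function names are assumptions made for illustration.

```python
# (resource type -> operations) the broker can ask about, per the 1.1.0 table above.
KAFKA_1_1 = {
    "Topic": {"Write", "Read", "Describe", "Delete", "Alter",
              "DescribeConfigs", "AlterConfigs"},
    "Group": {"Read", "Describe", "Delete"},
    "Cluster": {"IdempotentWrite", "ClusterAction", "Describe", "Create",
                "Alter", "DescribeConfigs", "AlterConfigs"},
    "TransactionalId": {"Write", "Describe"},
    "DelegationToken": {"Describe"},
}
# The 2.0 table adds Create on Topic (CreateTopics row).
KAFKA_2_0 = {**KAFKA_1_1, "Topic": KAFKA_1_1["Topic"] | {"Create"}}


def build_mapping(table):
    """Map each (resource type, operation) pair to a backend permission.

    The naming scheme is hypothetical; a real backend has its own names.
    """
    return {(r, op): f"kafka.{r}.{op}".lower()
            for r, ops in table.items() for op in ops}


def unmapped_pairs(table, mapping):
    """Pairs the broker can ask about that the mapping does not cover."""
    return sorted((r, op) for r, ops in table.items() for op in ops
                  if (r, op) not in mapping)


def authorize(mapping, granted, resource_type, operation):
    """Deny by default: an unmapped pair is never allowed."""
    perm = mapping.get((resource_type, operation))
    return perm is not None and perm in granted


def can_create_topic(mapping, granted):
    """2.0 CreateTopics rule: Create on Cluster OR Create on Topic."""
    return (authorize(mapping, granted, "Cluster", "Create")
            or authorize(mapping, granted, "Topic", "Create"))
```

Running `unmapped_pairs` against the table for the target broker version before an upgrade shows which backend permissions still have to be defined.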