io.strimzi.kafka.oauth.server.authorizer

Class KeycloakRBACAuthorizer

java.lang.Object

io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer

All Implemented Interfaces:

java.io.Closeable, java.lang.AutoCloseable, org.apache.kafka.common.Configurable, org.apache.kafka.server.authorizer.Authorizer

Deprecated.

@Deprecated
public class KeycloakRBACAuthorizer
extends java.lang.Object
implements org.apache.kafka.server.authorizer.Authorizer

An authorizer that grants access based on security policies managed in Keycloak Authorization Services. It works in conjunction with JaasServerOauthValidatorCallbackHandler, and requires OAuthKafkaPrincipalBuilder to be configured as 'principal.builder.class' in 'server.properties' file.

To install this authorizer in Kafka, specify the following in your 'server.properties':

     authorizer.class.name=io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer
     principal.builder.class=io.strimzi.kafka.oauth.server.OAuthKafkaPrincipalBuilder
 

This authorizer only supports Kafka running in 'zookeeper' mode. It does not support 'KRaft' mode. There is a KeycloakAuthorizer class that auto-detects the environment and works both in 'KRaft' and 'zookeeper' mode, that should be used instead of this class.

There is additional configuration that needs to be specified in order for this authorizer to work.

Note: The following configuration keys can be specified as properties in Kafka `server.properties` file, or as ENV vars in which case an all-uppercase key name is also attempted with '.' replaced by '_' (e.g. STRIMZI_AUTHORIZATION_TOKEN_ENDPOINT_URI). They can also be specified as system properties. The priority is in reverse - system property overrides the ENV var, which overrides `server.properties`.

Required configuration:

• strimzi.authorization.token.endpoint.uri A URL of the Keycloak's token endpoint (e.g. https://keycloak:8443/auth/realms/master/protocol/openid-connect/token).
  If not present, oauth.token.endpoint.uri is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication.
• strimzi.authorization.client.id A client id of the OAuth client definition in Keycloak, that has Authorization Services enabled.
  Typically it is called 'kafka'. If not present, oauth.client.id is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication.

Optional configuration:

• strimzi.authorization.kafka.cluster.name The name of this cluster, used to target permissions to specific Kafka cluster, making it possible to manage multiple clusters within the same Keycloak realm.
  The default value is kafka-cluster.
• strimzi.authorization.delegate.to.kafka.acl Whether authorization decision should be delegated to ACLAuthorizer if DENIED by Keycloak Authorization Services policies.
  The default value is false.
• strimzi.authorization.grants.refresh.period.seconds The time interval for refreshing the grants of the active sessions. The scheduled job iterates over active sessions and fetches a fresh list of grants for each.
  The default value is 60.
• strimzi.authorization.grants.refresh.pool.size The number of threads used to fetch grants from token endpoint (in parallel).
  The default value is 5.
• strimzi.authorization.reuse.grants Set this option to 'false' if you want every new session to reload and cache new grants for the user rather than using existing ones from the cache. The default value is true
• strimzi.authorization.grants.max.idle.time.seconds The time limit in seconds of a cached grant not being accessed. After that time it will be evicted from grants cache to prevent possibly stale remnant sessions from consuming memory.
  The default value is 300.
• strimzi.authorization.grants.gc.period.seconds A time in seconds between two consecutive runs of the background job that evicts idle or expired grants from cache.
  The default value is 300.
• strimzi.authorization.http.retries The number of times to retry fetch grants from token endpoint.
  The retry is immediate without pausing due to the authorize() method holding up the Kafka worker thread. The default is 0 i.e. no retries.
• strimzi.authorization.connect.timeout.seconds The maximum time to wait when establishing the connection to the authorization server.
  The default value is 60. If not present, oauth.connect.timeout.seconds is used as a fallback configuration key to avoid unnecessary duplication when already present.
• strimzi.authorization.read.timeout.seconds The maximum time to wait to read the response from the authorization server after the connection has been established and request sent.
  The default value is 60. If not present, oauth.read.timeout.seconds is used as a fallback configuration key to avoid unnecessary duplication when already present.
• strimzi.authorization.enable.metrics Set this to 'true' to enable authorizer metrics.
  The default value is false. If not present, oauth.enable.metrics is used as a fallback configuration key to avoid unnecessary duplication when already present as ENV or a system property with intent to enable OAuth and Keycloak authorizer metrics at the broker level.

TLS configuration:

• strimzi.authorization.ssl.truststore.location The location of the truststore file on the filesystem.
  If not present, oauth.ssl.truststore.location is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication.
• strimzi.authorization.ssl.truststore.password The password for the truststore.
  If not present, oauth.ssl.truststore.password is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication.
• strimzi.authorization.ssl.truststore.type The truststore type.
  If not present, oauth.ssl.truststore.type is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication. If not set, the Java KeyStore default type is used.
• strimzi.authorization.ssl.secure.random.implementation The random number generator implementation. See Java SDK documentation.
  If not present, oauth.ssl.secure.random.implementation is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication. If not set, the Java platform SDK default is used.
• strimzi.authorization.ssl.endpoint.identification.algorithm Specify how to perform hostname verification. If set to empty string the hostname verification is turned off.
  If not present, oauth.ssl.endpoint.identification.algorithm is used as a fallback configuration key to avoid unnecessary duplication when already present for the purpose of client authentication. If not set, the default value is HTTPS which enforces hostname verification for server certificates.

This authorizer honors the super.users configuration. Super users are automatically granted any authorization request.

Constructor Summary

Constructors

Constructor and Description
KeycloakRBACAuthorizer() Deprecated. Create a new instance

Method Summary

Modifier and Type	Method and Description
java.lang.Iterable<org.apache.kafka.common.acl.AclBinding>	acls(org.apache.kafka.common.acl.AclBindingFilter filter) Deprecated.
java.util.List<org.apache.kafka.server.authorizer.AuthorizationResult>	authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, java.util.List<org.apache.kafka.server.authorizer.Action> actions) Deprecated. The method that makes the authorization decision.
void	close() Deprecated.
void	configure(java.util.Map<java.lang.String,?> configs) Deprecated.
java.util.List<? extends java.util.concurrent.CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>>	createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, java.util.List<org.apache.kafka.common.acl.AclBinding> aclBindings) Deprecated.
java.util.List<? extends java.util.concurrent.CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>>	deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext, java.util.List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters) Deprecated.
java.util.Map<org.apache.kafka.common.Endpoint,? extends java.util.concurrent.CompletionStage<java.lang.Void>>	start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo) Deprecated.
java.lang.String	toString() Deprecated.

Methods inherited from class java.lang.Object

equals, getClass, hashCode, notify, notifyAll, wait, wait, wait

Methods inherited from interface org.apache.kafka.server.authorizer.Authorizer

aclCount, authorizeByResourceType

Constructor Detail

KeycloakRBACAuthorizer

public KeycloakRBACAuthorizer()

Deprecated.

Create a new instance

Method Detail

configure

public void configure(java.util.Map<java.lang.String,?> configs)

Deprecated.

Specified by:

configure in interface org.apache.kafka.common.Configurable

authorize

public java.util.List<org.apache.kafka.server.authorizer.AuthorizationResult> authorize(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                        java.util.List<org.apache.kafka.server.authorizer.Action> actions)

Deprecated.

The method that makes the authorization decision.

We assume authorize() is thread-safe in a sense that there will not be two concurrent threads calling it at the same time for the same session.

Should that not be the case, the side effect could be to make more calls to token endpoint than necessary. Other than that it should not affect proper functioning of this authorizer.

Specified by:

authorize in interface org.apache.kafka.server.authorizer.Authorizer

Parameters:

requestContext - Request context including request type, security protocol and listener name

actions - Actions being authorized including resource and operation for each action

Returns:

List of authorization results for each action in the same order as the provided actions

close

public void close()

Deprecated.

Specified by:

close in interface java.io.Closeable

Specified by:

close in interface java.lang.AutoCloseable

start

public java.util.Map<org.apache.kafka.common.Endpoint,? extends java.util.concurrent.CompletionStage<java.lang.Void>> start(org.apache.kafka.server.authorizer.AuthorizerServerInfo serverInfo)

Deprecated.

Specified by:

start in interface org.apache.kafka.server.authorizer.Authorizer

createAcls

public java.util.List<? extends java.util.concurrent.CompletionStage<org.apache.kafka.server.authorizer.AclCreateResult>> createAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                                                     java.util.List<org.apache.kafka.common.acl.AclBinding> aclBindings)

Deprecated.

Specified by:

createAcls in interface org.apache.kafka.server.authorizer.Authorizer

deleteAcls

public java.util.List<? extends java.util.concurrent.CompletionStage<org.apache.kafka.server.authorizer.AclDeleteResult>> deleteAcls(org.apache.kafka.server.authorizer.AuthorizableRequestContext requestContext,
                                                                                                                                     java.util.List<org.apache.kafka.common.acl.AclBindingFilter> aclBindingFilters)

Deprecated.

Specified by:

deleteAcls in interface org.apache.kafka.server.authorizer.Authorizer

acls

public java.lang.Iterable<org.apache.kafka.common.acl.AclBinding> acls(org.apache.kafka.common.acl.AclBindingFilter filter)

Deprecated.

Specified by:

acls in interface org.apache.kafka.server.authorizer.Authorizer

toString

public java.lang.String toString()

Deprecated.

Overrides:

toString in class java.lang.Object