- XACML: eXtensisble Access Control Markup Language for access policies and access requests/responses, standardized by OASIS.
- PDP: Policy Decision Point, as defined in XACML standard.
- PAP: Policy Administration Point, as defined in XACML standard.
This project provides an Authorizer implementation for Apache Kafka that extends the Kafa's default authorizer (kafka.security.auth.SimpleAclAuthorizer
) to enable getting XACML authorization decisions from a XACML-enabled PDP's REST API as well, according to the REST Profile of XACML 3.0. AuthzForce Server and AuthzForce RESTful PDP both provide such REST API. Usually, the latter is enough for simple use cases, unless you need a PAP API, multi-tenancy, etc. in which case AuthzForce Server is a better fit (see the documentation for the full list of features)
In other terms, you can still use Kafka ACLs with this same authorizer as you would with the default one. XACML evaluation must be enabled explicitly by setting specific properties as described later below. XACML evaluation here stands for the extra process of getting a XACML authorization decision from a remote PDP according to the REST Profile of XACML 3.0.
The authorizer combines Kafka ACL evaluation with XACML evaluation as follows:
- If ACL evaluation returns Permit, return Permit.
- Else:
- If XACML evaluation is disabled, return Deny.
- Else: If and only if the result of XACML evaluation is Permit, return Permit.
Get the tar.gz
distribution from the latest release on the GitHub repository and extract the files to some folder, e.g. /opt/authzforce-ce-kafka-extensions
. You should have a lib
folder inside.
To enable the authorizer on Kafka, set the server's property:
authorizer.class.name=org.ow2.authzforce.kafka.pep.CombinedXacmlAclAuthorizer
To enable XACML evaluation, set the extra following authorizer properties:
org.ow2.authzforce.kafka.pep.xacml.pdp.url
: XACML PDP resource's URL, as defined by REST Profile of XACML 3.0, §2.2.2, e.g.https://serverhostname/services/pdp
for a AuthzForce RESTful PDP instance, orhttps://serverhostname/authzforce-ce/domains/XXX/pdp
for a domainXXX
on a AuthzForce Server instance.org.ow2.authzforce.kafka.pep.http.client.cfg.location
: location (URL supported by Spring {@link org.springframework.util.ResourceUtils}) of the HTTP client configuration as defined by Apache CXF format, required for SSL settingsorg.ow2.authzforce.kafka.pep.authz.cache.size.max
: maximum number of authorization decisions cached in memory (performance optimization). Cache disabled iff not strictly positive integer. If cache enabled and an access request matches a previous one in cache, the corresponding decision is retrieved from cache directly (no decision evaluation).org.ow2.authzforce.kafka.pep.xacml.req.tmpl.location
: location of a file that contains a Freemarker template of XACML Request formatted according to JSON Profile of XACML 3.0, in which you can use Freemarker expressions, enclosed between${
and}
, and have access to the following top-level variables from Kafka's authorization context:
Variable name | Variable type | Description |
---|---|---|
clientHost |
java.net.InetAddress | client/user host name or IP address |
principal |
org.apache.kafka.common.security.auth.KafkaPrincipal | user principal |
operation |
org.apache.kafka.common.acl.AclOperation | operation |
resourceType |
org.apache.kafka.common.resource.ResourceType | resource type |
resourceName |
String |
resource name |
For an example of XACML Request template, see the file request.xacml.json.ftl
in the source or in the same folder as this README if part of a release package (tar.gz). This example should be sufficient for most cases.
Make sure Zookeeper is started first:
~/DRIVER+/kafka_2.11-1.1.0$ bin/zookeeper-server-start.sh config/zookeeper.properties
Add the all JARs in the lib
folder extracted earlier (Installation section) to the CLASSPATH environment variable before starting Kafka, for example:
~/DRIVER+/kafka_2.11-1.1.0$ CLASSPATH=/opt/authzforce-ce-kafka-extensions/lib/* bin/kafka-server-start.sh config/server.properties
When calling poll(...) method, Java KafkaConsumers use DESCRIBE operation on topics to fetch topic metadata, before joining their consumer group (READ GROUP X) and reading topic data. Therefore, the Authorizer is unable to know the consumer group ID at this point. So group-based permissions cannot be used for topic metadata access control.
See issue #7.