Skip to content

Apache Kafka Authorizer (KIP-11) supporting both Kafka ACL and XACML (ABAC) policy evaluation

License

Notifications You must be signed in to change notification settings

DRIVER-EU/kafka-combined-acl-xacml-authorizer

Repository files navigation

XACML-enabled Authorizer for Apache Kafka

Terms

  • XACML: eXtensisble Access Control Markup Language for access policies and access requests/responses, standardized by OASIS.
  • PDP: Policy Decision Point, as defined in XACML standard.
  • PAP: Policy Administration Point, as defined in XACML standard.

Project description

This project provides an Authorizer implementation for Apache Kafka that extends the Kafa's default authorizer (kafka.security.auth.SimpleAclAuthorizer) to enable getting XACML authorization decisions from a XACML-enabled PDP's REST API as well, according to the REST Profile of XACML 3.0. AuthzForce Server and AuthzForce RESTful PDP both provide such REST API. Usually, the latter is enough for simple use cases, unless you need a PAP API, multi-tenancy, etc. in which case AuthzForce Server is a better fit (see the documentation for the full list of features)

In other terms, you can still use Kafka ACLs with this same authorizer as you would with the default one. XACML evaluation must be enabled explicitly by setting specific properties as described later below. XACML evaluation here stands for the extra process of getting a XACML authorization decision from a remote PDP according to the REST Profile of XACML 3.0.

The authorizer combines Kafka ACL evaluation with XACML evaluation as follows:

  • If ACL evaluation returns Permit, return Permit.
  • Else:
    • If XACML evaluation is disabled, return Deny.
    • Else: If and only if the result of XACML evaluation is Permit, return Permit.

Installation

Get the tar.gz distribution from the latest release on the GitHub repository and extract the files to some folder, e.g. /opt/authzforce-ce-kafka-extensions. You should have a lib folder inside.

Configuration

To enable the authorizer on Kafka, set the server's property:

authorizer.class.name=org.ow2.authzforce.kafka.pep.CombinedXacmlAclAuthorizer

To enable XACML evaluation, set the extra following authorizer properties:

  • org.ow2.authzforce.kafka.pep.xacml.pdp.url: XACML PDP resource's URL, as defined by REST Profile of XACML 3.0, §2.2.2, e.g. https://serverhostname/services/pdp for a AuthzForce RESTful PDP instance, or https://serverhostname/authzforce-ce/domains/XXX/pdp for a domain XXX on a AuthzForce Server instance.
  • org.ow2.authzforce.kafka.pep.http.client.cfg.location: location (URL supported by Spring {@link org.springframework.util.ResourceUtils}) of the HTTP client configuration as defined by Apache CXF format, required for SSL settings
  • org.ow2.authzforce.kafka.pep.authz.cache.size.max: maximum number of authorization decisions cached in memory (performance optimization). Cache disabled iff not strictly positive integer. If cache enabled and an access request matches a previous one in cache, the corresponding decision is retrieved from cache directly (no decision evaluation).
  • org.ow2.authzforce.kafka.pep.xacml.req.tmpl.location: location of a file that contains a Freemarker template of XACML Request formatted according to JSON Profile of XACML 3.0, in which you can use Freemarker expressions, enclosed between ${ and }, and have access to the following top-level variables from Kafka's authorization context:
Variable name Variable type Description
clientHost java.net.InetAddress client/user host name or IP address
principal org.apache.kafka.common.security.auth.KafkaPrincipal user principal
operation org.apache.kafka.common.acl.AclOperation operation
resourceType org.apache.kafka.common.resource.ResourceType resource type
resourceName String resource name

For an example of XACML Request template, see the file request.xacml.json.ftl in the source or in the same folder as this README if part of a release package (tar.gz). This example should be sufficient for most cases.

Starting Kafka

Make sure Zookeeper is started first:

~/DRIVER+/kafka_2.11-1.1.0$ bin/zookeeper-server-start.sh config/zookeeper.properties

Add the all JARs in the lib folder extracted earlier (Installation section) to the CLASSPATH environment variable before starting Kafka, for example:

~/DRIVER+/kafka_2.11-1.1.0$ CLASSPATH=/opt/authzforce-ce-kafka-extensions/lib/* bin/kafka-server-start.sh config/server.properties

Known issue

Group-based permission ineffective for topic metadata/offset access control

When calling poll(...) method, Java KafkaConsumers use DESCRIBE operation on topics to fetch topic metadata, before joining their consumer group (READ GROUP X) and reading topic data. Therefore, the Authorizer is unable to know the consumer group ID at this point. So group-based permissions cannot be used for topic metadata access control.

See issue #7.

About

Apache Kafka Authorizer (KIP-11) supporting both Kafka ACL and XACML (ABAC) policy evaluation

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published