Skip to content
/ auth-for-apache-kafka Public

Aiven Authentication and Authorization Plugins for Apache Kafka®

License

Apache-2.0 license
2 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Aiven-Open/auth-for-apache-kafka

BranchesTags

Repository files navigation

Aiven Authentication and Authorization Plugins for Apache Kafka®

AivenAclAuthorizer

Aiven ACL authorizer. Implements ACL controls using JSON configuration file. Config file is watched for modifications and reloaded as necessary.

AivenAclEntry

Class implementing a single ACL entry verification. Principal, operation and resource are expressed as regular expressions.

Alternatively to straight regular expression for resource, AivenAclEntry can be given a resource pattern with back references to principal regex. This is used internally in Aiven to map project id from certificate subject into project specific management topics. We can thus avoid encoding separate rules for each project.

Permission type allows to define the verification result in case of an ACL match. By default, the permission type is ALLOW.

Example

[
    {
        "operation": "^(.*)$",
        "principal": (
            "^CN=(?<vmname>[a-z0-9-]+),OU=(?<nodeid>n[0-9]+),"
            "O=00000000-0000-a000-1000-(500000000005|a00000000001|b00000000001|d00000000001),ST=vm$"
        ),
        "principal_type": "Prune",
        "host": "*",
        "resource": "^(.*)$",
    },
    {
        "operation": "^(Describe|DescribeConfigs|Read|Write)$",
        "principal": "^CN=(?<vmname>[a-z0-9-]+),OU=(?<nodeid>n[0-9]+),O=(?<projectid>[a-f0-9-]+),ST=vm$",
        "principal_type": "Prune",
        "host": "*",
        "resource_pattern": "^Topic:${projectid}-(.*),
        "permission_type": "DENY"
    }
]

AivenKafkaPrincipalBuilder

Maps SSL Certificates to username principals. This allows us to utilize the same ACL rules regardless whether the authentication is done with SASL or certificates.

Configuration is done via a JSON config file.

AivenKafkaPrincipalMappingEntry

Class implementing a single mapping entry.

Takes a regular expression for capturing subject line.

Can be given optional principal argument to be used instead for the principal. If not given, the original certificate subject is retained.

Optional principal type can be given. This is useful in e.g. segregating normal users and system users into separate namespace.

Example

[
    {
        "subject_matcher": f"^CN=user,O=Aiven$",
        "principal_name": "username",
        "principal_type": "User",
    },
    {
        "subject_matcher": "^(.*),ST=service$",
        "principal_type": "Service",
    }
]

Trademarks

Apache Kafka is either a registered trademark or a trademark of the Apache Software Foundation in the United States and/or other countries.

About

Aiven Authentication and Authorization Plugins for Apache Kafka®

Topics

kafka authentication authorization aiven

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

67 watching

Forks

3 forks
Report repository

Releases 16

v4.5.0 Latest
Oct 16, 2024
+ 15 releases

Packages

No packages published

Contributors 21

+ 7 contributors

Languages