{"id":19693838,"url":"https://github.com/aiven-open/auth-for-apache-kafka","last_synced_at":"2025-08-18T15:07:50.283Z","repository":{"id":39261915,"uuid":"192094965","full_name":"Aiven-Open/auth-for-apache-kafka","owner":"Aiven-Open","description":"Aiven Authentication and Authorization Plugins for Apache Kafka®","archived":false,"fork":false,"pushed_at":"2025-07-01T11:12:14.000Z","size":741,"stargazers_count":2,"open_issues_count":2,"forks_count":4,"subscribers_count":60,"default_branch":"main","last_synced_at":"2025-07-01T11:46:20.657Z","etag":null,"topics":["aiven","authentication","authorization","kafka"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Aiven-Open.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2019-06-15T15:35:25.000Z","updated_at":"2025-07-01T11:12:16.000Z","dependencies_parsed_at":"2023-07-26T10:48:55.384Z","dependency_job_id":"ffd44f24-1713-47ee-bf56-eefa087573f4","html_url":"https://github.com/Aiven-Open/auth-for-apache-kafka","commit_stats":null,"previous_names":["aiven-open/auth-for-apache-kafka"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/Aiven-Open/auth-for-apache-kafka","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fauth-for-apache-kafka","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fauth-for-apache-kafka/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Ai
ven-Open%2Fauth-for-apache-kafka/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fauth-for-apache-kafka/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Aiven-Open","download_url":"https://codeload.github.com/Aiven-Open/auth-for-apache-kafka/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Aiven-Open%2Fauth-for-apache-kafka/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":271012232,"owners_count":24684508,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-18T02:00:08.743Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["aiven","authentication","authorization","kafka"],"created_at":"2024-11-11T19:18:22.316Z","updated_at":"2025-08-18T15:07:50.258Z","avatar_url":"https://github.com/Aiven-Open.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Aiven Authentication and Authorization Plugins for Apache Kafka®\n\n## AivenAclAuthorizer\n\nAiven ACL authorizer. Implements ACL controls using JSON configuration file.\nConfig file is watched for modifications and reloaded as necessary.\n\n### AivenAclEntry\n\nClass implementing a single ACL entry verification. 
Principal and\nresource are expressed as regular expressions.\n\nAs an alternative to a plain regular expression for the resource, AivenAclEntry can\nbe given a resource pattern with back references to the principal regex, a literal\nmatch or a prefixed match. The first is used internally in Aiven to map the project\nid from the certificate subject into project-specific management topics. We can thus\navoid encoding separate rules for each project. Literal and prefixed matchers\nwork as defined in the Apache Kafka documentation. Only one resource matcher can be\nspecified per ACL.\n\nOperations can be expressed as a list of operation names, or in deprecated mode\nas a regular expression in the `operation` field.  If both are defined, `operations`\ntakes precedence.  For operations listed with operation names, implicit Describe\nis also supported if Read, Write, Alter, or Delete is allowed, and implicit\nDescribeConfigs if AlterConfigs is allowed.\n\nPermission type defines the verification result in case of an ACL match.\nBy default, the permission type is `ALLOW`.\n\nA specific ACL entry can be hidden from public listing by setting the hidden flag.\n\n### Example\n\n    [\n        {\n            \"operations\": [\"All\"],\n            \"principal\": \"^CN=(?\u003cvmname\u003e[a-z0-9-]+),OU=(?\u003cnodeid\u003en[0-9]+),O=00000000-0000-a000-1000-(500000000005|a00000000001|b00000000001|d00000000001),ST=vm$\",\n            \"principal_type\": \"Prune\",\n            \"host\": \"*\",\n            \"resource\": \"^(.*)$\",\n            \"hidden\": true\n        },\n        {\n            \"operations\": [\"Describe\", \"DescribeConfigs\", \"Read\", \"Write\"],\n            \"operation\": \"^(Describe|DescribeConfigs|Read|Write)$\",\n            \"principal\": \"^CN=(?\u003cvmname\u003e[a-z0-9-]+),OU=(?\u003cnodeid\u003en[0-9]+),O=(?\u003cprojectid\u003e[a-f0-9-]+),ST=vm$\",\n            \"principal_type\": \"Prune\",\n            
\"host\": \"*\",\n            \"resource_pattern\": \"^Topic:${projectid}-(.*)\",\n            \"permission_type\": \"DENY\"\n        }\n    ]\n\n## AivenKafkaPrincipalBuilder\n\nMaps SSL Certificates to username principals. This allows us to utilize the\nsame ACL rules regardless of whether the authentication is done with SASL or\ncertificates.\n\nConfiguration is done via a JSON config file.\n\n### AivenKafkaPrincipalMappingEntry\n\nClass implementing a single mapping entry.\n\nTakes a regular expression for capturing the subject line.\n\nCan be given an optional principal argument to be used as the principal instead.\nIf not given, the original certificate subject is retained.\n\nAn optional principal type can be given. This is useful, e.g., for segregating normal\nusers and system users into separate namespaces.\n\n### Example\n\n    [\n        {\n            \"subject_matcher\": \"^CN=user,O=Aiven$\",\n            \"principal_name\": \"username\",\n            \"principal_type\": \"User\"\n        },\n        {\n            \"subject_matcher\": \"^(.*),ST=service$\",\n            \"principal_type\": \"Service\"\n        }\n    ]\n\n## Trademarks\n\nApache Kafka is either a registered trademark or a trademark of the Apache Software Foundation in the United States and/or other countries.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fauth-for-apache-kafka","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faiven-open%2Fauth-for-apache-kafka","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faiven-open%2Fauth-for-apache-kafka/lists"}