https://github.com/aiven-open/auth-for-apache-kafka
Aiven Authentication and Authorization Plugins for Apache Kafka®
https://github.com/aiven-open/auth-for-apache-kafka
aiven authentication authorization kafka
Last synced: 10 months ago
JSON representation
Aiven Authentication and Authorization Plugins for Apache Kafka®
- Host: GitHub
- URL: https://github.com/aiven-open/auth-for-apache-kafka
- Owner: Aiven-Open
- License: apache-2.0
- Created: 2019-06-15T15:35:25.000Z (about 7 years ago)
- Default Branch: main
- Last Pushed: 2025-07-01T11:12:14.000Z (12 months ago)
- Last Synced: 2025-07-01T11:46:20.657Z (12 months ago)
- Topics: aiven, authentication, authorization, kafka
- Language: Java
- Homepage:
- Size: 724 KB
- Stars: 2
- Watchers: 60
- Forks: 4
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Codeowners: .github/CODEOWNERS
- Security: SECURITY.md
Awesome Lists containing this project
README
# Aiven Authentication and Authorization Plugins for Apache Kafka®
## AivenAclAuthorizer
Aiven ACL authorizer. Implements ACL controls using JSON configuration file.
Config file is watched for modifications and reloaded as necessary.
### AivenAclEntry
Class implementing a single ACL entry verification. Principal and
resource are expressed as regular expressions.
Alternatively to straight regular expression for resource, AivenAclEntry can
be given a resource pattern with back references to principal regex, a literal
match or a prefixed match. The first is used internally in Aiven to map project
id from certificate subject into project specific management topics. We can thus
avoid encoding separate rules for each project. Literal and prefixed matchers
work as defined in the Apache Kafka documentation. Only one resource matcher can be
specified per acl.
Operations can be expressed as a list of operation names, or in deprecated mode
as regular expression in `operation` field. If both are defined, `operations`
takes precedence. For operations listed with operation names, also implicit Decribe
is supported if Read, Write, Alter, or Delete is allowed, and implicit
DescribeConfigs if AlterConfigs is allowed.
Permission type allows to define the verification result in case of an ACL match.
By default, the permission type is `ALLOW`.
A specific ACL entry can be hidden from public listing by setting hidden flag.
### Example
[
{
"operations": ["All"],
"principal": (
"^CN=(?[a-z0-9-]+),OU=(?n[0-9]+),"
"O=00000000-0000-a000-1000-(500000000005|a00000000001|b00000000001|d00000000001),ST=vm$"
),
"principal_type": "Prune",
"host": "*",
"resource": "^(.*)$",
"hidden": true
},
{
"operations": ["Describe", "DescribeConfigs", "Read", "Write"],
"operation": "^(Describe|DescribeConfigs|Read|Write)$",
"principal": "^CN=(?[a-z0-9-]+),OU=(?n[0-9]+),O=(?[a-f0-9-]+),ST=vm$",
"principal_type": "Prune",
"host": "*",
"resource_pattern": "^Topic:${projectid}-(.*),
"permission_type": "DENY"
}
]
## AivenKafkaPrincipalBuilder
Maps SSL Certificates to username principals. This allows us to utilize the
same ACL rules regardless whether the authentication is done with SASL or
certificates.
Configuration is done via a JSON config file.
### AivenKafkaPrincipalMappingEntry
Class implementing a single mapping entry.
Takes a regular expression for capturing subject line.
Can be given optional principal argument to be used instead for the principal.
If not given, the original certificate subject is retained.
Optional principal type can be given. This is useful in e.g. segregating normal
users and system users into separate namespace.
### Example
[
{
"subject_matcher": f"^CN=user,O=Aiven$",
"principal_name": "username",
"principal_type": "User",
},
{
"subject_matcher": "^(.*),ST=service$",
"principal_type": "Service",
}
]
## Trademarks
Apache Kafka is either a registered trademark or a trademark of the Apache Software Foundation in the United States and/or other countries.