Class KafkaPrincipal

  • All Implemented Interfaces:
    Principal

    public class KafkaPrincipal
    extends Object
    implements Principal

    Principals in Kafka are defined by a type and a name. The principal type will always be "User" for the simple authorizer that is enabled by default, but custom authorizers can leverage different principal types (such as to enable group or role-based ACLs). The KafkaPrincipalBuilder interface is used when you need to derive a different principal type from the authentication context, or when you need to represent relations between different principals. For example, you could extend KafkaPrincipal in order to link a user principal to one or more role principals.

    For custom extensions of KafkaPrincipal, there two key points to keep in mind:

    1. To be compatible with the ACL APIs provided by Kafka (including the command line tool), each ACL can only represent a permission granted to a single principal (consisting of a principal type and name). It is possible to use richer ACL semantics, but you must implement your own mechanisms for adding and removing ACLs.
    2. In general, KafkaPrincipal extensions are only useful when the corresponding Authorizer is also aware of the extension. If you have a KafkaPrincipalBuilder which derives user groups from the authentication context (e.g. from an SSL client certificate), then you need a custom authorizer which is capable of using the additional group information.