- Broker creates authorizer instance if configured in `authorizer.class.name`.
- Broker configures and starts authorizer instance. Authorizer implementation starts loading its metadata.
- Broker starts SocketServer to accept connections and process requests.
- For each listener, SocketServer waits for authorization metadata to be available in the authorizer before accepting connections. The future returned by `start(AuthorizerServerInfo)` for each listener must return only when authorizer is ready to authorize requests on the listener.
- Broker accepts connections. For each connection, broker performs authentication and then accepts Kafka requests. For each request, broker invokes `authorize(AuthorizableRequestContext, List)` to authorize actions performed by the request.
to enable dynamic reconfiguration without restarting the broker.
- All authorizer operations including authorization and ACL updates must be thread-safe.
- ACL update methods are asynchronous. Implementations with low update latency may return a completed future using `CompletableFuture.completedFuture(Object)`. This ensures that the request will be handled synchronously by the caller without using a purgatory to wait for the result. If ACL updates require remote communication which may block, return a future that is completed asynchronously when the remote operation completes. This enables the caller to process other requests on the request threads without blocking.
- Any threads or thread pools used for processing remote operations asynchronously can be started during `start(AuthorizerServerInfo)`. These threads must be shut down during
Method Summary

- `aclCount()`: Get the current number of ACLs, for the purpose of metrics.
- `acls`: Returns ACL bindings which match the provided filter.
- `authorize(AuthorizableRequestContext, List)`: Authorizes the specified action.
- `authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType)`: Check if the caller is authorized to perform the given ACL operation on at least one resource of the given type.
- `createAcls`: Creates new ACL bindings.
- `deleteAcls`: Deletes all ACL bindings that match the provided filters.
- `start(AuthorizerServerInfo)`: Starts loading authorization metadata and returns futures that can be used to wait until metadata for authorizing requests on each listener is available.
acls

Returns ACL bindings which match the provided filter.
This is a synchronous API designed for use with locally cached ACLs. This method is invoked on the request thread while processing DescribeAcls requests and should avoid time-consuming remote communication that may block request threads.
- Iterator for ACL bindings, which may be populated lazily.
aclCount

`default int aclCount()`

Get the current number of ACLs, for the purpose of metrics. Authorizers that don't implement this function will simply return -1.
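The startup and threading contract described above, as an added example that is not part of the Kafka documentation or code base: a minimal in-memory authorizer that returns per-listener futures from `start`, returns completed futures for local ACL updates, keeps its state thread-safe, and denies anything without a matching ALLOW entry. The class name and `loadFromStore` are hypothetical; the matching is deliberately narrow (exact principal and resource pattern, with DENY entries, hosts, prefixed and wildcard patterns not evaluated).

```java
import java.util.*;
import java.util.concurrent.*;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.server.authorizer.*;

// Added example, not Kafka's own authorizer: exact-principal, exact-pattern ALLOW matching only.
public class CachedAllowListAuthorizer implements Authorizer {
    private final Set<AclBinding> cache = ConcurrentHashMap.newKeySet(); // thread-safe local ACL cache
    private final ExecutorService loader = Executors.newSingleThreadExecutor();
    @Override public void configure(Map<String, ?> configs) { }
    @Override public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo info) {
        // Each listener's future completes only after the cache is loaded, so no request
        // is ever authorized against an empty or partial ACL set.
        CompletableFuture<Void> loaded = CompletableFuture.runAsync(this::loadFromStore, loader);
        return info.endpoints().stream().collect(Collectors.toMap(e -> e, e -> loaded));
    }
    private void loadFromStore() { /* hypothetical: read bindings from an ACL store into cache */ }
    @Override public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        String principal = ctx.principal().toString(); // e.g. "User:alice"
        return actions.stream().map(a -> cache.stream().anyMatch(b ->
                b.pattern().equals(a.resourcePattern())
                && b.entry().principal().equals(principal)
                && b.entry().operation() == a.operation()
                && b.entry().permissionType() == AclPermissionType.ALLOW)
            ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED) // no matching ALLOW: deny
            .collect(Collectors.toList());
    }
    @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(
            AuthorizableRequestContext ctx, List<AclBinding> bindings) {
        // Local update with no blocking I/O: return already-completed futures.
        return bindings.stream().map(b -> {
            cache.add(b);
            return CompletableFuture.completedFuture(AclCreateResult.SUCCESS);
        }).collect(Collectors.toList());
    }
    @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(
            AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
        return filters.stream().map(f -> {
            List<AclDeleteResult.AclBindingDeleteResult> hit = cache.stream().filter(f::matches)
                .map(AclDeleteResult.AclBindingDeleteResult::new).collect(Collectors.toList());
            hit.forEach(r -> cache.remove(r.aclBinding()));
            return CompletableFuture.completedFuture(new AclDeleteResult(hit));
        }).collect(Collectors.toList());
    }
    @Override public Iterable<AclBinding> acls(AclBindingFilter f) { return cache.stream().filter(f::matches).collect(Collectors.toList()); }
    @Override public int aclCount() { return cache.size(); }
    @Override public void close() { loader.shutdown(); } // stop the thread used by start()
}
```

If `createAcls` had to write to a remote store, it would instead return futures completed on `loader` (or another pool) so request threads are not blocked.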