Chapter 24. KafkaAuthorizationCustom schema reference
Used in: KafkaClusterSpec
Full list of KafkaAuthorizationCustom
schema properties
To use custom authorization in Streams for Apache Kafka, you can configure your own Authorizer
plugin to define Access Control Lists (ACLs).
ACLs allow you to define which users have access to which resources at a granular level.
Configure the Kafka
custom resource to use custom authorization. Set the type
property in the authorization
section to the value custom
, and configure a list of super users.
The custom authorizer must implement the org.apache.kafka.server.authorizer.Authorizer
interface, and support configuration of super users using the super.users
configuration property.
24.1. authorizerClass
(Required) Java class that implements the org.apache.kafka.server.authorizer.Authorizer
interface to support custom ACLs.
24.2. superUsers
A list of user principals treated as super users, so that they are always allowed without querying ACL rules.
The super.user
configuration option in the config
property in Kafka.spec.kafka
is ignored. Designate super users in the authorization
property instead. For more information, see Kafka broker configuration.
24.3. Additional configuration options
You can add additional configuration for initializing the custom authorizer using Kafka.spec.kafka.config
.
An example of custom authorization configuration under Kafka.spec
apiVersion: kafka.strimzi.io/v1beta2 kind: Kafka metadata: name: my-cluster namespace: myproject spec: kafka: # ... authorization: type: custom authorizerClass: io.mycompany.CustomAuthorizer superUsers: - CN=client_1 - user_2 - CN=client_3 # ... config: authorization.custom.property1=value1 authorization.custom.property2=value2 # ...
24.4. Adding custom authorizer JAR files to the container image
In addition to the Kafka
custom resource configuration, the JAR files containing the custom authorizer class along with its dependencies must be available on the classpath of the Kafka broker.
You can add them by building Streams for Apache Kafka from the source-code. The Streams for Apache Kafka build process provides a mechanism to add custom third-party libraries to the generated Kafka broker container image by adding them as dependencies in the pom.xml
file under the docker-images/artifacts/kafka-thirdparty-libs
directory. The directory contains different folders for different Kafka versions. Choose the appropriate folder. Before modifying the pom.xml
file, the third-party library must be available in a Maven repository, and that Maven repository must be accessible to the Streams for Apache Kafka build process.
Alternatively, you can add the JARs to an existing Streams for Apache Kafka container image:
FROM registry.redhat.io/amq-streams/kafka-37-rhel9:2.7.0
USER root:root
COPY ./my-authorizer/ /opt/kafka/libs/
USER 1001
24.5. Using custom authorizers with OAuth authentication
When using oauth
authentication with a groupsClaim
configuration to extract user group information from JWT tokens, group information can be used in custom authorization calls. Groups are accessible through the OAuthKafkaPrincipal
object during custom authorization calls, as follows:
public List<AuthorizationResult> authorize(AuthorizableRequestContext requestContext, List<Action> actions) { KafkaPrincipal principal = requestContext.principal(); if (principal instanceof OAuthKafkaPrincipal) { OAuthKafkaPrincipal p = (OAuthKafkaPrincipal) principal; for (String group: p.getGroups()) { System.out.println("Group: " + group); } } }
24.6. KafkaAuthorizationCustom
schema properties
The type
property is a discriminator that distinguishes use of the KafkaAuthorizationCustom
type from KafkaAuthorizationSimple
, KafkaAuthorizationOpa
, KafkaAuthorizationKeycloak
. It must have the value custom
for the type KafkaAuthorizationCustom
.
Property | Property type | Description |
---|---|---|
type | string |
Must be |
authorizerClass | string | Authorization implementation class, which must be available in classpath. |
superUsers | string array | List of super users, which are user principals with unlimited access rights. |
supportsAdminApi | boolean |
Indicates whether the custom authorizer supports the APIs for managing ACLs using the Kafka Admin API. Defaults to |