Chapter 23. KafkaAuthorizationKeycloak schema reference
Used in: KafkaClusterSpec
The type property is a discriminator that distinguishes use of the KafkaAuthorizationKeycloak type from KafkaAuthorizationSimple, KafkaAuthorizationOpa, KafkaAuthorizationCustom. It must have the value keycloak for the type KafkaAuthorizationKeycloak.
| Property | Property type | Description |
|---|---|---|
| type | string |
Must be |
| clientId | string | OAuth Client ID which the Kafka client can use to authenticate against the OAuth server and use the token endpoint URI. |
| tokenEndpointUri | string | Authorization server token endpoint URI. |
| tlsTrustedCertificates |
| Trusted certificates for TLS connection to the OAuth server. |
| disableTlsHostnameVerification | boolean |
Enable or disable TLS hostname verification. Default value is |
| delegateToKafkaAcls | boolean |
Whether authorization decision should be delegated to the 'Simple' authorizer if DENIED by Red Hat Single Sign-On Authorization Services policies. Default value is |
| grantsRefreshPeriodSeconds | integer | The time between two consecutive grants refresh runs in seconds. The default value is 60. |
| grantsRefreshPoolSize | integer | The number of threads to use to refresh grants for active sessions. The more threads, the more parallelism, so the sooner the job completes. However, using more threads places a heavier load on the authorization server. The default value is 5. |
| grantsGcPeriodSeconds | integer | The time, in seconds, between consecutive runs of a job that cleans stale grants from the cache. The default value is 300. |
| grantsAlwaysLatest | boolean |
Controls whether the latest grants are fetched for a new session. When enabled, grants are retrieved from Red Hat Single Sign-On and cached for the user. The default value is |
| superUsers | string array | List of super users. Should contain list of user principals which should get unlimited access rights. |
| connectTimeoutSeconds | integer | The connect timeout in seconds when connecting to authorization server. If not set, the effective connect timeout is 60 seconds. |
| readTimeoutSeconds | integer | The read timeout in seconds when connecting to authorization server. If not set, the effective read timeout is 60 seconds. |
| httpRetries | integer | The maximum number of retries to attempt if an initial HTTP request fails. If not set, the default is to not attempt any retries. |
| enableMetrics | boolean |
Enable or disable OAuth metrics. The default value is |
| includeAcceptHeader | boolean |
Whether the Accept header should be set in requests to the authorization servers. The default value is |
| grantsMaxIdleTimeSeconds | integer | The time, in seconds, after which an idle grant can be evicted from the cache. The default value is 300. |
