Red Hat SummitChapter 22. KafkaAuthorizationOpa schema reference
The type KafkaAuthorizationOpa has been deprecated. Please use KafkaAuthorizationCustom instead.
Used in: KafkaClusterSpec
Full list of KafkaAuthorizationOpa schema properties
Configures the Kafka custom resource to use Open Policy Agent authorization.
To use Open Policy Agent authorization, set the type property in the authorization section to the value opa, and configure OPA properties as required. Streams for Apache Kafka uses the Open Policy Agent plugin for Kafka authorization as the authorizer. For more information about the format of the input data and policy examples, see Open Policy Agent plugin for Kafka authorization.
The type: opa authorization is now deprecated and will be removed in the future. If you want to use the Open Policy Agent authorizer, you should use the type: custom authorization.
Example Open Policy Agent authorizer configuration using the type: custom API
apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
name: my-cluster
annotations:
strimzi.io/node-pools: enabled
strimzi.io/kraft: enabled
namespace: myproject
spec:
kafka:
# ...
authorization:
type: custom
authorizerClass: org.openpolicyagent.kafka.OpaAuthorizer
superUsers:
- CN=user-1
- user-2
- CN=user-3
config:
# OPA authorization options
opa.authorizer.url: http://opa:8181/v1/data/kafka/allow
opa.authorizer.cache.expire.after.seconds: 60
opa.authorizer.allow.on.error: false
opa.authorizer.cache.initial.capacity: 1000
opa.authorizer.cache.maximum.size: 10000
# ...22.1. KafkaAuthorizationOpa schema properties
The type property is a discriminator that distinguishes use of the KafkaAuthorizationOpa type from KafkaAuthorizationSimple, KafkaAuthorizationKeycloak, KafkaAuthorizationCustom. It must have the value opa for the type KafkaAuthorizationOpa.
| Property | Property type | Description |
|---|---|---|
| type | string |
Must be |
| url | string | The URL used to connect to the Open Policy Agent server. The URL has to include the policy which will be queried by the authorizer. This option is required. |
| allowOnError | boolean |
Defines whether a Kafka client should be allowed or denied by default when the authorizer fails to query the Open Policy Agent, for example, when it is temporarily unavailable). Defaults to |
| initialCacheCapacity | integer |
Initial capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request Defaults to |
| maximumCacheSize | integer |
Maximum capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to |
| expireAfterMs | integer |
The expiration of the records kept in the local cache to avoid querying the Open Policy Agent for every request. Defines how often the cached authorization decisions are reloaded from the Open Policy Agent server. In milliseconds. Defaults to |
| tlsTrustedCertificates |
| Trusted certificates for TLS connection to the OPA server. |
| superUsers | string array | List of super users, which is specifically a list of user principals that have unlimited access rights. |
| enableMetrics | boolean |
Defines whether the Open Policy Agent authorizer plugin should provide metrics. Defaults to |
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}