홈
제품
Streams for Apache Kafka
2.5
AMQ Streams API Reference
Chapter 22. KafkaAuthorizationOpa schema reference

Chapter 22. KafkaAuthorizationOpa schema reference

Used in: KafkaClusterSpec

Full list of KafkaAuthorizationOpa schema properties

To use Open Policy Agent authorization, set the type property in the authorization section to the value opa, and configure OPA properties as required. AMQ Streams uses Open Policy Agent plugin for Kafka authorization as the authorizer. For more information about the format of the input data and policy examples, see Open Policy Agent plugin for Kafka authorization.

22.1. url
링크 복사

The URL used to connect to the Open Policy Agent server. The URL has to include the policy which will be queried by the authorizer. Required.

22.2. allowOnError
링크 복사

Defines whether a Kafka client should be allowed or denied by default when the authorizer fails to query the Open Policy Agent, for example, when it is temporarily unavailable. Defaults to false - all actions will be denied.

22.3. initialCacheCapacity
링크 복사

Initial capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to 5000.

22.4. maximumCacheSize
링크 복사

Maximum capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to 50000.

22.5. expireAfterMs
링크 복사

The expiration of the records kept in the local cache to avoid querying the Open Policy Agent for every request. Defines how often the cached authorization decisions are reloaded from the Open Policy Agent server. In milliseconds. Defaults to 3600000 milliseconds (1 hour).

22.6. tlsTrustedCertificates
링크 복사

Trusted certificates for TLS connection to the OPA server.

22.7. superUsers
링크 복사

A list of user principals treated as super users, so that they are always allowed without querying the open Policy Agent policy.

An example of Open Policy Agent authorizer configuration

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
  namespace: myproject
spec:
  kafka:
    # ...
    authorization:
      type: opa
      url: http://opa:8181/v1/data/kafka/allow
      allowOnError: false
      initialCacheCapacity: 1000
      maximumCacheSize: 10000
      expireAfterMs: 60000
      superUsers:
        - CN=fred
        - sam
        - CN=edward
    # ...

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: my-cluster
  namespace: myproject
spec:
  kafka:
    # ...
    authorization:
      type: opa
      url: http://opa:8181/v1/data/kafka/allow
      allowOnError: false
      initialCacheCapacity: 1000
      maximumCacheSize: 10000
      expireAfterMs: 60000
      superUsers:
        - CN=fred
        - sam
        - CN=edward
    # ...

Copy to Clipboard

Toggle word wrap

22.8. KafkaAuthorizationOpa schema properties
링크 복사

The type property is a discriminator that distinguishes use of the KafkaAuthorizationOpa type from KafkaAuthorizationSimple, KafkaAuthorizationKeycloak, KafkaAuthorizationCustom. It must have the value opa for the type KafkaAuthorizationOpa.

Expand

Property	Description
type	Must be `opa`.
string	Must be `opa`.
url	The URL used to connect to the Open Policy Agent server. The URL has to include the policy which will be queried by the authorizer. This option is required.
string
allowOnError	Defines whether a Kafka client should be allowed or denied by default when the authorizer fails to query the Open Policy Agent, for example, when it is temporarily unavailable). Defaults to `false` - all actions will be denied.
boolean
initialCacheCapacity	Initial capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request Defaults to `5000`.
integer
maximumCacheSize	Maximum capacity of the local cache used by the authorizer to avoid querying the Open Policy Agent for every request. Defaults to `50000`.
integer
expireAfterMs	The expiration of the records kept in the local cache to avoid querying the Open Policy Agent for every request. Defines how often the cached authorization decisions are reloaded from the Open Policy Agent server. In milliseconds. Defaults to `3600000`.
integer
tlsTrustedCertificates	Trusted certificates for TLS connection to the OPA server.
`CertSecretSource` array	Trusted certificates for TLS connection to the OPA server.
superUsers	List of super users, which is specifically a list of user principals that have unlimited access rights.
string array
enableMetrics	Defines whether the Open Policy Agent authorizer plugin should provide metrics. Defaults to `false`.
boolean

Chapter 22. KafkaAuthorizationOpa schema reference

22.1. url
링크 복사

22.2. allowOnError
링크 복사

22.3. initialCacheCapacity
링크 복사

22.4. maximumCacheSize
링크 복사

22.5. expireAfterMs
링크 복사

22.6. tlsTrustedCertificates
링크 복사

22.7. superUsers
링크 복사

22.8. KafkaAuthorizationOpa schema properties
링크 복사

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Chapter 22. KafkaAuthorizationOpa schema reference

22.1. url링크 복사링크가 클립보드에 복사되었습니다!

22.2. allowOnError링크 복사링크가 클립보드에 복사되었습니다!

22.3. initialCacheCapacity링크 복사링크가 클립보드에 복사되었습니다!

22.4. maximumCacheSize링크 복사링크가 클립보드에 복사되었습니다!

22.5. expireAfterMs링크 복사링크가 클립보드에 복사되었습니다!

22.6. tlsTrustedCertificates링크 복사링크가 클립보드에 복사되었습니다!

22.7. superUsers링크 복사링크가 클립보드에 복사되었습니다!

22.8. KafkaAuthorizationOpa schema properties링크 복사링크가 클립보드에 복사되었습니다!

자세한 정보

평가판, 구매 및 판매

커뮤니티

Red Hat 문서 정보

보다 포괄적 수용을 위한 오픈 소스 용어 교체

Red Hat 소개

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

22.1. url
링크 복사

22.2. allowOnError
링크 복사

22.3. initialCacheCapacity
링크 복사

22.4. maximumCacheSize
링크 복사

22.5. expireAfterMs
링크 복사

22.6. tlsTrustedCertificates
링크 복사

22.7. superUsers
링크 복사

22.8. KafkaAuthorizationOpa schema properties
링크 복사