Jeremy Whitlock created KAFKA-13363:
---------------------------------------

             Summary: Add support for asynchronous authorization
                 Key: KAFKA-13363
                 URL: https://issues.apache.org/jira/browse/KAFKA-13363
             Project: Kafka
          Issue Type: Improvement
          Components: security
            Reporter: Jeremy Whitlock


In KIP-504 there was a mention of [Make authorize() asynchronous|https://cwiki.apache.org/confluence/display/KAFKA/KIP-504+-+Add+new+Java+Authorizer+Interface#KIP504AddnewJavaAuthorizerInterface-Makeauthorize()asynchronous],
saying _"In future, we can add async authorize as a new method on the API if 
required."_  Many high-performance systems out there _(Envoy, Kubernetes, ...)_ 
have external authorization mechanisms and I think it would be nice if Kafka 
did the same.  I am currently working on a Kafka integration, basically custom 
authn/authz modules that work with Apigee/Google, and the lack of asynchronous 
authorization makes the ideal approach impossible.  _(Ideally, an asynchronous 
authorize() would consult Apigee/Google and let the third party dictate what 
rules it enforced instead of expecting Kafka to do this, or having to drive 
Kafka's users/ACLs to perform only some of the authorization needs.)_



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
