+1 I think this proposal makes sense, given that the AuthorizationProvider interface already has dynamic methods for "isSuperUser" and "isTenantAdmin". Further, the AuthorizationService class already contains a method called "isProxyRole", which would likely be replaced as part of this PIP.
- Michael

On Tue, Aug 24, 2021 at 1:26 PM Chris Kellogg <cckell...@gmail.com> wrote:

> I would like to propose adding support for dynamic proxy roles. Currently,
> the only way to provide proxy roles is through the broker.conf file. This
> makes it challenging to automate cluster provisioning. Additionally, the
> hardcoding of the proxy roles in the broker.conf makes it difficult to
> revoke access to a proxy if that is needed.
>
> All other permissions (except the proxy role) can be dynamically determined
> through the Authorization framework (AuthorizationProvider interface). I
> propose adding a new method to the AuthorizationProvider to check whether
> or not a principal has the proxy role. This check would be similar to the
> isSuperUser method. This new method would allow custom authorization
> plugins to provide dynamic proxy roles and avoid having to hardcode them in
> the broker.conf file. The default implementation of this new method would
> use the list from the broker.conf file so the default behavior for proxy
> roles will not change.
>
> If there is interest in this I can put up a formal PIP.
>
> Thoughts?
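
Added example, not part of the thread and not Pulsar's own code: a Java sketch of the pattern the proposal describes, where a default method answers from the static configured list and a custom plugin overrides it with a store that supports revocation at runtime. The interface `ProxyRoleAuthorizer`, the method `configuredProxyRoles`, the class names and the role names are assumptions made for illustration; only the method name `isProxyRole` comes from the thread.

```java
import java.util.Set;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.ConcurrentHashMap;

public class DynamicProxyRoleSketch {
    // Hypothetical stand-in for the provider interface; not Pulsar's real signatures.
    interface ProxyRoleAuthorizer {
        // Static list, standing in for the proxy roles read from broker.conf.
        Set<String> configuredProxyRoles();

        // Default keeps the existing behaviour: membership in the configured list.
        default CompletableFuture<Boolean> isProxyRole(String role) {
            return CompletableFuture.completedFuture(
                    role != null && configuredProxyRoles().contains(role));
        }
    }

    // Custom plugin: roles live in a mutable store, so a grant or a revocation
    // takes effect on the next check without editing configuration.
    static class DynamicAuthorizer implements ProxyRoleAuthorizer {
        private final Set<String> store = ConcurrentHashMap.newKeySet();

        @Override
        public Set<String> configuredProxyRoles() { return Set.of(); }

        void grant(String role) { store.add(role); }
        void revoke(String role) { store.remove(role); }

        @Override
        public CompletableFuture<Boolean> isProxyRole(String role) {
            return CompletableFuture.completedFuture(role != null && store.contains(role));
        }
    }

    public static void main(String[] args) {
        // Constructed sample roles.
        ProxyRoleAuthorizer fromConf = () -> Set.of("proxy-admin");
        System.out.println("static, proxy-admin: " + fromConf.isProxyRole("proxy-admin").join());
        System.out.println("static, client-a:    " + fromConf.isProxyRole("client-a").join());

        DynamicAuthorizer dynamic = new DynamicAuthorizer();
        dynamic.grant("proxy-east");
        System.out.println("dynamic, granted:    " + dynamic.isProxyRole("proxy-east").join());
        dynamic.revoke("proxy-east");
        System.out.println("dynamic, revoked:    " + dynamic.isProxyRole("proxy-east").join());
        // A null or unknown role is denied rather than raising an exception.
        System.out.println("dynamic, null role:  " + dynamic.isProxyRole(null).join());
    }
}
```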