[
https://issues.apache.org/jira/browse/KAFKA-7617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16704458#comment-16704458
]
ASF GitHub Bot commented on KAFKA-7617:
---
omkreddy closed pull request #5906: KAFKA-7617: Add authorization primitives to
security page
URL: https://github.com/apache/kafka/pull/5906
This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:
As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):
diff --git a/docs/security.html b/docs/security.html
index 5f6d0aceb8e..28c506c7c0e 100644
--- a/docs/security.html
+++ b/docs/security.html
@@ -1258,6 +1258,450 @@ Examples
+Authorization Primitives
+Protocol calls are usually performing some operations on certain
resources in Kafka. It is required to know the
+operations and resources to set up effective protection. In this
section we'll list these operations and
+resources, then list the combination of these with the protocols to
see the valid scenarios.
+Operations in
Kafka
+There are a few operation primitives that can be used to build up
privileges. These can be matched up with
+certain resources to allow specific protocol calls for a given user.
These are:
+
+Read
+Write
+Create
+Delete
+Alter
+Describe
+ClusterAction
+DescribeConfigs
+AlterConfigs
+IdempotentWrite
+All
+
+Resources in
Kafka
+The operations above can be applied on certain resources which are
described below.
+
+Topic: this simply represents a Topic. All protocol calls
that are acting on topics (such as reading,
+writing them) require the corresponding privilege to be added. If
there is an authorization error with a
+topic resource, then a TOPIC_AUTHORIZATION_FAILED (error code: 29)
will be returned.
+Group: this represents the consumer groups in the brokers.
All protocol calls that are working with
+consumer groups, like joining a group must have privileges with
the group in subject. If the privilege is not
+given then a GROUP_AUTHORIZATION_FAILED (error code: 30) will be
returned in the protocol response.
+Cluster: this resource represents the cluster. Operations
that are affecting the whole cluster, like
+controlled shutdown are protected by privileges on the Cluster
resource. If there is an authorization problem
+on a cluster resource, then a CLUSTER_AUTHORIZATION_FAILED (error
code: 31) will be returned.
+TransactionalId: this resource represents actions related
to transactions, such as committing.
+If any error occurs, then a TRANSACTIONAL_ID_AUTHORIZATION_FAILED
(error code: 53) will be returned by brokers.
+DelegationToken: this represents the delegation tokens in
the cluster. Actions, such as describing
+delegation tokens could be protected by a privilege on the
DelegationToken resource. Since these objects have
+a little special behavior in Kafka it is recommended to read
+https://cwiki.apache.org/confluence/display/KAFKA/KIP-48+Delegation+token+support+for+Kafka#KIP-48DelegationtokensupportforKafka-DescribeDelegationTokenRequest;>KIP-48
+and the related upstream documentation at Authentication using Delegation
Tokens.
+
+Operations and Resources on
Protocols
+In the below table we'll list the valid operations on resources that
are executed by the Kafka API protocols.
+
+
+
+Protocol (API key)
+Operation
+Resource
+Note
+
+
+
+
+PRODUCE (0)
+Write
+TransactionalId
+An transactional producer which has its transactional.id set
requires this privilege.
+
+
+PRODUCE (0)
+IdempotentWrite
+Cluster
+An idempotent produce action requires this privilege.
+
+
+PRODUCE (0)
+Write
+Topic
+This applies to a normal produce action.
+
+
+FETCH (1)
+ClusterAction
+Cluster
+A follower must have ClusterAction on the Cluster resource in
order to fetch partition data.
+
+
+FETCH (1)
+Read
+Topic
+Regular Kafka consumers need READ permission on each partition
they are fetching.
+
+
+LIST_OFFSETS (2)
+Describe
+Topic
+
+
+
+METADATA (3)
+Describe
+Topic
+
+
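Review bot: The TransactionalId bullet is scoped too broadly and reads as if any failure maps to the authorization error; "If any error occurs, then a TRANSACTIONAL_ID_AUTHORIZATION_FAILED (error code: 53) will be returned by brokers." should say "If there is an authorization error with a TransactionalId resource, ...", matching the wording of the Topic, Group and Cluster bullets, since a transactional request can fail for non-authorization reasons that return other error codes. Two smaller points in the same hunk: the PRODUCE/Write/TransactionalId note should read "A transactional producer which has its transactional.id set requires this privilege." rather than "An transactional producer", and the FETCH/Read/Topic note uses "READ permission" where the operation is listed as "Read" everywhere else in the table and in the operations list; keep the casing consistent so readers can match the note to the operation column. Also worth checking the KIP-48 link markup, which in the displayed diff shows as ";>KIP-48" and may have lost the closing quote of its href attribute.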