Posted to users@kafka.apache.org by ilter P <il...@gmail.com> on 2019/01/07 18:54:20 UTC

Re: Is kafka support dynamic ACL rule

Hi,

While creating the ACL you can do that; however, while Kafka is authorizing, it
does not support any REGEX for users.
You have to create a new Authorizer class by extending an Authorizer, for instance
"SimpleAclAuthorizer.scala" ->
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala

Then you can tell Kafka to use your authorizer from the server.properties
as:

authorizer.class.name=com.example.CustomAclAuthorizer


Then you can do any kind of authorization yourself

Regards



On Thu, 27 Dec 2018 at 02:18, hui happy <ha...@gmail.com> wrote:

> Hi
>
> As I learned, Kafka can use '--resource-pattern-type prefixed' to add a
> rule for prefixed topics.
> For example, for a user 'kafkaclient', we could define a rule that lets the user
> access all topics that start with that user name, i.e., 'kafkaclient--', such
> as 'kafkaclient--topic1', 'kafkaclient--topic2', etc.
>
> /opt/kafka/bin/kafka-acls.sh \
>   --authorizer-properties zookeeper.connect=zookeeper:2181 \
>   --add \
>   --allow-principal User:"kafkaclient" \
>   --operation All \
>   --resource-pattern-type prefixed \
>   --topic "kafkaclient--"
>
>
> But is it possible to define a dynamic user name?
> In the above case we know the username is 'kafkaclient', and if there are many
> other users, we have to add a rule for each user; these rules are similar,
> except for the user name.
>
> So I want to know if it's possible to just define a single rule, using a
> dynamic user name, so that each user could access the topics that start with
> their own username. Something like:
>
> /opt/kafka/bin/kafka-acls.sh \
>   --authorizer-properties zookeeper.connect=zookeeper:2181 \
>   --add \
>   --allow-principal User:"*<USER>*" \
>   --operation All \
>   --resource-pattern-type prefixed \
>   --topic "*<USER>*--"
>
>
> Then whenever we add a user or a topic later, we don't need to add any
> rules.
>
> Thanks.
> Hui
>
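
A sketch of the custom authorizer the reply describes, as an added example that is not part of the thread or of the Kafka code base. It assumes the Kafka 2.x Scala authorizer API (`kafka.security.auth`), reuses the reply's class name `com.example.CustomAclAuthorizer`, and takes the `--` delimiter from the question; `ownsTopic` is a hypothetical helper.

```scala
package com.example

import kafka.network.RequestChannel.Session
import kafka.security.auth.{Operation, Resource, SimpleAclAuthorizer, Topic}
import org.apache.kafka.common.security.auth.KafkaPrincipal

// Added example (hypothetical class): every authenticated user may use topics
// named "<username>--...". All other requests are decided by the stored ACLs.
class CustomAclAuthorizer extends SimpleAclAuthorizer {

  // Delimiter between the owner's name and the rest of the topic name
  // (taken from the question's 'kafkaclient--' convention).
  private val Delimiter = "--"

  override def authorize(session: Session, operation: Operation, resource: Resource): Boolean =
    ownsTopic(session.principal, resource) || super.authorize(session, operation, resource)

  private def ownsTopic(principal: KafkaPrincipal, resource: Resource): Boolean = {
    val user = principal.getName
    // Only topics are covered; groups, cluster and other resource types
    // still need ordinary ACLs.
    resource.resourceType == Topic &&
      principal.getPrincipalType == KafkaPrincipal.USER_TYPE &&
      // Unauthenticated listeners map every client to ANONYMOUS; never give
      // that shared identity a namespace of its own.
      principal != KafkaPrincipal.ANONYMOUS &&
      user.nonEmpty &&
      // Topic "a--b--x" already falls in user "a"'s namespace, so a principal
      // whose name contains the delimiter (such as "a--b") gets no dynamic
      // grant and cannot claim an overlapping namespace.
      !user.contains(Delimiter) &&
      resource.name.startsWith(user + Delimiter)
  }
}
```

Because the ownership check runs before `super.authorize`, a matching request is allowed even if a Deny ACL exists for that topic, and it does not pass through SimpleAclAuthorizer's own authorization logging. The rule is only as trustworthy as the principal name, so it depends on how the listener authenticates clients and maps them to `User:` names.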