Using OAUTH2 to secure individual kafka topics


Question

I need to be able to implement security (more specifically authorization) on a per-topic basis for a large Kafka implementation. Ideally, I would like to use OAUTH2 (client_credentials flow); however, from reading the documentation (Confluent and Apache, and third-party vendors) it appears that authorization for topics can only be done globally. In other words, Kafka OAUTH2 security uses a single scope in its configuration which is required to access any/all topics. Rather, I require different scopes to be applied for authorization of each individual topic.

Is there a documented way of doing this (perhaps I missed it in the Kafka documentation), or is there a third party that does this out of the box?

As an alternative, I am able to configure a microservice facade in front of topics (i.e. OAUTH2 scope verification occurs in the microservice prior to consuming or publishing a message). Is this a reasonable approach?

Answer

It all sounds possible, but you'll need to implement a few things:

  • Custom Authorizer

The authorization logic is pluggable via the authorizer.class.name setting, and it allows you to provide an implementation of the Authorizer interface.

This class will be invoked when Kafka handles requests; see http://kafka.apache.org/documentation/#operations_resources_and_protocols for the breakdown.

Within this class you can use whatever logic you want to perform the authorization. You are provided with the Principal describing the user and the list of permissions to check.

  • Custom OAuth callback/Principal Builder

Not entirely sure what's possible with the built-in OAuth authenticator. If it does not handle multiple scopes, you'll need to implement your own AuthenticateCallbackHandler. If you want to have the scopes usable in the Authorizer, you'll probably also need a custom KafkaPrincipalBuilder, so scopes are stored in the Principal.

These are high-level guidelines, as it's hard to be more detailed considering this requires a number of custom parts. Hopefully that's enough to give you an idea of what to do.
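Added worked example (not part of the original question or answer, and not code from the Kafka project): a single Java file containing the two pluggable pieces the answer describes, a KafkaPrincipalBuilder that copies the validated token's scopes into a KafkaPrincipal subclass, and an Authorizer that grants each request only if the principal holds a scope for that exact topic (or consumer group) and operation. Everything not in the answer is an assumption made for this example: the package name, the scope naming convention `kafka:<type>:<name>:<verb>` (align it with whatever your authorization server issues), and the `OAUTHBEARER.token` negotiated-property key under which Kafka's built-in OAuthBearerSaslServer exposes the token. The example also relies on the broker's OAUTHBEARER validator callback handler populating `OAuthBearerToken.scope()` (a `Set<String>`) from the token; if the handler you deploy does not, you need the custom AuthenticateCallbackHandler the answer mentions.

```java
package example.kafka.oauth;  // hypothetical package name chosen for this example

import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import java.util.stream.Collectors;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.resource.ResourceType;
import org.apache.kafka.common.security.auth.*;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.server.authorizer.*;

/** authorizer.class.name: decides every request from the scopes carried in the principal. */
public class ScopeTopicAuthorizer implements Authorizer {

    /** KafkaPrincipal subclass that carries the client's granted scopes into the Authorizer. */
    public static final class ScopedPrincipal extends KafkaPrincipal {
        private final Set<String> scopes;
        public ScopedPrincipal(String name, Set<String> scopes) {
            super(KafkaPrincipal.USER_TYPE, name);
            this.scopes = Collections.unmodifiableSet(new HashSet<>(scopes));
        }
        public Set<String> scopes() { return scopes; }
    }

    /** principal.builder.class: copies the validated OAuthBearerToken's scopes into the principal. */
    public static final class ScopedPrincipalBuilder implements KafkaPrincipalBuilder {
        // Negotiated-property key under which Kafka's OAuthBearerSaslServer publishes the token.
        // Assumption: check it against the OAuthBearerSaslServer source of the version you run.
        private static final String TOKEN_PROPERTY = "OAUTHBEARER.token";

        @Override
        public KafkaPrincipal build(AuthenticationContext context) {
            if (context instanceof SaslAuthenticationContext) {
                Object token = ((SaslAuthenticationContext) context).server()
                        .getNegotiatedProperty(TOKEN_PROPERTY);
                if (token instanceof OAuthBearerToken) {
                    OAuthBearerToken t = (OAuthBearerToken) token;
                    return new ScopedPrincipal(t.principalName(), t.scope());
                }
            }
            // Other listeners/mechanisms get an unscoped principal that the authorizer denies
            // everywhere (fail closed); delegate to your usual builder there if you need them.
            return KafkaPrincipal.ANONYMOUS;
        }
    }

    /** Operation -> verb in the scope name; null means no scope grants this operation. */
    static String verbFor(AclOperation op) {
        switch (op) {
            case READ: case DESCRIBE: return "read";   // consumers need READ+DESCRIBE on the topic
            case WRITE:               return "write";  // producers need WRITE+DESCRIBE on the topic
            default:                  return null;     // ALTER, DELETE, CREATE, ... stay denied
        }
    }

    /** Pure decision: ALLOWED only if the exact scope "kafka:<type>:<name>:<verb>" was granted. */
    static AuthorizationResult decide(Set<String> scopes, ResourceType type, String name, AclOperation op) {
        // Consumer groups are handled the same way (kafka:group:<group>:read); cluster and
        // transactional-id resources are not modelled in this example and are denied outright.
        if (type != ResourceType.TOPIC && type != ResourceType.GROUP) return AuthorizationResult.DENIED;
        String verb = verbFor(op);
        if (verb == null) return AuthorizationResult.DENIED;
        String needed = "kafka:" + type.name().toLowerCase(Locale.ROOT) + ":" + name + ":" + verb;
        return scopes.contains(needed) ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED;
    }

    @Override
    public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        KafkaPrincipal p = ctx.principal();
        Set<String> scopes = p instanceof ScopedPrincipal ? ((ScopedPrincipal) p).scopes() : Collections.emptySet();
        List<AuthorizationResult> results = new ArrayList<>(actions.size());
        for (Action a : actions) {
            results.add(decide(scopes, a.resourcePattern().resourceType(), a.resourcePattern().name(), a.operation()));
        }
        return results;
    }

    @Override
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo serverInfo) {
        // Nothing to load: report every listener as ready to authorize immediately.
        return serverInfo.endpoints().stream()
                .collect(Collectors.toMap(e -> e, e -> CompletableFuture.<Void>completedFuture(null)));
    }

    // Grants live in the OAuth2 authorization server, so ACL management through Kafka is refused.
    @Override public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx, List<AclBinding> bindings) {
        throw new UnsupportedOperationException("ACLs are managed by the OAuth2 authorization server");
    }
    @Override public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
        throw new UnsupportedOperationException("ACLs are managed by the OAuth2 authorization server");
    }
    @Override public Iterable<AclBinding> acls(AclBindingFilter filter) { return Collections.emptyList(); }
    @Override public void configure(Map<String, ?> configs) { }
    @Override public void close() { }
}
```

Wire it up in the broker configuration with `authorizer.class.name=example.kafka.oauth.ScopeTopicAuthorizer` and `principal.builder.class=example.kafka.oauth.ScopeTopicAuthorizer$ScopedPrincipalBuilder` (the `$` because the builder is a nested class). A client whose token carries `kafka:topic:orders:write` can then produce to `orders` and nothing else; adding `kafka:topic:orders:read` and `kafka:group:billing:read` lets it consume `orders` in group `billing`. Two caveats before using this beyond a lab: the example does not honour `super.users`, so inter-broker traffic on a listener that goes through this builder will be denied unless you add that handling, and in KRaft clusters the principal builder also has to implement `KafkaPrincipalSerde` so that forwarded requests keep their scopes (check the documentation for your Kafka version).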
