Using OAUTH2 to secure individual kafka topics


Question

I need to be able to implement security (more specifically authorization) on a per-topic basis for a large Kafka implementation. Ideally, I would like to use OAUTH2 (client_credentials flow); however, from reading the documentation (Confluent and Apache, and third-party vendors) it appears that the authorization for topics can only be done globally. In other words, Kafka OAUTH2 security uses a single scope in its configuration which is required to access any/all topics. Rather, I require different scopes applied for authorization for each individual topic.

Is there a documented way of doing this (perhaps I missed it in the Kafka documentation) or is there a third party that does this out of the box?

As an alternative, I am able to configure a microservice facade in front of topics (i.e. OAUTH2 scope verification occurs in the microservice prior to consuming or publishing a message). Is this a reasonable approach?

Answer

It all sounds possible but you'll need to implement a few things:

  • Custom Authorizer

The authorization logic is pluggable via the authorizer.class.name setting and it allows you to provide an implementation of the Authorizer interface.

This class will be invoked when Kafka handles requests, see http://kafka.apache.org/documentation/#operations_resources_and_protocols for the breakdown.

Within this class you can use whatever logic you want to perform the authorization. You are provided with the Principal describing the user and the list of permissions to check.

  • Custom OAuth callback/Principal Builder

Not entirely sure what's possible with the built-in OAuth authenticator. If it does not handle multiple scopes, you'll need to implement your own AuthenticateCallbackHandler. If you want to have the scopes usable in the Authorizer, you'll probably also need a custom KafkaPrincipalBuilder, so scopes are stored in the Principal.

These are high level guidelines, as it's hard to be more detailed considering this requires a number of custom parts. Hopefully that's enough to give you an idea of what to do.
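The two custom parts the answer describes, as one added example (this is not code from the answer above or from Apache Kafka): a `KafkaPrincipalBuilder` that copies the validated OAUTHBEARER token's scopes into the principal, and an `Authorizer` that grants per-topic READ/WRITE/DESCRIBE from those scopes. The scope naming convention (`kafka:topic:<name>:read`, `kafka:topic:<name>:write`, `kafka:group:<name>:read`), the class names and the package are assumptions of this example; the interfaces, the `authorizer.class.name` / `principal.builder.class` settings and the `OAUTHBEARER.token` negotiated property (KIP-255) are Kafka's own.

```java
// Added example, not code from the original answer or from Apache Kafka.
// Assumed (hypothetical) scope convention issued by the authorization server:
//   kafka:topic:<topic>:read   kafka:topic:<topic>:write   kafka:group:<group>:read
// Broker wiring (class names are this example's own):
//   authorizer.class.name=example.ScopeAuthorizer
//   principal.builder.class=example.ScopeAuthorizer$PrincipalBuilder
package example;

import java.util.*;
import java.util.concurrent.CompletableFuture;
import java.util.concurrent.CompletionStage;
import org.apache.kafka.common.Endpoint;
import org.apache.kafka.common.acl.*;
import org.apache.kafka.common.errors.InvalidRequestException;
import org.apache.kafka.common.resource.*;
import org.apache.kafka.common.security.auth.*;
import org.apache.kafka.common.security.oauthbearer.OAuthBearerToken;
import org.apache.kafka.server.authorizer.*;

/** Authorizes every request from the OAuth2 scopes carried in the caller's principal. */
public class ScopeAuthorizer implements Authorizer {
    private static final String UNSUPPORTED = "ACLs are not used by this broker; grant OAuth scopes instead";

    /** Principal that keeps the token's scopes so authorize() can read them. */
    public static final class ScopedPrincipal extends KafkaPrincipal {
        private final Set<String> scopes;
        public ScopedPrincipal(String name, Set<String> scopes) {
            super(KafkaPrincipal.USER_TYPE, name);
            this.scopes = Collections.unmodifiableSet(new HashSet<>(scopes));
        }
        public Set<String> scopes() { return scopes; }
    }

    /** Runs on the broker after SASL completes; only OAUTHBEARER logins get scopes. */
    public static final class PrincipalBuilder implements KafkaPrincipalBuilder {
        @Override
        public KafkaPrincipal build(AuthenticationContext context) {
            if (context instanceof SaslAuthenticationContext) {
                // KIP-255: the OAUTHBEARER SaslServer exposes the validated token under this key.
                Object token = ((SaslAuthenticationContext) context).server()
                        .getNegotiatedProperty("OAUTHBEARER.token");
                if (token instanceof OAuthBearerToken) {
                    OAuthBearerToken t = (OAuthBearerToken) token;
                    return new ScopedPrincipal(t.principalName(), t.scope());
                }
            }
            // Any other listener or mechanism: a scope-less principal, denied everywhere below.
            return new ScopedPrincipal("ANONYMOUS", Collections.<String>emptySet());
        }
    }

    @Override
    public List<AuthorizationResult> authorize(AuthorizableRequestContext ctx, List<Action> actions) {
        KafkaPrincipal p = ctx.principal();
        Set<String> scopes = p instanceof ScopedPrincipal ? ((ScopedPrincipal) p).scopes() : Collections.<String>emptySet();
        List<AuthorizationResult> results = new ArrayList<>(actions.size());
        for (Action a : actions) {
            results.add(allowed(scopes, a.resourcePattern(), a.operation())
                    ? AuthorizationResult.ALLOWED : AuthorizationResult.DENIED);
        }
        return results;   // one result per action, same order as the input
    }

    /** The policy itself, kept static so it can be unit-tested without a broker. */
    static boolean allowed(Set<String> scopes, ResourcePattern resource, AclOperation op) {
        String kind;
        if (resource.resourceType() == ResourceType.TOPIC) kind = "topic";
        else if (resource.resourceType() == ResourceType.GROUP) kind = "group";
        else return false;   // CLUSTER, TRANSACTIONAL_ID, ...: extend the scope convention before allowing
        String base = "kafka:" + kind + ":" + resource.name() + ":";
        switch (op) {
            case READ:     return scopes.contains(base + "read");
            case WRITE:    return scopes.contains(base + "write");
            // Mirror Kafka's ACL semantics: READ or WRITE implies DESCRIBE.
            case DESCRIBE: return scopes.contains(base + "read") || scopes.contains(base + "write");
            default:       return false;
        }
    }

    @Override
    public Map<Endpoint, ? extends CompletionStage<Void>> start(AuthorizerServerInfo info) {
        Map<Endpoint, CompletableFuture<Void>> ready = new HashMap<>();
        for (Endpoint e : info.endpoints()) ready.put(e, CompletableFuture.completedFuture(null));
        return ready;   // nothing to load, so every listener may start immediately
    }

    // ACL management is meaningless here: grants live in the authorization server, not in Kafka.
    @Override
    public List<? extends CompletionStage<AclCreateResult>> createAcls(AuthorizableRequestContext ctx, List<AclBinding> bindings) {
        return Collections.nCopies(bindings.size(),
                CompletableFuture.completedFuture(new AclCreateResult(new InvalidRequestException(UNSUPPORTED))));
    }
    @Override
    public List<? extends CompletionStage<AclDeleteResult>> deleteAcls(AuthorizableRequestContext ctx, List<AclBindingFilter> filters) {
        return Collections.nCopies(filters.size(),
                CompletableFuture.completedFuture(new AclDeleteResult(new InvalidRequestException(UNSUPPORTED))));
    }
    @Override public Iterable<AclBinding> acls(AclBindingFilter filter) { return Collections.emptyList(); }
    @Override public void configure(Map<String, ?> configs) { }
    @Override public void close() { }
}
```

Three caveats before running something like this. The scopes are only as trustworthy as the token validation done by the broker's `sasl.server.callback.handler.class`; the built-in handler parses the scope claim into `OAuthBearerToken.scope()` but never enforces it, so enforcement is exactly what the `Authorizer` adds. Inter-broker requests go through the same `authorize()` call and this example denies them, so a real deployment must give the broker's own principal an explicit allow (the stock `AclAuthorizer` does that via `super.users`). Finally, on Kafka 3.x with KRaft the principal builder must also implement `KafkaPrincipalSerde` so the principal can be forwarded to the controller; with only two extra fields that is a small addition, but it is not shown here.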
