Adding authorization capabilities to Dr. Kafka to restrict privileged operations #143
drkafka/src/main/java/com/pinterest/doctorkafka/config/DoctorKafkaConfig.java
drkafka/src/main/java/com/pinterest/doctorkafka/security/DrKafkaSecurityContext.java
*/ | ||
@Provider | ||
@Priority(1000) | ||
public class ExampleAuthorizationFilter implements DrKafkaAuthorizationFilter { |
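Review bot: `@Priority(1000)` on the class declaration is a magic number; 1000 is the value of `javax.ws.rs.Priorities.AUTHENTICATION`, so use the named constant instead. If this filter only makes authorization decisions and expects the request to have been authenticated by an earlier filter, `Priorities.AUTHORIZATION` (2000) is the conventional slot and guarantees it runs after authentication. The Javadoc that closes just above the annotations should also say that the class is a sample and spell out the conventions it assumes.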
Can this class be used by the users by default? If that is the case, shall we call it DefaultAuthorizationFilter?
It can't be used by default since it follows certain conventions. Anyone attempting to enable authorization restrictions in Dr. Kafka needs to implement their own AuthorizationFilter, since every environment is different: AuthorizationFilter's functionality is dependent on the authentication mechanism used, which varies based on environment and implementation (e.g. basic auth, Kerberos, OAuth, etc.).
The purpose of providing this class is to share with users how they can potentially implement their own AuthorizationFilter.
This PR doesn't change the default behavior of Dr. Kafka, which currently is no authorization restriction.
Could you explain the "certain conventions" in detail in the comments, and how the users are configured? That will help the users to understand more about the sample authorization filter.
Added the details in Dr. Kafka's docs https://github.com/pinterest/doctorkafka/pull/143/files#diff-ea40dcfd475c2164a28718b6d4c6d0ee
drkafka/src/main/java/com/pinterest/doctorkafka/security/ExampleAuthorizationFilter.java
*/ | ||
@Provider | ||
@Priority(1000) | ||
public class ExampleAuthorizationFilter implements DrKafkaAuthorizationFilter { |
drkafka/src/main/java/com/pinterest/doctorkafka/security/UserPrincipal.java
drkafka/src/main/java/com/pinterest/doctorkafka/security/ExampleAuthorizationFilter.java
Thanks for making the change!
Summary
Dr. Kafka now has some privileged operations exposed via API like broker decommissioning and maintenance mode. These operations should be restricted to admin users only. This PR allows a configurable authorization provider to be added to Dr. Kafka to limit this access.
Description