AuthzForce CE - Extensions for Apache Kafka

Kafka Authorizer (KIP-11) implementation supporting both Kafka ACL and XACML policy evaluation for Attribute-Based Access Control

License:
GroupId: org.ow2.authzforce
ArtifactId: authzforce-ce-kafka-extensions
Last Version: 1.3.0
Release Date:
Type: jar
Description: AuthzForce CE - Extensions for Apache Kafka. Kafka Authorizer (KIP-11) implementation supporting both Kafka ACL and XACML policy evaluation for Attribute-Based Access Control
Source Code Management: https://github.com/DRIVER-EU/kafka-combined-acl-xacml-authorizer


How to add to project

Maven:
<!-- https://jarcasting.com/artifacts/org.ow2.authzforce/authzforce-ce-kafka-extensions/ -->
<dependency>
    <groupId>org.ow2.authzforce</groupId>
    <artifactId>authzforce-ce-kafka-extensions</artifactId>
    <version>1.3.0</version>
</dependency>

Gradle (Groovy DSL):
// https://jarcasting.com/artifacts/org.ow2.authzforce/authzforce-ce-kafka-extensions/
implementation 'org.ow2.authzforce:authzforce-ce-kafka-extensions:1.3.0'

Gradle (Kotlin DSL):
// https://jarcasting.com/artifacts/org.ow2.authzforce/authzforce-ce-kafka-extensions/
implementation("org.ow2.authzforce:authzforce-ce-kafka-extensions:1.3.0")

Buildr:
'org.ow2.authzforce:authzforce-ce-kafka-extensions:jar:1.3.0'

Ivy:
<dependency org="org.ow2.authzforce" name="authzforce-ce-kafka-extensions" rev="1.3.0">
  <artifact name="authzforce-ce-kafka-extensions" type="jar" />
</dependency>

Grape:
@Grapes(
@Grab(group='org.ow2.authzforce', module='authzforce-ce-kafka-extensions', version='1.3.0')
)

SBT:
libraryDependencies += "org.ow2.authzforce" % "authzforce-ce-kafka-extensions" % "1.3.0"

Leiningen:
[org.ow2.authzforce/authzforce-ce-kafka-extensions "1.3.0"]

Dependencies

compile (6)

Group / Artifact Type Version
org.slf4j : jcl-over-slf4j jar 1.7.25
org.freemarker : freemarker jar 2.3.28
org.springframework : spring-context jar 4.3.18.RELEASE
org.apache.cxf : cxf-rt-rs-client jar 3.2.5
org.apache.cxf : cxf-rt-features-logging jar 3.2.5
org.ow2.authzforce : authzforce-ce-jaxrs-utils jar 1.3.0

provided (2)

Group / Artifact Type Version
org.apache.kafka : kafka_2.12 jar 2.0.0
org.slf4j : slf4j-api jar 1.7.25

test (4)

Group / Artifact Type Version
ch.qos.logback : logback-classic jar 1.2.3
org.springframework.boot : spring-boot-starter-test jar 1.5.14.RELEASE
org.apache.curator : curator-test jar 2.12.0
eu.driver : driver-testbed-sec-authz-service jar 2.1.1

Project Modules

There are no modules declared in this project.

XACML-enabled Authorizer for Apache Kafka

Terms

  • XACML: eXtensible Access Control Markup Language for access policies and access requests/responses, standardized by OASIS.
  • PDP: Policy Decision Point, as defined in XACML standard.
  • PAP: Policy Administration Point, as defined in XACML standard.

Project description

This project provides an Authorizer implementation for Apache Kafka that extends Kafka's default authorizer (kafka.security.auth.SimpleAclAuthorizer) so that it can also obtain XACML authorization decisions from the REST API of a XACML-enabled PDP, according to the REST Profile of XACML 3.0. AuthzForce Server and AuthzForce RESTful PDP both provide such a REST API. Usually the latter is enough for simple use cases, unless you need a PAP API, multi-tenancy, etc., in which case AuthzForce Server is a better fit (see the documentation for the full list of features).

In other words, you can still use Kafka ACLs with this authorizer exactly as you would with the default one. XACML evaluation must be enabled explicitly by setting the specific properties described below. XACML evaluation here means the extra step of getting a XACML authorization decision from a remote PDP according to the REST Profile of XACML 3.0.

The authorizer combines Kafka ACL evaluation with XACML evaluation as follows:

  • If ACL evaluation returns Permit, return Permit.
  • Else:
    • If XACML evaluation is disabled, return Deny.
    • Else: return Permit if and only if the result of XACML evaluation is Permit (any other XACML decision, i.e. Deny, NotApplicable or Indeterminate, results in Deny).

Installation

Get the tar.gz distribution from the latest release on the GitHub repository and extract the files to some folder, e.g. /opt/authzforce-ce-kafka-extensions. You should have a lib folder inside.

Configuration

To enable the authorizer on Kafka, set the server's property:

authorizer.class.name=org.ow2.authzforce.kafka.pep.CombinedXacmlAclAuthorizer

To enable XACML evaluation, set the extra following authorizer properties:

  • org.ow2.authzforce.kafka.pep.xacml.pdp.url: URL of the XACML PDP resource, as defined by the REST Profile of XACML 3.0, §2.2.2, e.g. https://serverhostname/services/pdp for an AuthzForce RESTful PDP instance, or https://serverhostname/authzforce-ce/domains/XXX/pdp for a domain XXX on an AuthzForce Server instance.
  • org.ow2.authzforce.kafka.pep.http.client.cfg.location: location (any URL form supported by Spring's org.springframework.util.ResourceUtils) of the HTTP client configuration file in Apache CXF format; required for SSL settings.
  • org.ow2.authzforce.kafka.pep.authz.cache.size.max: maximum number of authorization decisions cached in memory (performance optimization). The cache is disabled unless this value is a strictly positive integer. If the cache is enabled and an access request matches a previous one in the cache, the corresponding decision is returned directly from the cache (no decision evaluation).
  • org.ow2.authzforce.kafka.pep.xacml.req.tmpl.location: location of a file containing a Freemarker template of a XACML Request formatted according to the JSON Profile of XACML 3.0. In the template you can use Freemarker expressions, enclosed between ${ and }, and have access to the following top-level variables from Kafka's authorization context:

  Variable name   Variable type                                          Description
  clientHost      java.net.InetAddress                                   client/user host name or IP address
  principal       org.apache.kafka.common.security.auth.KafkaPrincipal   user principal
  operation       org.apache.kafka.common.acl.AclOperation               operation
  resourceType    org.apache.kafka.common.resource.ResourceType          resource type
  resourceName    String                                                 resource name

For an example of a XACML Request template, see the file request.xacml.json.ftl in the source, or in the same folder as this README if it is part of a release package (tar.gz). This example should be sufficient for most cases.
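The following is an added example, not code from this project, showing how the three pieces described above fit together: the ACL-then-XACML combination (ACL Permit wins; otherwise XACML decides, and only a Permit decision permits), a JSON Profile XACML Request rendered from the five template variables, and a bounded decision cache. It assumes Java 17 (records and text blocks). The TEMPLATE string is a constructed sketch of a JSON-Profile request and is not the project's request.xacml.json.ftl; the AttributeId urn:example:kafka:resource-type is a placeholder, while the subject-id, ip-address, action-id and resource-id identifiers are standard XACML ones. AuthzContext, AclEvaluator, XacmlPdpClient and CombinedAuthorizer are hypothetical names, and the PDP client in main is a stub standing in for an HTTP POST to the configured PDP URL.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/* Added example, not the project's code: chains Kafka ACL and XACML evaluation as the
 * README describes, renders a JSON Profile XACML Request from the five template
 * variables, and caches decisions up to a configured maximum. */
public class CombinedAuthzExample {

    /** The five variables the README exposes to the request template (String-typed here for simplicity). */
    record AuthzContext(String clientHost, String principal, String operation,
                        String resourceType, String resourceName) {}

    /** Stands in for the Kafka ACL check performed by the default authorizer. */
    interface AclEvaluator { boolean permits(AuthzContext ctx); }

    /** Hypothetical PDP client: POSTs the JSON request to the PDP URL and returns the XACML Decision string. */
    interface XacmlPdpClient { String decide(String jsonRequest); }

    /** Constructed template in JSON Profile of XACML 3.0 shape; NOT the project's request.xacml.json.ftl.
     *  The resource-type AttributeId is a placeholder; the other ids are standard XACML identifiers. */
    static final String TEMPLATE = """
        {"Request": {
          "AccessSubject": [{"Attribute": [
            {"AttributeId": "urn:oasis:names:tc:xacml:1.0:subject:subject-id", "Value": "${principal}"},
            {"AttributeId": "urn:oasis:names:tc:xacml:3.0:subject:authn-locality:ip-address", "Value": "${clientHost}"}]}],
          "Action": [{"Attribute": [
            {"AttributeId": "urn:oasis:names:tc:xacml:1.0:action:action-id", "Value": "${operation}"}]}],
          "Resource": [{"Attribute": [
            {"AttributeId": "urn:oasis:names:tc:xacml:1.0:resource:resource-id", "Value": "${resourceName}"},
            {"AttributeId": "urn:example:kafka:resource-type", "Value": "${resourceType}"}]}]
        }}""";

    /** Minimal stand-in for Freemarker: replaces each ${name} with the JSON-escaped variable value. */
    static String renderRequest(String template, AuthzContext ctx) {
        Map<String, String> vars = Map.of(
            "clientHost", ctx.clientHost(), "principal", ctx.principal(), "operation", ctx.operation(),
            "resourceType", ctx.resourceType(), "resourceName", ctx.resourceName());
        Matcher m = Pattern.compile("\\$\\{(\\w+)\\}").matcher(template);
        StringBuilder out = new StringBuilder();
        while (m.find()) {
            String value = vars.get(m.group(1));
            if (value == null) throw new IllegalArgumentException("unknown template variable: " + m.group(1));
            m.appendReplacement(out, Matcher.quoteReplacement(value.replace("\\", "\\\\").replace("\"", "\\\"")));
        }
        m.appendTail(out);
        return out.toString();
    }

    static final class CombinedAuthorizer {
        private final AclEvaluator acl;
        private final XacmlPdpClient pdp;                 // null when XACML evaluation is disabled
        private final Map<AuthzContext, Boolean> cache;   // null when the cache size is not strictly positive

        CombinedAuthorizer(AclEvaluator acl, XacmlPdpClient pdp, int cacheSizeMax) {
            this.acl = acl;
            this.pdp = pdp;
            // access-ordered LinkedHashMap that evicts the least recently used entry beyond the maximum
            this.cache = cacheSizeMax > 0
                ? new LinkedHashMap<AuthzContext, Boolean>(16, 0.75f, true) {
                    @Override protected boolean removeEldestEntry(Map.Entry<AuthzContext, Boolean> eldest) {
                        return size() > cacheSizeMax;
                    }
                }
                : null;
        }

        boolean authorize(AuthzContext ctx) {
            if (cache != null) {
                Boolean cached = cache.get(ctx);
                if (cached != null) return cached;          // matching request in cache: no evaluation
            }
            boolean permit = evaluate(ctx);
            if (cache != null) cache.put(ctx, permit);
            return permit;
        }

        private boolean evaluate(AuthzContext ctx) {
            if (acl.permits(ctx)) return true;              // ACL Permit wins outright
            if (pdp == null) return false;                  // XACML evaluation disabled: Deny
            String decision = pdp.decide(renderRequest(TEMPLATE, ctx));
            return "Permit".equals(decision);               // Deny, NotApplicable and Indeterminate all deny
        }
    }

    public static void main(String[] args) {
        // Constructed evaluators: the ACL permits only User:alice; the stub PDP permits Read on
        // topics named "public-*". A real client would POST the rendered request to the PDP URL.
        AclEvaluator acl = ctx -> "User:alice".equals(ctx.principal());
        XacmlPdpClient pdp = json ->
            json.contains("\"Value\": \"Read\"") && json.contains("\"Value\": \"public-") ? "Permit" : "Deny";
        CombinedAuthorizer withXacml = new CombinedAuthorizer(acl, pdp, 100);
        CombinedAuthorizer aclOnly = new CombinedAuthorizer(acl, null, 0);
        AuthzContext bobReads = new AuthzContext("10.0.0.5", "User:bob", "Read", "Topic", "public-news");
        AuthzContext bobWrites = new AuthzContext("10.0.0.5", "User:bob", "Write", "Topic", "public-news");
        System.out.println("bob Read, XACML on:  " + withXacml.authorize(bobReads));
        System.out.println("bob Write, XACML on: " + withXacml.authorize(bobWrites));
        System.out.println("bob Read, XACML off: " + aclOnly.authorize(bobReads));
        System.out.println(renderRequest(TEMPLATE, bobReads));
    }
}
```

Two design points worth noting: the cache key is the whole authorization context, so a request from a different principal, host, operation or resource never reuses another request's decision; and the combiner only ever converts an explicit "Permit" into access, so a PDP error, an unreachable PDP (surfacing as a non-Permit decision from the client) or a NotApplicable response falls back to the ACL result, which is exactly the fail-closed behaviour the README's combination rules describe.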

Starting Kafka

Make sure Zookeeper is started first:

~/DRIVER+/kafka_2.11-1.1.0$ bin/zookeeper-server-start.sh config/zookeeper.properties

Add all the JARs in the lib folder extracted earlier (see the Installation section) to the CLASSPATH environment variable before starting Kafka, for example:

~/DRIVER+/kafka_2.11-1.1.0$ CLASSPATH=/opt/authzforce-ce-kafka-extensions/lib/* bin/kafka-server-start.sh config/server.properties

Known issue

Group-based permission ineffective for topic metadata/offset access control

When the poll(...) method is called, Java KafkaConsumers perform a DESCRIBE operation on topics to fetch topic metadata before joining their consumer group (READ on GROUP X) and reading topic data. The Authorizer therefore cannot know the consumer group ID at that point, so group-based permissions cannot be used for topic metadata access control.

See issue #7.

DRIVER+

This project has received funding from the EU FP7 under grant agreement no 607798.

Versions

1.3.0
1.2.0
1.1.0