confluentinc / kafka-rest

Confluent REST Proxy for Kafka
https://docs.confluent.io/current/kafka-rest/docs/index.html

Map Basic Auth to Kafka client Auth #298

Closed ggrossetie closed 6 years ago

ggrossetie commented 7 years ago

For security reasons, we are using Kafka with SASL_PLAIN and we have configured ACLs on topics to allow users to perform (or not) read/write operations.

Currently our users can publish messages to their topics using a Kafka client, but we want to give them the ability to publish their messages over HTTPS + Basic Auth.

My idea was to create a "dynamic" pool. We could start with a one-to-one mapping (i.e. HTTP credentials == Kafka client credentials) or we could implement an interface to have a fine-grained mapping.

The "dynamic" pool will need to create a new producer/consumer for every set of credentials.

Let's take an example:

Topic ACL

Topic    Principal  Operations
topic_a  user_a     write
         admin      write, read
topic_b  user_b     write
         admin      write, read

admin can publish messages on topic_a and topic_b

POST http://localhost:8082/topics/topic_a
admin:password
200

(create a new producer with admin:password credentials)

POST http://localhost:8082/topics/topic_b
admin:password
200

(reuse the producer with admin:password credentials)

user_b cannot publish messages on topic_a

POST http://localhost:8082/topics/topic_a
user_b:password
403

(create a new producer with user_b:password credentials)

user_b can publish messages on topic_b

POST http://localhost:8082/topics/topic_b
user_b:password
200

(reuse the producer with user_b:password credentials)

This feature requires some changes and before working on it, I want to make sure that this is something you will consider :wink:

Let me know what you think!
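The credential-keyed pool sketched above, worked through as an added example that is not kafka-rest code and not the issue author's code: the broker, its SASL check and the ACL table (`FakeBroker`, `SaslProducer`, `ProducerPool`, `handle_post`) are assumptions that simulate the four requests of the example in-process, so the reuse/creation behaviour and the 200/403 mapping can be checked offline. The pool key is `(user, sha256(password))` rather than the raw credentials, so the proxy never holds plaintext passwords and a request with a wrong password for a known user cannot borrow that user's already-authenticated producer; it gets a fresh SASL handshake that fails.

```python
"""Constructed model of a credential-keyed producer pool for a REST proxy.

Added illustration only. The broker, SASL handshake and ACL evaluation are
simulated so the pool semantics can be exercised offline.
"""
import base64
import hashlib
from collections import OrderedDict

# Constructed ACL table mirroring the issue's example: topic -> {principal: ops}
ACLS = {
    "topic_a": {"user_a": {"write"}, "admin": {"write", "read"}},
    "topic_b": {"user_b": {"write"}, "admin": {"write", "read"}},
}
# Constructed SASL/PLAIN user database; plaintext only because the broker is fake.
USERS = {"admin": "password", "user_a": "password", "user_b": "password"}


def parse_basic_auth(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


class FakeBroker:
    """Stands in for a SASL_PLAIN Kafka cluster: authenticates, then checks ACLs."""

    def authenticate(self, user, password):
        return USERS.get(user) == password

    def authorized(self, principal, topic, op):
        return op in ACLS.get(topic, {}).get(principal, set())


class SaslProducer:
    """One producer bound to a single SASL identity; this is what the pool caches."""

    def __init__(self, broker, user, password):
        if not broker.authenticate(user, password):
            raise PermissionError("SASL authentication failed")
        self.broker, self.principal = broker, user

    def send(self, topic, record):
        # The broker, not the proxy, is the authority on the ACL decision.
        if not self.broker.authorized(self.principal, topic, "write"):
            raise PermissionError("TopicAuthorizationFailed")
        return {"topic": topic, "offset": 0}


class ProducerPool:
    """Lazily creates one producer per credential set and reuses it (LRU-bounded)."""

    def __init__(self, broker, max_size=100):
        self.broker, self.max_size = broker, max_size
        self._producers = OrderedDict()
        self.created = 0  # number of producers ever created (observability)

    @staticmethod
    def key(user, password):
        # Digest instead of plaintext: the pool stores no secrets, and a wrong
        # password yields a different key instead of reusing a live producer.
        return (user, hashlib.sha256(password.encode()).hexdigest())

    def get(self, user, password):
        """Return (producer, created_now); raises PermissionError if SASL fails."""
        k = self.key(user, password)
        if k in self._producers:
            self._producers.move_to_end(k)
            return self._producers[k], False
        producer = SaslProducer(self.broker, user, password)
        if len(self._producers) >= self.max_size:
            self._producers.popitem(last=False)  # evict least recently used
        self._producers[k] = producer
        self.created += 1
        return producer, True


def handle_post(pool, topic, auth_header, record=b"msg"):
    """Map POST /topics/{topic} onto a pooled producer; return (status, reused)."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return 401, False
    try:
        producer, created = pool.get(*creds)
    except PermissionError:
        return 401, False  # SASL rejected the credentials
    try:
        producer.send(topic, record)
        return 200, not created
    except PermissionError:
        return 403, not created  # authenticated, but ACL denies the write


def basic(user, password):
    """Build the header value a client would send (constructed for the demo)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    pool = ProducerPool(FakeBroker())
    for topic, hdr in [("topic_a", basic("admin", "password")),
                       ("topic_b", basic("admin", "password")),
                       ("topic_a", basic("user_b", "password")),
                       ("topic_b", basic("user_b", "password"))]:
        print(topic, handle_post(pool, topic, hdr))
```

Running the four requests from the example in order yields 200 (new producer), 200 (reused), 403 (new producer for user_b, which the broker authenticated but then refused the write) and 200 (reused), with exactly two producers created. The pool is bounded and evicts least-recently-used entries, which matters in a real deployment because every distinct credential set otherwise keeps a broker connection open indefinitely.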

mageshn commented 6 years ago

@Mogztter there is an ability to add custom extensions to do things like this.

kafka.rest.resource.extension.class: Fully qualified class name of a valid implementation of the interface RestResourceExtension. This can be used to inject user-defined resources like filters. Typically used to add custom capabilities like logging, security, etc.

We really don't want to add all possible API security mechanisms in kafka-rest and would like to leave it to individuals' needs.