keunlee / amq-streams-broker-authorization-sample

Kafka + Keycloak + LDAP: Broker Authorization Sample

ACL stored #8

Open sookeke opened 1 year ago

sookeke commented 1 year ago

Hi @keunlee

Thanks for putting this together. Are these ACLs described in Keycloak stored or cached in Kafka?

I noticed that when I get inside the Kafka cluster and run `./kafka-acls.sh --bootstrap-server XXX --command-config XXXX`, it returns nothing.

keunlee commented 1 year ago

Hi, for this particular demonstration the ACLs are defined in Keycloak (RH SSO) realm configuration files - found in https://github.com/keunlee/amq-streams-broker-authorization-sample/tree/master/ocp/bootstrap/roles/ocp4-install-rh-sso/files.

I haven't tried it yet on this demo, but I think if I did, I would give a shot at looking through some of the examples in the strimzi configuration docs - https://strimzi.io/docs/operators/latest/configuring.html#con-securing-kafka-authorization-str

sookeke commented 1 year ago

@keunlee thanks for the response. Yes, I was thinking the implementation of the Strimzi class `io.strimzi.kafka.oauth.server.authorizer.KeycloakRBACAuthorizer`, which is an extension of the `AclAuthorizer` class, should be:

  1. The broker initializes communication with ZooKeeper via the Authorizer, i.e. `KeycloakRBACAuthorizer`, which grabs all the Keycloak client-configured authorization.
  2. The Authorizer loads the captured ACLs into the ACL store in ZooKeeper.
  3. Then it populates the ACL cache from the Authorizer back to the broker. Now the broker has the current ACL cache from ZooKeeper to validate a request.
  4. The Authorizer keeps monitoring for changes in the Keycloak authorization client; once there is any update in Keycloak, the cycle continues from step 1.


sookeke commented 1 year ago

There's a comment in the Strimzi documentation that's kind of confusing to me. It reads:

> "The authorizer (i.e. `KeycloakRBACAuthorizer`) fetches a list of granted permissions from the authorization server as needed, and enforces authorization locally on the Kafka Broker, making rapid authorization decisions for each client request."

Does that mean this Authorizer does not communicate with the ZooKeeper Authorizer store and does not cache ACLs in the broker like the other Authorizer classes?

How then can we view the ACLs in the cluster other than via Keycloak? I mean, using the REST proxy or the Bridge we can traditionally view the ACLs on the cluster with `GET /v3/clusters/{CLUSTER_ID}/acls`, but with this new authorizer `KeycloakRBACAuthorizer` it returns NULL.

sookeke commented 1 year ago

@keunlee another quote:

> Keycloak Authorization Services REST endpoints provide a list of granted permissions on resources for authenticated users. The list of grants (permissions) is fetched from the Keycloak server as the first action after an authenticated session is established by the Kafka client. The list is refreshed in the background so that changes to the grants are detected. Grants are cached and enforced locally on the Kafka broker for each user session to provide fast authorization decisions.
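The quoted documentation describes a model in which grants live in Keycloak, are fetched per user session, cached on the broker and refreshed periodically, which is consistent with `kafka-acls.sh` (which reads the `AclAuthorizer` store) showing nothing. The following is an added example, written for this thread and not code from the keunlee repository, Strimzi or Keycloak, that models that flow in Python: it builds the form fields of the Keycloak Authorization Services "permissions" request (a real `response_mode=permissions` UMA ticket grant, built here but never sent), parses a constructed sample of that response into grants, flattens them into ACL-style rows an operator can read, and enforces them from a per-session cache with a refresh interval. The `Type:name` resource layout, the glob matching of `*` in names, the `rsid` values and the injectable `now` clock are assumptions made for the example, not documented Strimzi behaviour.

```python
"""Added example: a model of Keycloak-backed Kafka authorization as described in
the quoted Strimzi docs (grants fetched per session, cached and enforced locally).
Not code from the amq-streams-broker-authorization-sample repository."""
import json
import time
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Dict, FrozenSet, List, Tuple


def uma_permission_request(audience: str) -> Dict[str, str]:
    """Form fields of the Keycloak token-endpoint call that returns the caller's
    granted permissions (UMA ticket grant, response_mode=permissions). Only built
    here; the constructed sample below stands in for the response."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:uma-ticket",
        "audience": audience,
        "response_mode": "permissions",
    }


# Constructed sample response (assumption: resources are named "Type:name" and a
# trailing "*" is a wildcard). The rsid values are placeholders.
SAMPLE_GRANTS_JSON = json.dumps([
    {"rsid": "00000000-0000-0000-0000-000000000001", "rsname": "Topic:orders-*", "scopes": ["Describe", "Read"]},
    {"rsid": "00000000-0000-0000-0000-000000000002", "rsname": "Group:orders-consumer", "scopes": ["Read"]},
    {"rsid": "00000000-0000-0000-0000-000000000003", "rsname": "Cluster:*", "scopes": ["DescribeConfigs"]},
])

# Constructed second response: Write added on orders topics, group Read revoked.
UPDATED_GRANTS_JSON = json.dumps([
    {"rsid": "00000000-0000-0000-0000-000000000001", "rsname": "Topic:orders-*", "scopes": ["Read", "Write"]},
])


@dataclass(frozen=True)
class Grant:
    resource_type: str        # Topic, Group, Cluster, ...
    name_pattern: str         # exact name or glob such as "orders-*"
    scopes: FrozenSet[str]    # Kafka operations granted on the resource


def parse_grants(body: str) -> List[Grant]:
    """Turn a permissions response into Grant objects; rejects names without the Type: prefix."""
    grants: List[Grant] = []
    for entry in json.loads(body):
        rtype, _, name = entry["rsname"].partition(":")
        if not name:
            raise ValueError(f"unexpected resource name {entry['rsname']!r}")
        grants.append(Grant(rtype, name, frozenset(entry.get("scopes", []))))
    return grants


def to_acl_rows(principal: str, grants: List[Grant]) -> List[Tuple[str, str, str, str]]:
    """Flatten grants into (principal, resource_type, name, operation) rows, the
    shape an operator expects from an ACL listing, since kafka-acls.sh cannot show them."""
    return sorted((principal, g.resource_type, g.name_pattern, op) for g in grants for op in g.scopes)


class SessionGrantCache:
    """Grants for one authenticated session: fetched on establishment, enforced
    locally, re-fetched once refresh_seconds have passed. Refresh is done lazily on
    the next decision here (the docs describe a background refresh); the clock is
    injectable so the behaviour can be tested without waiting."""

    def __init__(self, fetch: Callable[[], List[Grant]], refresh_seconds: float,
                 now: Callable[[], float] = time.time) -> None:
        self._fetch = fetch
        self._refresh = refresh_seconds
        self._now = now
        self._grants = fetch()              # first action after the session is established
        self._fetched_at = now()

    def refresh_if_due(self) -> bool:
        if self._now() - self._fetched_at < self._refresh:
            return False
        self._grants = self._fetch()        # pick up added or revoked grants
        self._fetched_at = self._now()
        return True

    def authorize(self, resource_type: str, name: str, operation: str) -> bool:
        """Local decision: any cached grant of the right type whose pattern matches
        the resource name and whose scopes include the operation."""
        self.refresh_if_due()
        return any(
            g.resource_type == resource_type
            and operation in g.scopes
            and fnmatchcase(name, g.name_pattern)
            for g in self._grants
        )


if __name__ == "__main__":
    for row in to_acl_rows("User:alice", parse_grants(SAMPLE_GRANTS_JSON)):
        print(*row)
```

Running the block prints the sample grants as four ACL-like rows; the cache shows why a grant changed in Keycloak is not visible to an existing session until its refresh interval elapses, which is the window an operator should account for when revoking access.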