Kafka Connect authorization model
Learn about the authorization model shipped with Kafka Connect.
Kafka Connect comes with an authorization model. Implementations are pluggable and it is up to the implementation how the capabilities of the model are utilized. The authorization model is implemented by default in Ranger. As a result, Cloudera recommends that you use Ranger.
Resource types
- Cluster
- Cluster is a singleton resource representing the cluster. This resource has the
following operations:
- View: view connector plugins and the root path (basic cluster information).
- Validate: validate connector plugin configuration.
- Manage: manage cluster level resources such as loggers.
- Connector
- Connector is the resource representing a connector and its tasks. This resource has
the following operations:
- View: view connector and task configuration as well as status.
- Manage: pause, resume, and restart connectors.
- Create: create connectors.
- Edit: edit connector configuration.
- Delete: delete connectors.
Error codes
When enabled, the Kafka Connect authentication and authorization framework can return the following HTTP errors in case of an authentication or authorization failure:
- 401 Unauthorized
- The user attempts to connect the Kafka Connect REST server without authentication.
- 403 Forbidden
- The user attempts an operation on a resource that is not permitted, but the user is entitled to view the resource. For example, the user tries to restart a connector that they only have view access to.
- 404 Not Found
- The user attempts an operation on a resource that is not permitted and the resource is not visible by the user.
API endpoint to report user rights on a connector
The Kafka Connect version shipped with Cloudera Runtime includes the
/connector-permissions
endpoint. This endpoint is unique to Kafka Connect
in Cloudera Runtime. It returns all connectors the user has permission to view along with
access rights for each connector. The purpose of the endpoint is to allow the Streams
Messaging Manager (SMM) UI to enable and disable UI controls based on what the user can do
with each connector. This endpoint is not meant to check access rights in the client, these
are always checked on the backend. The endpoint responds in the following format:
{"createAllowed":true,
"permissions": {
"connectorName-1":{"editable":true, "deletable":true, "manageable":true},
"connectorName-2":{"editable":true, "deletable":true, "manageable":true}
}
}
Semantics for listing type endpoints
Listing endpoints (/connectors
and
/connector-permissions
) only return the connectors that the user is
permitted to view. In case the authenticated user has no rights to view any connectors it
returns an empty list. Similarly to other endpoints, it responds with 401
Unauthorized if there is no authenticated user.