Authorization in Cloudera Surveyor for Apache Kafka

Cloudera Surveyor controls access and permissions through Kafka Access Control Lists (ACLs). It does not implement an authorization model of its own and relies entirely on the Kafka ACLs. In addition, Cloudera Surveyor supports a two-level principal mapper model: you can configure a centralized principal mapping rule and a per-cluster principal mapping rule.

Requirements

  • The Kafka cluster’s authorizer implementation must support the DESCRIBE_ACLS Kafka API.

How authorization works

When authorization is enabled for a Kafka cluster in the Cloudera Surveyor configuration, Cloudera Surveyor periodically fetches the ACLs from Kafka and enforces them on all of its endpoints. As a result, every piece of information shown by Cloudera Surveyor follows the same authorization rules as in Kafka, and an ACL change made in Kafka becomes effective in Cloudera Surveyor at the next fetch.

For example, querying the min.isr property of a Kafka topic requires the DESCRIBE_CONFIGS permission on the TOPIC resource, so Cloudera Surveyor only returns min.isr if the authenticated user holds exactly that permission in the Kafka ACLs.

The only deviation from the Kafka ACL model in Cloudera Surveyor is how clusters are exposed to users through the Cloudera Surveyor API: a user needs the CLUSTER DESCRIBE permission to access a cluster registered in Cloudera Surveyor.

Principal mapping rules

The authentication configured in Cloudera Surveyor may produce principal names that differ from the principals configured in the integrated Kafka clusters.

To match the users logged into Cloudera Surveyor with the principals configured in Kafka, you can use the following two principal mapping rules:
  • A global mapping rule – configured with surveyorConfig.surveyor.authentication.principalMappingRule

  • A per-cluster mapping rule – configured with clusterConfigs.clusters[*].authorization.principalMappingRule

Both of these default to the identity mapping (DEFAULT). When the global mapping rule is configured, it applies to all principals in all clusters. When the per-cluster mapping rule is configured, it applies only to that cluster, and it is applied to the output of the global mapping rule. The mapping rules use the same syntax as the Kafka ssl.principal.mapping.rules property.
Table 1. Principal mapping rule example

| Authenticated user | Global mapping | Per-cluster mapping | Mapped principal |
|---|---|---|---|
| user_john_smith | DEFAULT | DEFAULT | user_john_smith |
| user_john_smith | RULE:^user\_(.*)$/u\_$1/ | DEFAULT | u_john_smith |
| user_john_smith | DEFAULT | RULE:^(.*)_(.*)_(.*)$/\$1_\$2/ | user_john |
| user_john_smith | RULE:^user\_(.*)$/u\_$1/ | RULE:^(.*)_(.*)_(.*)$/\$1_\$2/ | u_john |
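The following is an added example, not Cloudera Surveyor's own code: it parses rules in the Kafka ssl.principal.mapping.rules syntax (DEFAULT or RULE:pattern/replacement/ with the optional L/U case suffix), chains the global rule before the per-cluster rule, and reproduces the four rows of Table 1. Two behaviours are assumptions of this example because the page does not specify them: a backslash before $ in a replacement is ignored (so the escaped form in Table 1 yields the documented result), and a RULE whose pattern does not match leaves the principal unchanged.

```python
import re

# Matches "RULE:<pattern>/<replacement>/[L|U]"; "\x" pairs may appear inside
# pattern and replacement so an escaped "/" does not end a field.
_RULE_RE = re.compile(r"^RULE:((?:\\.|[^\\/])*)/((?:\\.|[^\\/])*)/([LU]?)$")


def _expand(replacement: str, match: re.Match) -> str:
    """Expand $1, $2, ... in a Kafka-style replacement against a regex match.

    Assumption: "\\$" is treated like "$" (Table 1 writes \\$1_\\$2); any other
    backslash makes the following character literal (so "\\_" is "_").
    """
    out, i = [], 0
    while i < len(replacement):
        ch = replacement[i]
        if ch == "\\" and i + 1 < len(replacement):
            if replacement[i + 1] != "$":
                out.append(replacement[i + 1])
                i += 2
                continue
            i += 1          # drop the backslash, fall through to "$" handling
            ch = "$"
        if ch == "$":
            j = i + 1
            while j < len(replacement) and replacement[j].isdigit():
                j += 1
            if j > i + 1:   # "$<digits>" -> captured group
                out.append(match.group(int(replacement[i + 1:j])) or "")
                i = j
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def apply_rule(rule: str, principal: str) -> str:
    """Apply one mapping rule; DEFAULT is the identity mapping.

    Assumption: a RULE whose pattern does not match returns the name unchanged.
    """
    if rule == "DEFAULT":
        return principal
    m = _RULE_RE.match(rule)
    if m is None:
        raise ValueError(f"invalid principal mapping rule: {rule}")
    pattern, replacement, case = m.groups()
    hit = re.fullmatch(pattern, principal)   # whole-name match, as in Kafka
    if hit is None:
        return principal
    mapped = _expand(replacement, hit)
    return mapped.lower() if case == "L" else mapped.upper() if case == "U" else mapped


def map_principal(principal: str, global_rule: str = "DEFAULT",
                  cluster_rule: str = "DEFAULT") -> str:
    """Global rule first (all clusters), then the per-cluster rule on its output."""
    return apply_rule(cluster_rule, apply_rule(global_rule, principal))


# Rules copied from Table 1; the check below is constructed for this example.
GLOBAL = r"RULE:^user\_(.*)$/u\_$1/"
CLUSTER = r"RULE:^(.*)_(.*)_(.*)$/\$1_\$2/"

if __name__ == "__main__":
    for g, c in [("DEFAULT", "DEFAULT"), (GLOBAL, "DEFAULT"),
                 ("DEFAULT", CLUSTER), (GLOBAL, CLUSTER)]:
        print(f"{g:28} {c:34} -> {map_principal('user_john_smith', g, c)}")
```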