Kafka Connect authorization model

Learn about the authorization model shipped with Kafka Connect.

Kafka Connect comes with an authorization model. Implementations are pluggable and it is up to the implementation how the capabilities of the model are utilized. The authorization model is implemented by default in Ranger. As a result, Cloudera recommends that you use Ranger.

Resource types

Cluster
Cluster is a singleton resource representing the cluster. This resource has the following operations:
  • View: view connector plugins and the root path (basic cluster information).
  • Validate: validate connector plugin configuration.
  • Manage: manage cluster level resources such as loggers.
Connector
Connector is the resource representing a connector and its tasks. This resource has the following operations:
  • View: view connector and task configuration as well as status.
  • Manage: pause, resume, and restart connectors.
  • Create: create connectors.
  • Edit: edit connector configuration.
  • Delete: delete connectors.

Error codes

When enabled, the Kafka Connect authentication and authorization framework can return the following HTTP errors in case of an authentication or authorization failure:

401 Unauthorized
The user attempts to connect the Kafka Connect REST server without authentication.
403 Forbidden
The user attempts an operation on a resource that is not permitted but the user is entitled to view the resource. For example, the user tries to restart a connector that they only have view access to.
404 Not Found
The user attempts an operation on a resource that is not permitted and the resource is not visible by the user.

API endpoint to report user rights on a connector

The Kafka Connect version shipped with Cloudera Runtime includes the /connector-permissions endpoint. This endpoint is unique to Kafka Connect in Cloudera Runtime. It returns all connectors the user has permission to view along with access rights for each connector. The purpose of the endpoint is to allow the Streams Messaging Manager (SMM) UI to enable and disable UI controls based on what the user can do with each connector. This endpoint is not meant to check access rights in the client, these are always checked on the backend. The endpoint responds in the following format:

{"createAllowed":true,
  "permissions": {
      "connectorName-1":{"editable":true, "deletable":true, "manageable":true},
      "connectorName-2":{"editable":true, "deletable":true, "manageable":true}
  }
}

Semantics for listing type endpoints

Listing endpoints (/connectors and /connector-permissions) only return the connectors that the user is permitted to view. In case the authenticated user has no rights to view any connectors it returns an empty list. Similarly to other endpoints, it responds with 401 Unauthorized if there is no authenticated user.