/**
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package kafka.security.auth
import kafka.network.RequestChannel.Session
import org.apache.kafka.common.Configurable
import org.apache.kafka.common.security.auth.KafkaPrincipal
/**
* Top-level interface that every pluggable authorizer must implement. At startup the Kafka server reads the
* "authorizer.class" config value, creates an instance of the specified class and calls its initialize method.
* authorizer.class must name a class that implements this interface.
* If authorizer.class has no value specified, no authorization will be performed, i.e. requests are not subject
* to any ACL check.
*
* From that point onwards, every client request is first routed to the authorize method, and the request is only
* authorized if that method returns true.
*/
trait Authorizer extends Configurable {
// Every member below is abstract; the behaviour is defined entirely by the implementing class.
// Instances receive their configuration through the inherited Configurable interface.
// NOTE(review): none of the ACL management methods takes a session or principal, so this interface
// cannot check who is asking for a change or a listing; callers are presumably expected to
// authorize the caller before invoking them. Confirm at the call sites.
/**
* Decides whether the client behind a session may perform an operation on a resource.
* The result is the only signal the caller gets: a request is authorized only when this returns true.
* NOTE(review): implementations should deny (return false) when the decision cannot be made, e.g. the
* acl store is unreachable, rather than defaulting to true. Confirm that each implementation does so.
* @param session The session of the client whose request is being authorized.
*                Presumably carries the authenticated principal; verify against RequestChannel.Session.
* @param operation Type of operation client is trying to perform on resource.
* @param resource Resource the client is trying to access.
* @return true if the operation is allowed on the resource for this session, false otherwise.
*/
def authorize(session: Session, operation: Operation, resource: Resource): Boolean
/**
* Adds the acls to resource. This is an additive operation, so existing acls will not be overwritten; instead
* these new acls will be added to the existing acls.
* @param acls set of acls to add to existing acls
* @param resource the resource to which these acls should be attached.
*/
def addAcls(acls: Set[Acl], resource: Resource): Unit
/**
* Removes these acls from the resource.
* @param acls set of acls to be removed.
* @param resource resource from which the acls should be removed.
* @return true if some acl got removed, false if no acl was removed.
*/
def removeAcls(acls: Set[Acl], resource: Resource): Boolean
/**
* Removes a resource along with all of its acls from the acl store.
* NOTE(review): what authorize returns for a resource that has no acls left is decided by the
* implementation. Confirm that removing every acl cannot end up granting access.
* @param resource the resource to remove from the acl store.
* @return presumably true if something was removed and false otherwise, mirroring the two-argument
*         overload. The original documentation leaves this unspecified; TODO confirm.
*/
def removeAcls(resource: Resource): Boolean
/**
* Gets the set of acls for this resource.
* @param resource the resource whose acls are requested.
* @return empty set if no acls are found, otherwise the acls for the resource.
*/
def getAcls(resource: Resource): Set[Acl]
/**
* Gets the acls for this principal.
* @param principal the principal whose acls are requested.
* @return empty Map if no acls exist for this principal, otherwise a map of resource -> acls for the principal.
*/
def getAcls(principal: KafkaPrincipal): Map[Resource, Set[Acl]]
/**
* Gets the map of resource to acls for all resources.
* @return map of resource -> acls covering every resource known to the authorizer.
*/
def getAcls(): Map[Resource, Set[Acl]]
/**
* Closes this instance.
*/
def close(): Unit
}