Crate crabka_authz


Shared Kafka-ACL authorization evaluator (broker + gateway).

Holds the Authorizer trait + ACL evaluator (SimpleAclAuthorizer / AllowAllAuthorizer) plus an AclSource abstraction so one evaluator serves both the broker (a MetadataImage snapshot) and the gateway (an AclCache over a Vec<AclEntry> fetched via DescribeAcls). The decision logic (super-user bypass, deny-wins, operation implication) lives here once so the two callers can never drift.

§Authorizing a request

use crabka_authz::{AllowAllAuthorizer, AuthorizationRequest, AuthorizationResult, Authorizer};
use crabka_metadata::{AclOperation, MetadataImage, ResourceType};
use crabka_security::{AuthMethod, Principal};
use std::net::SocketAddr;
use uuid::Uuid;

let image = MetadataImage::new(Uuid::nil());
let principal = Principal {
    name: "alice".into(),
    auth_method: AuthMethod::SaslPlain,
    groups: vec![],
};
let host: SocketAddr = "127.0.0.1:9092".parse().unwrap();
let req = AuthorizationRequest {
    principal: &principal,
    host: &host,
    resource_type: ResourceType::Topic,
    resource_name: "orders",
    operation: AclOperation::Read,
};

assert_eq!(
    AllowAllAuthorizer.authorize(&image, &req),
    AuthorizationResult::Allow,
);

Re-exports§

pub use cache::AclCache;

Modules§

cache
Gateway-side ACL snapshot: a flat Vec<AclEntry> (from describe_acls) that implements AclSource with EXACTLY the broker’s matching semantics.

Structs§

AllowAllAuthorizer
Authorizer that always returns AuthorizationResult::Allow. Default authorizer value; chosen by type = "allow_all" (or omitted entirely) in the broker / gateway config.
AuthorizationRequest
What authorize is being asked: which principal wants to do which operation on which resource, from which host. References are borrowed so handler-side construction is allocation-free.
SimpleAclAuthorizer
Authorizer that consults the cluster’s persisted ACLs (the AclSource is supplied per call — a MetadataImage for the broker, an AclCache for the gateway). Holds the configured super-user set; principals in this set bypass ACL evaluation and always get Allow.

Enums§

AuthorizationResult
Binary outcome — Kafka’s ACL surface is allow/deny; intermediate states (e.g. “not yet decided”) aren’t exposed at the trait boundary.

Traits§

AclSource
A source of ACL entries the authorizer can match against. matching_acls MUST return every entry whose resource pattern matches (rt, name): LITERAL entries equal to name, LITERAL * (wildcard), and PREFIXED entries where name.starts_with(entry.resource_name). (Mirrors crabka_metadata::MetadataImage::matching_acls in crates/metadata/src/image.rs.)
Authorizer
Pluggable per-broker / per-gateway authorization decision point. Implementations own whatever state they need to render a decision (super-user set, HTTP client, decision cache) and the caller holds a single Arc<dyn Authorizer>.

Functions§

authorize_topics
Batch-authorize a set of topic names against the same principal / host / operation. Used by Produce, Fetch, and Metadata per-topic enforcement. The returned map’s keys are borrowed from the input iterator so callers can avoid copying topic strings.
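
The decision order described above (super-user bypass, deny-wins, operation implication) applied over the AclSource matching rules, as an added standalone example that is not crabka_authz code: `Op`, `Perm`, `Pattern`, `Acl` and the functions are hypothetical names. It assumes Apache Kafka's rule that an ALLOW for Read or Write implies Describe and that a request with no matching ALLOW is denied, and it leaves host matching out.

```rust
// Added illustration with hypothetical types; this is not the crabka_authz API.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Op { Read, Write, Describe }
#[derive(Clone, Copy, PartialEq, Debug)]
enum Perm { Allow, Deny }
enum Pattern { Literal, Prefixed }
struct Acl { principal: &'static str, pattern: Pattern, name: &'static str, op: Op, perm: Perm }

// Resource-pattern matching as the AclSource contract describes it.
fn pattern_matches(acl: &Acl, topic: &str) -> bool {
    match acl.pattern {
        Pattern::Literal => acl.name == "*" || acl.name == topic,
        Pattern::Prefixed => topic.starts_with(acl.name),
    }
}

// Assumption (Apache Kafka's rule): an ALLOW for Read or Write also grants Describe.
fn allow_covers(granted: Op, wanted: Op) -> bool {
    granted == wanted || (wanted == Op::Describe && matches!(granted, Op::Read | Op::Write))
}

fn authorize(acls: &[Acl], super_users: &[&str], who: &str, topic: &str, op: Op) -> Perm {
    if super_users.contains(&who) {
        return Perm::Allow; // super-user bypass: ACLs are never consulted
    }
    let hits: Vec<&Acl> = acls.iter().filter(|a| a.principal == who && pattern_matches(a, topic)).collect();
    // Deny wins: a matching DENY for this operation overrides every ALLOW.
    if hits.iter().any(|a| a.perm == Perm::Deny && a.op == op) {
        return Perm::Deny;
    }
    if hits.iter().any(|a| a.perm == Perm::Allow && allow_covers(a.op, op)) {
        Perm::Allow
    } else {
        Perm::Deny // assumption: no matching ALLOW means deny
    }
}

// Constructed sample ACLs.
fn sample() -> Vec<Acl> {
    vec![
        Acl { principal: "alice", pattern: Pattern::Prefixed, name: "orders", op: Op::Read, perm: Perm::Allow },
        Acl { principal: "alice", pattern: Pattern::Literal, name: "orders-pii", op: Op::Read, perm: Perm::Deny },
        Acl { principal: "bob", pattern: Pattern::Literal, name: "*", op: Op::Write, perm: Perm::Allow },
    ]
}

fn main() {
    let acls = sample();
    println!("{:?}", authorize(&acls, &["admin"], "alice", "orders-pii", Op::Read)); // Deny
}
```

In this model a DENY on Read does not deny Describe, so alice can still describe `orders-pii` through the prefixed ALLOW; add an explicit DENY on Describe if the topic's existence should be hidden as well.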