Commit 88d776a

Clarified diff authzforce restful pdp vs server
1 parent 4513d9d commit 88d776a

1 file changed

+2
-1
lines changed

README.md

@@ -3,9 +3,10 @@
33
## Terms
44
* **[XACML](http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.html)**: eXtensisble Access Control Markup Language for access policies and access requests/responses, standardized by OASIS.
55
* **PDP**: Policy Decision Point, as defined in XACML standard.
6+
* **PAP**: Policy Administration Point, as defined in XACML standard.
67

78
## Project description
8-
This project provides an [Authorizer](https://kafka.apache.org/documentation/#security_authz) implementation for Apache Kafka that extends the Kafa's default authorizer (`kafka.security.auth.SimpleAclAuthorizer`) to enable getting XACML authorization decisions from a XACML-enabled PDP's REST API as well, according to the [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html). [AuthzForce Server](https://github.com/authzforce/server) and [AuthzForce RESTful PDP](https://github.com/authzforce/restful-pdp) both provide such REST API.
9+
This project provides an [Authorizer](https://kafka.apache.org/documentation/#security_authz) implementation for Apache Kafka that extends the Kafa's default authorizer (`kafka.security.auth.SimpleAclAuthorizer`) to enable getting XACML authorization decisions from a XACML-enabled PDP's REST API as well, according to the [REST Profile of XACML 3.0](http://docs.oasis-open.org/xacml/xacml-rest/v1.0/xacml-rest-v1.0.html). [AuthzForce Server](https://github.com/authzforce/server) and [AuthzForce RESTful PDP](https://github.com/authzforce/restful-pdp) both provide such REST API. Usually, the latter is enough for simple use cases, unless you need a PAP API, multi-tenancy, etc. in which case AuthzForce Server is a better fit (see the [documentation for the full list of features](http://authzforce-ce-fiware.readthedocs.io/en/latest/Features.html))
910

1011
In other terms, you can still use [Kafka ACLs](http://kafka.apache.org/documentation.html#security_authz) with this same authorizer as you would with the default one. XACML evaluation must be enabled explicitly by setting specific properties as described later below. *XACML evaluation* here stands for the extra process of getting a XACML authorization decision from a remote PDP according to the REST Profile of XACML 3.0.
1112
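Review bot: The sentence appended to the project description (new line 9) ends at the closing parenthesis with no full stop, and "multi-tenancy, etc. in which case" needs a comma before "in which case". Since that whole line is rewritten by this change, fix "the Kafa's default authorizer" to "Kafka's default authorizer" in the same edit, along with "eXtensisble" in the XACML term above it. The new features link points at `http://authzforce-ce-fiware.readthedocs.io/...`; use the `https://` form. "Enough for simple use cases" is vague for someone choosing which PDP to put behind the authorizer, so consider stating the deciding criterion directly, for example that RESTful PDP fits when policies are managed outside the service and a single tenant is served, which is what the newly defined PAP term and the multi-tenancy mention already imply.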
