Releases: StyraInc/opa-kafka-plugin

v1.5.1

09 Mar 10:33
d2c7851
  • Move construction of request builder to AllowCallable call method to avoid it being shared between threads #47 (@xhl1988)

v1.5.0

10 Oct 12:50
8ed4606
  • Add configuration properties (opa.authorizer.truststore.*) for truststore for HTTPS connections to OPA (@iamatwork)

v1.4.0

11 Jan 07:17

v1.3.0

01 Dec 10:16
68bac6b
  • Fix issue where unimplemented acls method of authorizer would be called under certain conditions (@iamatwork)
  • Change package group from com.bisnode.kafka.authorization to org.openpolicyagent.kafka

v1.2.0

12 Oct 11:46
56bd5f0

Changes

  • Compatibility with Apache Kafka 3.0.0

v1.1.0

03 May 12:23
15d32fb

Changes

  • Update to Kafka library 2.8.0
    • Tested on Kafka 2.7.0 & 2.8.0

v1.0.0

29 Mar 09:37
b46db48

Changes

Breaking changes:

  • Update to use Scala 2.13
    • Requires a Kafka cluster running 2.13
  • Update to Kafka library 2.7.0
    • Requires Kafka 2.7.X
  • New input structure to OPA
    • You will need to adjust policies to work with the new input structure. See the example of the new structure below. We suggest updating your policies before upgrading so that they work with both the old and the new structure, then upgrading the plugin, and finally removing the old policies.

New input structure:

{
    "action": {
        "logIfAllowed": true,
        "logIfDenied": true,
        "operation": "DESCRIBE",
        "resourcePattern": {
            "name": "alice-topic",
            "patternType": "LITERAL",
            "resourceType": "TOPIC",
            "unknown": false
        },
        "resourceReferenceCount": 1
    },
    "requestContext": {
        "clientAddress": "192.168.64.1",
        "clientInformation": {
            "softwareName": "unknown",
            "softwareVersion": "unknown"
        },
        "connectionId": "192.168.64.4:9092-192.168.64.1:58864-0",
        "header": {
            "data": {
                "clientId": "rdkafka",
                "correlationId": 5,
                "requestApiKey": 3,
                "requestApiVersion": 2
            },
            "headerVersion": 1
        },
        "listenerName": "SASL_PLAINTEXT",
        "principal": {
            "name": "alice-consumer",
            "principalType": "User"
        },
        "securityProtocol": "SASL_PLAINTEXT"
    }
}
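
As an added example (not taken from the plugin's repository), here is a default-deny Rego policy written against the new input structure shown above. The package name `kafka.authz`, the rule name `allow`, and the `topic_prefix_by_user` ownership map are assumptions for illustration; `import rego.v1` assumes an OPA version that supports it.

```rego
package kafka.authz

import rego.v1

# Deny unless a rule below explicitly allows the request.
default allow := false

# Constructed sample data: principal name -> topic name prefix it may read.
topic_prefix_by_user := {"alice-consumer": "alice-"}

# Kafka ACL operations treated as read-only in this example.
read_operations := {"DESCRIBE", "READ"}

# Shorthand for the nested fields of the new input structure.
principal := input.requestContext.principal

resource := input.action.resourcePattern

# Allow read-only access to literal topics under the principal's own prefix.
allow if {
	principal.principalType == "User"
	resource.resourceType == "TOPIC"
	resource.patternType == "LITERAL"
	input.action.operation in read_operations
	prefix := topic_prefix_by_user[principal.name]
	startswith(resource.name, prefix)
}
```

With the sample input above (`alice-consumer` performing `DESCRIBE` on `alice-topic`), `allow` evaluates to `true`; any request with a missing or unexpected field falls through to the default `false`.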

Other changes

  • Include guava and paranamer in the shadowJar since they have been excluded from the Kafka installation
  • Update to use the new Kafka libraries to use the new API
  • Update OPA policy and tests to work with the new input structure
  • Update version on various dependencies
  • Add Maven information to README
  • Update changelog

v.0.4.2

20 Oct 12:42

v0.4.0

23 Apr 15:24
  • Allow super.users to bypass OPA authorizer checks - @scholzj
  • Fix wrong unit provided in docs on cache expiry - @kelvk

0.3.0

28 Nov 11:36
  • Update default cache settings.
  • Don't cache a negative decision when plugin fails to connect to OPA.