Hello?

```yaml
authorization:
  type: custom
  authorizerClass: mypackage.MyCustomAuthorizer
  superUsers:
    - admin
```

And I found that brokers couldn't fetch because of their authorization.

```java
// First, this is called.
public KafkaBrokerConfigurationBuilder withAuthorization(String clusterName, KafkaAuthorization authorization) {
    if (authorization != null) {
        List<String> superUsers = new ArrayList<>();
        // Broker superusers
        superUsers.add(String.format("User:CN=%s,O=io.strimzi", KafkaResources.kafkaComponentName(clusterName)));
        superUsers.add(String.format("User:CN=%s-%s,O=io.strimzi", clusterName, "entity-topic-operator"));
        superUsers.add(String.format("User:CN=%s-%s,O=io.strimzi", clusterName, "entity-user-operator"));
        superUsers.add(String.format("User:CN=%s-%s,O=io.strimzi", clusterName, "kafka-exporter"));
        superUsers.add(String.format("User:CN=%s-%s,O=io.strimzi", clusterName, "cruise-control"));
        superUsers.add(String.format("User:CN=%s,O=io.strimzi", "cluster-operator"));
        printSectionHeader("Authorization");
        configureAuthorization(clusterName, superUsers, authorization);
        writer.println("super.users=" + String.join(";", superUsers));
        writer.println();
    }
    return this;
}

// This is called secondly.
private void configureAuthorization(String clusterName, List<String> superUsers, KafkaAuthorization authorization) {
    if (authorization instanceof KafkaAuthorizationSimple simpleAuthz) {
        configureSimpleAuthorization(simpleAuthz, superUsers);
    } else if (authorization instanceof KafkaAuthorizationOpa opaAuthz) {
        configureOpaAuthorization(opaAuthz, superUsers);
    } else if (authorization instanceof KafkaAuthorizationKeycloak keycloakAuthz) {
        configureKeycloakAuthorization(clusterName, keycloakAuthz, superUsers);
    } else if (authorization instanceof KafkaAuthorizationCustom customAuthz) {
        configureCustomAuthorization(customAuthz, superUsers);
    }
}

// Lastly, this is called.
private void configureCustomAuthorization(KafkaAuthorizationCustom authorization, List<String> superUsers) {
    writer.println("authorizer.class.name=" + authorization.getAuthorizerClass());
    // User configured super-users
    if (authorization.getSuperUsers() != null && !authorization.getSuperUsers().isEmpty()) {
        superUsers.addAll(authorization.getSuperUsers().stream().map(e -> String.format("User:%s", e)).toList());
    }
}
```

In my opinion, these three functions just add the super users of the authorization to a list which would be deleted at some point after these functions have been called, i.e. the super users that should be added, like "User:CN=clusters,O=io.strimzi", are not added. If I am right, should I append the additions of the first function manually in my custom authorizer?
Replies: 1 comment 1 reply
The super users are added to the list and that list is printed into the configuration file. You can see it on this line:
So I'm not sure what exactly you mean with them not being added. You should also be able to see it in the broker logs. If it doesn't work, you should make sure your custom authorizer implements the super users.
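One way a custom authorizer can honor the generated `super.users` line, as an added example that is not code from this thread, Strimzi or Kafka: it assumes the authorizer receives the broker configuration in its `configure(Map<String, ?>)` method, and `SuperUserCheck`, the cluster name `my-cluster` and the sample line are hypothetical.

```java
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;

// Hypothetical helper for a custom authorizer; not Strimzi or Kafka code.
public class SuperUserCheck {
    private Set<String> superUsers = Set.of();

    // Call this from the authorizer's configure(Map<String, ?>): the broker
    // configuration passed there includes the generated super.users line.
    public void configure(Map<String, ?> configs) {
        Object raw = configs.get("super.users");
        if (raw == null) {
            return; // no super users configured, keep the empty set
        }
        // Entries are separated by ';' because a DN such as
        // "CN=...,O=io.strimzi" contains commas itself.
        superUsers = Arrays.stream(raw.toString().split(";"))
                .map(String::trim)
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toUnmodifiableSet());
    }

    // principalType and name correspond to KafkaPrincipal.getPrincipalType()
    // and KafkaPrincipal.getName() of the request's principal.
    public boolean isSuperUser(String principalType, String name) {
        return superUsers.contains(principalType + ":" + name);
    }

    public static void main(String[] args) {
        // Constructed sample in the format the quoted builder writes.
        String line = "User:CN=my-cluster-kafka,O=io.strimzi;"
                + "User:CN=cluster-operator,O=io.strimzi;User:admin";
        SuperUserCheck check = new SuperUserCheck();
        check.configure(Map.of("super.users", line));
        // Broker principal, user-configured super user, unknown user.
        System.out.println(check.isSuperUser("User", "CN=my-cluster-kafka,O=io.strimzi"));
        System.out.println(check.isSuperUser("User", "admin"));
        System.out.println(check.isSuperUser("User", "mallory"));
    }
}
```

In the authorizer's `authorize` method, a principal for which `isSuperUser` returns true would be allowed before any of the authorizer's own rules are evaluated, which is what lets the brokers' own requests through.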