In general, making authorization decision based on client version might not be 
a good idea. It will just provide a loop hole for someone to downgrade their 
client version to exploit or workaround any restrictions.

> > propose a single broker dynamic configuration: client.min.api.version, to
> On the other hand, most users are not likely to write a custom authorizer to 
> try to take advantage of version information being passed to the authorizer.  
These could be Authorizer implementation detail. If needed, native 
implementation could use this property to make the decision, while the custom 
authorizer can use this property or come up with their own set of properties to 
support or not support certain checks or features. Regardless, it would be good 
to have checks consistent across the version.

> Another thing to consider is that if we add a new broker configuration that 
> lets us set a minimum client version which is allowed, that could be useful 
> to other users as well. 
I am not sure whether the client version is available during authorization API 
call. It might be good if we can send these information in a generic name/value 
list in session context. In that way,  the authorization implementation can use 
it the way the way want to or ignore it.

Bosco


On 2/26/19, 10:04 AM, "Colin McCabe" <cmcc...@apache.org> wrote:

    Hi Harsha,
    
    I think Ismael and Gwen here bring up a good point.  The version of the 
request is a technical detail that isn't really related to authorization.  
There are a lot of other technical details like this like the size of the 
request, the protocol it came in on, etc.  None of them are passed to the 
authorizer-- they all have configuration knobs to control how we handle them.  
If we add this technical detail, logically we'll have to start adding all the 
others, and the authorizer API will get really bloated.  It's better to keep it 
focused on authorization, I think.
    
    Another thing to consider is that if we add a new broker configuration that 
lets us set a minimum client version which is allowed, that could be useful to 
other users as well.  On the other hand, most users are not likely to write a 
custom authorizer to try to take advantage of version information being passed 
to the authorizer.  So, I think  using a configuration is clearly the better 
way to go here.  Perhaps it can be a KIP-226 dynamic configuration to make this 
easier to deploy?
    
    cheers,
    Colin
    
    
    On Mon, Feb 25, 2019, at 15:43, Harsha wrote:
    > Hi Ying,
    >         I think the question is can we add a module in the core which 
    > can take up the dynamic config and does a block certain APIs.  This 
    > module will be called in each of the APIs like the authorizer does 
    > today to check if the API is supported for the client. 
    > Instead of throwing AuthorizationException like the authorizer does 
    > today it can throw UnsupportedException.
    > Benefits are,  we are keeping the authorizer interface as is and adding 
    > the flexibility based on dynamic configs without the need for 
    > categorizing broker APIs and it will be easy to extend to do additional 
    > options,  like turning off certain features which might be in interest 
    > to the service providers.
    > One drawback,  It will introduce another call to check instead of 
    > centralizing everything around Authorizer.
    > 
    > Thanks,
    > Harsha
    > 
    > On Mon, Feb 25, 2019, at 2:43 PM, Ying Zheng wrote:
    > > If you guys don't like the extension of authorizer interface, I will 
just
    > > propose a single broker dynamic configuration: client.min.api.version, 
to
    > > keep things simple.
    > > 
    > > What do you think?
    > > 
    > > On Mon, Feb 25, 2019 at 2:23 PM Ying Zheng <yi...@uber.com> wrote:
    > > 
    > > > @Viktor Somogyi-Vass, @Harsha, It seems the biggest concern is the
    > > > backward-compatibility to the existing authorizers. We can put the new
    > > > method into a new trait / interface:
    > > > trait AuthorizerEx extends Authorizer {
    > > >    def authorize(session: Session, operation: Operation, resource: 
Resource,
    > > > apiVersion: Short): Boolean
    > > > }
    > > >
    > > > When loading an authorizer class, broker will check if the class
    > > > implemented AuthorizerEx interface. If not, broker will wrapper the
    > > > Authorizer object with an Adapter class, in which authorizer(...
    > > > apiVersion) call is translated to the old authorizer() call. So that, 
both
    > > > old and new Authorizer is supported and can be treated as 
AuthorizerEx in
    > > > the new broker code.
    > > >
    > > > As for the broker dynamic configuration approach, I'm not sure how to
    > > > correctly categorize the 40+ broker APIs into a few categories.
    > > > For example, describe is used by producer, consumer, and admin. 
Should it
    > > > be controlled by producer.min.api.version or consumer.min.api.version?
    > > > Should producer.min.api.version apply to transaction operations?
    > > >
    > > >
    > > > On Mon, Feb 25, 2019 at 10:33 AM Harsha <ka...@harsha.io> wrote:
    > > >
    > > >> I think the motivation of the KIP is to configure which API we want 
to
    > > >> allow for a broker.
    > > >> This is challenging for a hosted service where you have customers 
with
    > > >> different versions of clients.
    > > >> It's not just about down conversion but for example transactions, 
there
    > > >> is a case where we do not want to allow users to start using 
transactions
    > > >> and there is no way to disable to this right now and as specified in 
the
    > > >> KIP, having a lock on which client versions we support.
    > > >> Authorizer's original purpose is to allow policies to be enforced for
    > > >> each of the Kafka APIs, specifically in the context of security.
    > > >> Extending this to a general purpose gatekeeper might not be suitable 
and
    > > >> as mentioned in the thread every implementation of authorizer needs 
to
    > > >> re-implement to provide the same set of functionality.
    > > >> I think it's better to add an implementation which will use a 
broker's
    > > >> dynamic config as mentioned in approach 1.
    > > >>
    > > >> Thanks,
    > > >> Harsha
    > > >>
    > > >> On Sat, Feb 23, 2019, at 6:21 AM, Ismael Juma wrote:
    > > >> > Thanks for the KIP. Have we considered the existing topic config 
that
    > > >> makes
    > > >> > it possible to disallow down conversions? That's the biggest 
downside in
    > > >> > allowing older clients.
    > > >> >
    > > >> > Ismael
    > > >> >
    > > >> > On Fri, Feb 22, 2019, 2:11 PM Ying Zheng <yi...@uber.com.invalid>
    > > >> wrote:
    > > >> >
    > > >> > >
    > > >> > >
    > > >> >
    > > >>
    > > >
    > >
    >
    


Reply via email to