[ 
https://issues.apache.org/jira/browse/SENTRY-2276?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gergo Wilder updated SENTRY-2276:
---------------------------------
    Description: 
When sending AlterConfigs or DescribeConfigs requests using Kafka's AdminClient 
class to a Sentry-enabled Kafka broker, I noticed that the request would fail 
on the broker side with a NullPointerException in 
ResourceAuthorizationProvider::buildPermissions, the action being null.

However, other requests, such as DescribeTopics, would work fine. I discovered 
that these request types are not covered in Sentry's 
[KafkaActionFactory|https://github.com/apache/sentry/blob/branch-2.0/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaActionFactory.java]
 which leads to null values being returned as Actions, e.g., from 
getActionByName.

Sentry's Kafka binding does not support the following actions that are defined 
by Kafka's authorization model:
 * AlterConfigs
 * DescribeConfigs
 * IdempotentWrite

It does not support the TransactionalId authorizable resource either that is 
required for using Kafka's transactional capabilities in combination with 
Sentry authorizer.

 

  was:
When sending AlterConfigs or DescribeConfigs requests using Kafka's AdminClient 
class to a Sentry-enabled Kafka broker, I noticed that the request would fail 
on the broker side with a NullPointerException in 
ResourceAuthorizationProvider::buildPermissions, the action being null.

However, other requests, such as DescribeTopics, would work fine. I discovered 
that these request types are not covered in Sentry's 
[KafkaActionFactory|https://github.com/apache/sentry/blob/branch-2.0/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaActionFactory.java]
 which leads to null values being returned as Actions, e.g., from 
getActionByName.

Compare with Kafka's list of authenticable operations in 
[Operation.scala|https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/security/auth/Operation.scala]
 .

Though I don't know any details about it, the command "IdempotentWrite" also 
seems unsupported on the Sentry side.


> Sentry-Kafka integration does not support Kafka's Alter/DescribeConfigs and 
> IdempotentWrite operations
> ------------------------------------------------------------------------------------------------------
>
>                 Key: SENTRY-2276
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2276
>             Project: Sentry
>          Issue Type: Bug
>          Components: kafka-integration
>         Environment: Cloudera's Kafka (CDK 3.1.0) and Sentry Distribution, as 
> included with CDH 5.13
>            Reporter: Julian Eberius
>            Assignee: Gergo Wilder
>            Priority: Minor
>
> When sending AlterConfigs or DescribeConfigs requests using Kafka's 
> AdminClient class to a Sentry-enabled Kafka broker, I noticed that the 
> request would fail on the broker side with a NullPointerException in 
> ResourceAuthorizationProvider::buildPermissions, the action being null.
> However, other requests, such as DescribeTopics, would work fine. I 
> discovered that these request types are not covered in Sentry's 
> [KafkaActionFactory|https://github.com/apache/sentry/blob/branch-2.0/sentry-core/sentry-core-model-kafka/src/main/java/org/apache/sentry/core/model/kafka/KafkaActionFactory.java]
>  which leads to null values being returned as Actions, e.g., from 
> getActionByName.
> Sentry's Kafka binding does not support the following actions that are 
> defined by Kafka's authorization model:
>  * AlterConfigs
>  * DescribeConfigs
>  * IdempotentWrite
> It does not support the TransactionalId authorizable resource either that is 
> required for using Kafka's transactional capabilities in combination with 
> Sentry authorizer.
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
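
The failure mode in this report, shown as an added Java example that is not Sentry's or Kafka's code: a name-to-action lookup that returns null for an unmapped operation, a caller that dereferences the result, and a caller that treats an unmapped operation as an explicit deny. The class, the method bodies and the set of mapped actions are simplified assumptions; only the operation names and the name `getActionByName` come from the report.

```java
import java.util.*;

// Added illustration; hypothetical names, not Sentry's actual API.
public class ActionLookupDemo {
    static final class Action {
        final String value;
        Action(String value) { this.value = value; }
    }

    // Assumed set of mapped actions; AlterConfigs, DescribeConfigs and
    // IdempotentWrite are absent, as the report describes.
    static final Map<String, Action> ACTIONS = new HashMap<>();
    static {
        for (String a : new String[] {"read", "write", "create", "delete", "alter", "describe"}) {
            ACTIONS.put(a, new Action(a));
        }
    }

    // Lookup in the style the report describes: unknown names yield null.
    static Action getActionByName(String name) {
        return ACTIONS.get(name.toLowerCase(Locale.ROOT));
    }

    // Fragile caller: an unmapped operation surfaces as a
    // NullPointerException instead of an authorization decision.
    static boolean authorizeFragile(Set<String> granted, String operation) {
        return granted.contains(getActionByName(operation).value);
    }

    // Fail-closed caller: an unmapped operation is logged and denied.
    static boolean authorizeFailClosed(Set<String> granted, String operation) {
        Action action = getActionByName(operation);
        if (action == null) {
            System.err.println("DENY: operation not mapped by authorizer: " + operation);
            return false;
        }
        return granted.contains(action.value);
    }

    public static void main(String[] args) {
        Set<String> granted = new HashSet<>(Arrays.asList("describe", "alter")); // constructed grants
        for (String op : new String[] {"Describe", "DescribeConfigs", "AlterConfigs", "IdempotentWrite"}) {
            String fragile;
            try {
                fragile = String.valueOf(authorizeFragile(granted, op));
            } catch (NullPointerException e) {
                fragile = "NullPointerException";
            }
            System.out.println(op + ": fragile=" + fragile + ", failClosed=" + authorizeFailClosed(granted, op));
        }
    }
}
```

Denying is a stopgap that keeps the broker's authorization path predictable; clients still cannot use these operations until the actions are mapped.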
