[GitHub] [kafka] pprovenzano commented on a diff in pull request #13114: KAFKA-14084: SCRAM support in KRaft.

Wed, 15 Feb 2023 06:25:10 -0800 


pprovenzano commented on code in PR #13114:
URL: https://github.com/apache/kafka/pull/13114#discussion_r1107193412


##########
metadata/src/main/java/org/apache/kafka/image/ScramImage.java:
##########
@@ -50,6 +58,63 @@ public void write(ImageWriter writer, ImageWriterOptions 
options) {
         }
     }
 
+    public DescribeUserScramCredentialsResponseData 
describe(DescribeUserScramCredentialsRequestData request) {
+
+        List<UserName> users = request.users();
+        Map<String, Boolean> uniqueUsers = new HashMap<String, Boolean>();
+
+        if ((users == null) || (users.size() == 0)) {
+            System.out.println("Describe : get all the users");
+            // If there are no users listed then get all the users
+            for (Map<String, ScramCredentialData> scramCredentialDataSet : 
mechanisms.values()) {
+                for (String user : scramCredentialDataSet.keySet()) {
+                    uniqueUsers.put(user, false);
+                }
+            }
+        } else {
+            // Filter out duplicates
+            for (UserName user : users) {
+                if (uniqueUsers.containsKey(user.name())) {
+                    uniqueUsers.put(user.name(), true);
+                } else {
+                    uniqueUsers.put(user.name(), false);
+                }
+            }
+        }
+
+        DescribeUserScramCredentialsResponseData retval = new 
DescribeUserScramCredentialsResponseData();
+
+        for (Map.Entry<String, Boolean> user : uniqueUsers.entrySet()) {
+            DescribeUserScramCredentialsResult result = 
+              new DescribeUserScramCredentialsResult().setUser(user.getKey());
+
+            if (user.getValue() == false) {
+                List<CredentialInfo> credentialInfos = new 
ArrayList<CredentialInfo>();
+
+                boolean datafound = false;
+                for (Map.Entry<ScramMechanism, Map<String, 
ScramCredentialData>> mechanismsEntry : mechanisms.entrySet()) {
+                    Map<String, ScramCredentialData> credentialDataSet = 
mechanismsEntry.getValue();
+                    if (credentialDataSet.containsKey(user.getKey())) {
+                        credentialInfos.add(new 
CredentialInfo().setMechanism(mechanismsEntry.getKey().type())
+                                                                
.setIterations(credentialDataSet.get(user.getKey()).iterations()));
+                        datafound = true;
+                    }
+                }
+                if (datafound) {
+                    result.setCredentialInfos(credentialInfos);
+                } else {
+                    result.setErrorCode(Errors.RESOURCE_NOT_FOUND.code())

Review Comment:
   The request contains a list of users. If the list is empty then the request 
is to describe all the users. I personally think this is a security issue but 
I'm just implementing what was there for Zk. 
   
   If there are no users with SCRAM credentials and the request is to describe 
all the users, then an empty response is returned. It is not an error. This is 
tested in the unit test.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to