rondagostino commented on code in PR #14083:
URL: https://github.com/apache/kafka/pull/14083#discussion_r1297350659
##########
core/src/main/scala/kafka/server/KafkaApis.scala:
##########
@@ -215,9 +215,9 @@ class KafkaApis(val requestChannel: RequestChannel,
case ApiKeys.DESCRIBE_LOG_DIRS => handleDescribeLogDirsRequest(request)
case ApiKeys.SASL_AUTHENTICATE =>
handleSaslAuthenticateRequest(request)
case ApiKeys.CREATE_PARTITIONS => maybeForwardToController(request,
handleCreatePartitionsRequest)
- case ApiKeys.CREATE_DELEGATION_TOKEN =>
maybeForwardToController(request, handleCreateTokenRequest)
- case ApiKeys.RENEW_DELEGATION_TOKEN =>
maybeForwardToController(request, handleRenewTokenRequest)
- case ApiKeys.EXPIRE_DELEGATION_TOKEN =>
maybeForwardToController(request, handleExpireTokenRequest)
+ case ApiKeys.CREATE_DELEGATION_TOKEN =>
handleCreateTokenRequest(request)
+ case ApiKeys.RENEW_DELEGATION_TOKEN => handleRenewTokenRequest(request)
+ case ApiKeys.EXPIRE_DELEGATION_TOKEN =>
handleExpireTokenRequest(request)
Review Comment:
Needs a comment about why we can't forward here
##########
core/src/main/scala/kafka/server/KafkaApis.scala:
##########
@@ -2999,7 +2999,38 @@ class KafkaApis(val requestChannel: RequestChannel,
}
def handleCreateTokenRequest(request: RequestChannel.Request): Unit = {
+ val createTokenRequest = request.body[CreateDelegationTokenRequest]
+
+ val requester = request.context.principal
+ val ownerPrincipalName = createTokenRequest.data.ownerPrincipalName
+ val owner = if (ownerPrincipalName == null || ownerPrincipalName.isEmpty) {
+ request.context.principal
+ } else {
+ new KafkaPrincipal(createTokenRequest.data.ownerPrincipalType,
ownerPrincipalName)
+ }
+ val renewerList =
createTokenRequest.data.renewers.asScala.toList.map(entry =>
+ new KafkaPrincipal(entry.principalType, entry.principalName))
+
+ if (!allowTokenRequests(request)) {
+ requestHelper.sendResponseMaybeThrottle(request, requestThrottleMs =>
+
CreateDelegationTokenResponse.prepareResponse(request.context.requestVersion,
requestThrottleMs,
+ Errors.DELEGATION_TOKEN_REQUEST_NOT_ALLOWED, owner, requester))
+ } else if (!owner.equals(requester) &&
!authHelper.authorize(request.context, CREATE_TOKENS, USER, owner.toString)) {
+ requestHelper.sendResponseMaybeThrottle(request, requestThrottleMs =>
+
CreateDelegationTokenResponse.prepareResponse(request.context.requestVersion,
requestThrottleMs,
+ Errors.DELEGATION_TOKEN_AUTHORIZATION_FAILED, owner, requester))
+ } else if (renewerList.exists(principal => principal.getPrincipalType !=
KafkaPrincipal.USER_TYPE)) {
+ requestHelper.sendResponseMaybeThrottle(request, requestThrottleMs =>
+
CreateDelegationTokenResponse.prepareResponse(request.context.requestVersion,
requestThrottleMs,
+ Errors.INVALID_PRINCIPAL_TYPE, owner, requester))
+ } else {
+ maybeForwardToController(request, handleCreateTokenRequestZk)
+ }
+ }
+
+ def handleCreateTokenRequestZk(request: RequestChannel.Request): Unit = {
Review Comment:
Need to check that we are the active controller (and in the other
renew/expire methods as well)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
