[ https://issues.apache.org/jira/browse/KAFKA-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523839#comment-16523839 ]

Stanislav Kozlovski commented on KAFKA-7028:
--------------------------------------------

After investigation, [~rsivaram] and I found out that apart from
{code}
if (superUsers.contains(principal)) {
{code}
the ACL checking logic
{code}
(acl.principal == principal || acl.principal == Acl.WildCardPrincipal) &&
{code}
under `SimpleAclAuthorizer#aclMatch` also calls the `equals()` method of the 
`KafkaPrincipal` class, which always returns `false` when given a subclass of 
`KafkaPrincipal`, because it checks if the classes are equal.

This currently means that no custom principals can authorize at all.

Changing the `equals()` method on the base `KafkaPrincipal` to check for 
subclasses would not work, as `subClass.equals(baseClass)` would return true 
but `baseClass.equals(subClass)` would return false.
An alternative that could work but does not sound good to me is checking 
strings.

Either way, I assume a fix would require a breaking change and therefore a KIP.
[~ijuma], what do you think?

> super.users doesn't work with custom principals
> -----------------------------------------------
>
>                 Key: KAFKA-7028
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7028
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ismael Juma
>            Assignee: Stanislav Kozlovski
>            Priority: Major
>             Fix For: 2.1.0
>
>
> SimpleAclAuthorizer creates a KafkaPrincipal for the users defined in the 
> super.users broker config. However, it should use the configured 
> KafkaPrincipalBuilder so that it works with a custom defined one.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
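
The mismatch described in the comment above, as an added example that is not part of the original message or of Kafka's code. `BasePrincipal` and `CustomPrincipal` are hypothetical stand-ins for `KafkaPrincipal` and a custom subclass, `subclassAwareEquals` is one assumed form of a subclass check, and the principal values are constructed.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;

public class PrincipalEqualsDemo {
    // Stand-in for the base principal class: equals() requires identical runtime classes.
    static class BasePrincipal {
        final String type, name;
        BasePrincipal(String type, String name) { this.type = type; this.name = name; }
        boolean sameFields(BasePrincipal p) { return type.equals(p.type) && name.equals(p.name); }
        @Override public boolean equals(Object o) {
            return o != null && getClass() == o.getClass() && sameFields((BasePrincipal) o);
        }
        @Override public int hashCode() { return Objects.hash(type, name); }
        @Override public String toString() { return type + ":" + name; }
    }

    // Hypothetical principal type, as a custom principal builder might return.
    static class CustomPrincipal extends BasePrincipal {
        CustomPrincipal(String type, String name) { super(type, name); }
    }

    // Assumed subclass-aware equals(): accepts o when self is an instance of o's class.
    static boolean subclassAwareEquals(BasePrincipal self, Object o) {
        return o instanceof BasePrincipal
            && o.getClass().isAssignableFrom(self.getClass())
            && self.sameFields((BasePrincipal) o);
    }

    public static void main(String[] args) {
        // Principal built from configuration (base class) vs. principal on the session (subclass).
        BasePrincipal configured = new BasePrincipal("User", "admin");
        BasePrincipal session = new CustomPrincipal("User", "admin");
        Set<BasePrincipal> superUsers = new HashSet<>(Collections.singleton(configured));

        // Same hash code, but equals() rejects the subclass: both checks fail closed.
        System.out.println("super user check:   " + superUsers.contains(session));
        System.out.println("ACL principal match: " + configured.equals(session));

        // The string comparison mentioned as an alternative ignores the class.
        System.out.println("string comparison:   "
            + configured.toString().equals(session.toString()));

        // The subclass-aware variant is asymmetric, which breaks the equals() contract.
        System.out.println("sub.equals(base):    " + subclassAwareEquals(session, configured));
        System.out.println("base.equals(sub):    " + subclassAwareEquals(configured, session));
    }
}
```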
