[ https://issues.apache.org/jira/browse/KAFKA-7028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16523839#comment-16523839 ]
Stanislav Kozlovski commented on KAFKA-7028:
--------------------------------------------

After investigation, [~rsivaram] and I found out that apart from
{code}
if (superUsers.contains(principal)) {
{code}
the ACL checking logic
{code}
(acl.principal == principal || acl.principal == Acl.WildCardPrincipal) &&
{code}
under `SimpleAclAuthorizer#aclMatch` also calls the `equals()` method of the `KafkaPrincipal` class, which always returns `false` when given a subclass of `KafkaPrincipal`, because it checks if the classes are equal. This currently means that no custom principals can authorize at all.

Changing the `equals()` method on the base `KafkaPrincipal` to check for subclasses would not work, as `subClass.equals(baseClass)` would return true but `baseClass.equals(subClass)` would return false.
An alternative that could work but does not sound good to me is checking strings.

Either way, I assume a fix would require a breaking change and therefore a KIP. [~ijuma], what do you think?

> super.users doesn't work with custom principals
> -----------------------------------------------
>
>                 Key: KAFKA-7028
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7028
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ismael Juma
>            Assignee: Stanislav Kozlovski
>            Priority: Major
>             Fix For: 2.1.0
>
>
> SimpleAclAuthorizer creates a KafkaPrincipal for the users defined in the
> super.users broker config. However, it should use the configured
> KafkaPrincipalBuilder so that it works with a custom defined one.
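The `equals()` behaviour described in the comment above, as an added example that is not part of the original message and is not Kafka's code: `BasePrincipal` is a stand-in for `KafkaPrincipal`, and `CustomPrincipal`, `LenientPrincipal` and `sameIdentity` are hypothetical names. It shows the super-user lookup failing for a subclass instance, the asymmetry that appears when only one side of the hierarchy relaxes the class check, and the string-comparison alternative.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Objects;
import java.util.Set;
public class PrincipalEqualsDemo {
    // Stand-in for KafkaPrincipal (not Kafka's code): equals() demands the exact same class.
    static class BasePrincipal {
        final String type, name;
        BasePrincipal(String type, String name) { this.type = type; this.name = name; }
        @Override public boolean equals(Object o) {
            if (this == o) return true;
            if (o == null || getClass() != o.getClass()) return false;
            BasePrincipal p = (BasePrincipal) o;
            return type.equals(p.type) && name.equals(p.name);
        }
        @Override public int hashCode() { return Objects.hash(type, name); }
    }

    // Hypothetical principal that a custom principal builder could return.
    static class CustomPrincipal extends BasePrincipal {
        final String tenant;
        CustomPrincipal(String type, String name, String tenant) { super(type, name); this.tenant = tenant; }
    }

    // Hypothetical subclass that relaxes the class check on its own side only.
    static class LenientPrincipal extends BasePrincipal {
        LenientPrincipal(String type, String name) { super(type, name); }
        @Override public boolean equals(Object o) {
            if (!(o instanceof BasePrincipal)) return false;
            BasePrincipal p = (BasePrincipal) o;
            return type.equals(p.type) && name.equals(p.name);
        }
    }
    // The "checking strings" alternative: compare type and name, ignore the class.
    static boolean sameIdentity(BasePrincipal a, BasePrincipal b) {
        return a.type.equals(b.type) && a.name.equals(b.name);
    }

    public static void main(String[] args) {
        BasePrincipal configured = new BasePrincipal("User", "admin"); // constructed sample value
        Set<BasePrincipal> superUsers = new HashSet<>(Collections.singleton(configured));
        BasePrincipal session = new CustomPrincipal("User", "admin", "tenant-a");
        BasePrincipal lenient = new LenientPrincipal("User", "admin");
        System.out.println("superUsers.contains(custom) = " + superUsers.contains(session));
        System.out.println("lenient.equals(configured)  = " + lenient.equals(configured));
        System.out.println("configured.equals(lenient)  = " + configured.equals(lenient));
        System.out.println("sameIdentity(configured, custom) = " + sameIdentity(configured, session));
    }
}
```

The failure is fail-closed: a custom principal is denied rather than over-granted, so it shows up as authorization denials for users who are listed in `super.users` or in ACLs.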