[ https://issues.apache.org/jira/browse/KAFKA-7185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16551172#comment-16551172 ]

ASF GitHub Bot commented on KAFKA-7185:
---------------------------------------

rajinisivaram closed pull request #5400: KAFKA-7185: Allow empty resource name 
when matching ACLs
URL: https://github.com/apache/kafka/pull/5400
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala 
b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
index 55352584c26..e77656d748c 100644
--- a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
+++ b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
@@ -238,7 +238,7 @@ class SimpleAclAuthorizer extends Authorizer with Logging {
 
       val prefixed = aclCache.range(
         Resource(resourceType, resourceName, PatternType.PREFIXED),
-        Resource(resourceType, resourceName.substring(0, 1), 
PatternType.PREFIXED)
+        Resource(resourceType, resourceName.take(1), PatternType.PREFIXED)
       )
         .filterKeys(resource => resourceName.startsWith(resource.name))
         .flatMap { case (resource, versionedAcls) => versionedAcls.acls }
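Review bot: The upper bound of the `aclCache.range(...)` call now uses `resourceName.take(1)`, and nothing at that line says the change exists for empty resource names. `substring(0, 1)` throws on `""` while `take(1)` returns `""`, so the two look interchangeable to a reader and could be swapped back in a later cleanup. A one-line comment above the range call stating that `resourceName` may be empty (for example a group id) would protect the fix. It is also worth spelling out that for an empty name both bounds are the same `Resource(resourceType, "", PatternType.PREFIXED)` key, so the reader knows the prefixed lookup is expected to contribute nothing in that case. An explicit `resourceName.isEmpty` guard would make that intent clearer than relying on the behaviour of the range.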
diff --git 
a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala 
b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
index 5b65a7f2586..5461413871b 100644
--- a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
+++ b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
@@ -92,6 +92,19 @@ class SimpleAclAuthorizerTest extends ZooKeeperTestHarness {
     simpleAclAuthorizer.authorize(session, Read, Resource(Topic, "something", 
PREFIXED))
   }
 
+  @Test
+  def testAuthorizeWithEmptyResourceName(): Unit = {
+    assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Group, 
"", LITERAL)))
+    simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, 
WildCardResource, LITERAL))
+    assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Group, 
"", LITERAL)))
+  }
+
+  // Authorizing the empty resource is not supported because we create a znode 
with the resource name.
+  @Test(expected = classOf[IllegalArgumentException])
+  def testEmptyAclThrowsException(): Unit = {
+    simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, "", 
LITERAL))
+  }
+
   @Test
   def testTopicAcl() {
     val user1 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, username)
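Review bot: `testAuthorizeWithEmptyResourceName` never has a PREFIXED ACL in the cache, although the line changed in `SimpleAclAuthorizer` is the prefixed range lookup. The test checks the deny-by-default case and the `WildCardResource` LITERAL case only. Consider adding a PREFIXED ACL on `Group` (the existing tests already use `Resource(Topic, "something", PREFIXED)`) and asserting that `Resource(Group, "", LITERAL)` is still denied, so the test fails if the range bounds ever start matching a prefix for an empty name. Separately, the comment above `testEmptyAclThrowsException` says "Authorizing the empty resource is not supported", but the test before it does authorize an empty resource name; what is rejected here is `addAcls` on an empty name, and the comment should say that.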


 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> getMatchingAcls throws StringIndexOutOfBoundsException for empty resource name
> ------------------------------------------------------------------------------
>
>                 Key: KAFKA-7185
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7185
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.0.0
>            Reporter: Dhruvil Shah
>            Assignee: Dhruvil Shah
>            Priority: Blocker
>
> KIP-290 introduced a way to match ACLs based on prefix. Certain resource 
> names like that for group id can be empty strings. When an empty string is 
> passed into `getMatchingAcls`, it would throw a 
> `StringIndexOutOfBoundsException` because of the following logic:
> {noformat}
> val prefixed = aclCache.range(
>  Resource(resourceType, resourceName, PatternType.PREFIXED),
>  Resource(resourceType, resourceName.substring(0, Math.min(1, 
> resourceName.length)), PatternType.PREFIXED)
>  )
>  .filterKeys(resource => resourceName.startsWith(resource.name))
>  .flatMap { case (resource, versionedAcls) => versionedAcls.acls }
>  .toSet{noformat}
> This is a regression introduced in 2.0.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
