[ https://issues.apache.org/jira/browse/KAFKA-7185?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16551172#comment-16551172 ]
ASF GitHub Bot commented on KAFKA-7185: --------------------------------------- rajinisivaram closed pull request #5400: KAFKA-7185: Allow empty resource name when matching ACLs URL: https://github.com/apache/kafka/pull/5400 This is a PR merged from a forked repository. As GitHub hides the original diff on merge, it is displayed below for the sake of provenance: As this is a foreign pull request (from a fork), the diff is supplied below (as it won't show otherwise due to GitHub magic): diff --git a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala index 55352584c26..e77656d748c 100644 --- a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala +++ b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala @@ -238,7 +238,7 @@ class SimpleAclAuthorizer extends Authorizer with Logging { val prefixed = aclCache.range( Resource(resourceType, resourceName, PatternType.PREFIXED), - Resource(resourceType, resourceName.substring(0, 1), PatternType.PREFIXED) + Resource(resourceType, resourceName.take(1), PatternType.PREFIXED) ) .filterKeys(resource => resourceName.startsWith(resource.name)) .flatMap { case (resource, versionedAcls) => versionedAcls.acls } diff --git a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala index 5b65a7f2586..5461413871b 100644 --- a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala +++ b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala @@ -92,6 +92,19 @@ class SimpleAclAuthorizerTest extends ZooKeeperTestHarness { simpleAclAuthorizer.authorize(session, Read, Resource(Topic, "something", PREFIXED)) } + @Test + def testAuthorizeWithEmptyResourceName(): Unit = { + assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Group, "", LITERAL))) + simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, WildCardResource, LITERAL)) + assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Group, "", LITERAL))) + } + + // Authorizing the empty resource is not supported because we create a znode with the resource name. + @Test(expected = classOf[IllegalArgumentException]) + def testEmptyAclThrowsException(): Unit = { + simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, "", LITERAL)) + } + @Test def testTopicAcl() { val user1 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, username) ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org > getMatchingAcls throws StringIndexOutOfBoundsException for empty resource name > ------------------------------------------------------------------------------ > > Key: KAFKA-7185 > URL: https://issues.apache.org/jira/browse/KAFKA-7185 > Project: Kafka > Issue Type: Bug > Affects Versions: 2.0.0 > Reporter: Dhruvil Shah > Assignee: Dhruvil Shah > Priority: Blocker > > KIP-290 introduced a way to match ACLs based on prefix. Certain resource > names like that for group id can be empty strings. When an empty string is > passed into `getMatchingAcls`, it would throw a > `StringIndexOutOfBoundsException` because of the following logic: > {noformat} > val prefixed = aclCache.range( > Resource(resourceType, resourceName, PatternType.PREFIXED), > Resource(resourceType, resourceName.substring(0, Math.min(1, > resourceName.length)), PatternType.PREFIXED) > ) > .filterKeys(resource => resourceName.startsWith(resource.name)) > .flatMap { case (resource, versionedAcls) => versionedAcls.acls } > .toSet{noformat} > This is a regression introduced in 2.0. -- This message was sent by Atlassian JIRA (v7.6.3#76005)