[jira] [Comment Edited] (KAFKA-18440) Admin does not convert the AuthorizationException to fatal error in using bootstrap controllers

[Divij Vaidya (Jira)]

    [ 
https://issues.apache.org/jira/browse/KAFKA-18440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17912843#comment-17912843
 ] 

Divij Vaidya edited comment on KAFKA-18440 at 1/14/25 11:45 AM:
----------------------------------------------------------------

I was weighing the decision of backporting this to 3.9/3.8.

On one hand, this will change the user facing exception and hence, potentially 
break existing exception handling login in user's code . On the other hand, it 
does fix a genuine bug and throws the right exception.

We usually side with caution when we release patches and tend to only fix 
regressions (and security/durability problems). I am leaning towards *not* 
including this in 3.8/3.9. Without this fix, the user will still get the 
failure (after timeout has elapsed), it's just that they will not fail fast.

[~chia7712] [~dajac] thoughts? 


was (Author: divijvaidya):
I was weighing the decision of backporting this to 3.9/3.8. 

On one hand, this will change the user facing exception and hence, potentially 
break existing exception handling login in user's code . On the other hand, it 
does fix a genuine bug and throws the right exception.

We usually side with caution when we release patches and I am leaning towards 
*not* including this in 3.8/3.9. Without this fix, the user will still get the 
failure (after timeout has elapsed), it's just that they will not fail fast.

[~chia7712] [~dajac] thoughts? 

> Admin does not convert the AuthorizationException to fatal error in using 
> bootstrap controllers
> -----------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-18440
>                 URL: https://issues.apache.org/jira/browse/KAFKA-18440
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Chia-Ping Tsai
>            Assignee: PoAn Yang
>            Priority: Blocker
>             Fix For: 4.1.0, 3.9.1, 3.8.2
>
>
> Admin use DescribeClusterRequest to build metadata when using bootstrap 
> controllers, and controller APIs may return ClusterAuthorizationException 
> when users have no "ALTER" permission (see 
> https://github.com/apache/kafka/pull/14306#discussion_r1312367762). 
> However, admin does not convert the authorized exception to fatal exception 
> (https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/clients/admin/internals/AdminMetadataManager.java#L276),
>  so it keeps sending the request to controller until timeout.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)