d8tltanc commented on a change in pull request #9485: URL: https://github.com/apache/kafka/pull/9485#discussion_r529008307
########## File path: clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java ########## @@ -139,4 +150,129 @@ * @return Iterator for ACL bindings, which may be populated lazily. */ Iterable<AclBinding> acls(AclBindingFilter filter); + + /** + * Check if the caller is authorized to perform the given ACL operation on at least one + * resource of the given type. + * + * @param requestContext Request context including request resourceType, security protocol, and listener name + * @param op The ACL operation to check + * @param resourceType The resource type to check + * @return Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the + * given ACL operation on at least one resource of the given type. + * Return {@link AuthorizationResult#DENIED} otherwise. + */ + default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { + if (resourceType == ResourceType.ANY) { + throw new IllegalArgumentException( + "Must specify a non-filter resource type for authorizeByResourceType"); + } + + if (resourceType == ResourceType.UNKNOWN) { + throw new IllegalArgumentException( + "Unknown resource type"); + } + + if (op == AclOperation.ANY) { + throw new IllegalArgumentException( + "Must specify a non-filter operation type for authorizeByResourceType"); + } + + if (op == AclOperation.UNKNOWN) { + throw new IllegalArgumentException( + "Unknown operation type"); + } + + ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter( + resourceType, null, PatternType.ANY); + AclBindingFilter aclFilter = new AclBindingFilter( + resourceTypeFilter, AccessControlEntryFilter.ANY); + + Set<String> denyLiterals = new HashSet<>(); + Set<String> denyPrefixes = new HashSet<>(); + Set<String> allowLiterals = new HashSet<>(); + Set<String> allowPrefixes = new HashSet<>(); + boolean hasWildCardAllow = false; + + for (AclBinding binding : acls(aclFilter)) { + if (!binding.entry().host().equals(requestContext.clientAddress().getHostAddress()) + && !binding.entry().host().equals("*")) + continue; + + if (!binding.entry().principal().equals(requestContext.principal().toString()) Review comment: Yeah, that's right. Construct a KafkaPrinciple instance with params referred from principal.getType() and getName() ########## File path: clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java ########## @@ -139,4 +150,129 @@ * @return Iterator for ACL bindings, which may be populated lazily. */ Iterable<AclBinding> acls(AclBindingFilter filter); + + /** + * Check if the caller is authorized to perform the given ACL operation on at least one + * resource of the given type. + * + * @param requestContext Request context including request resourceType, security protocol, and listener name + * @param op The ACL operation to check + * @param resourceType The resource type to check + * @return Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the + * given ACL operation on at least one resource of the given type. + * Return {@link AuthorizationResult#DENIED} otherwise. + */ + default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { + if (resourceType == ResourceType.ANY) { + throw new IllegalArgumentException( + "Must specify a non-filter resource type for authorizeByResourceType"); + } + + if (resourceType == ResourceType.UNKNOWN) { + throw new IllegalArgumentException( + "Unknown resource type"); + } + + if (op == AclOperation.ANY) { + throw new IllegalArgumentException( + "Must specify a non-filter operation type for authorizeByResourceType"); + } + + if (op == AclOperation.UNKNOWN) { + throw new IllegalArgumentException( + "Unknown operation type"); + } + + ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter( + resourceType, null, PatternType.ANY); + AclBindingFilter aclFilter = new AclBindingFilter( + resourceTypeFilter, AccessControlEntryFilter.ANY); + + Set<String> denyLiterals = new HashSet<>(); + Set<String> denyPrefixes = new HashSet<>(); + Set<String> allowLiterals = new HashSet<>(); + Set<String> allowPrefixes = new HashSet<>(); + boolean hasWildCardAllow = false; + + for (AclBinding binding : acls(aclFilter)) { + if (!binding.entry().host().equals(requestContext.clientAddress().getHostAddress()) + && !binding.entry().host().equals("*")) + continue; + + if (!binding.entry().principal().equals(requestContext.principal().toString()) Review comment: Yeah, that's right. Construct a KafkaPrinciple instance with params referred from principal.getType() and getName() commit 89df4d7600cad4e3785d0d95624d0918efce1f44 ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org