[GitHub] [kafka] d8tltanc commented on a change in pull request #9485: KAKFA-10619: Idempotent producer will get authorized once it has a WRITE access to at least one topic

Mon, 23 Nov 2020 14:16:29 -0800 


d8tltanc commented on a change in pull request #9485:
URL: https://github.com/apache/kafka/pull/9485#discussion_r529031043



##########
File path: 
clients/src/main/java/org/apache/kafka/server/authorizer/Authorizer.java
##########
@@ -139,4 +150,129 @@
      * @return Iterator for ACL bindings, which may be populated lazily.
      */
     Iterable<AclBinding> acls(AclBindingFilter filter);
+
+    /**
+     * Check if the caller is authorized to perform the given ACL operation on 
at least one
+     * resource of the given type.
+     *
+     * @param requestContext Request context including request resourceType, 
security protocol, and listener name
+     * @param op             The ACL operation to check
+     * @param resourceType   The resource type to check
+     * @return               Return {@link AuthorizationResult#ALLOWED} if the 
caller is authorized to perform the
+     *                       given ACL operation on at least one resource of 
the given type.
+     *                       Return {@link AuthorizationResult#DENIED} 
otherwise.
+     */
+    default AuthorizationResult 
authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation 
op, ResourceType resourceType) {
+        if (resourceType == ResourceType.ANY) {
+            throw new IllegalArgumentException(
+                "Must specify a non-filter resource type for 
authorizeByResourceType");
+        }
+
+        if (resourceType == ResourceType.UNKNOWN) {
+            throw new IllegalArgumentException(
+                "Unknown resource type");
+        }
+
+        if (op == AclOperation.ANY) {
+            throw new IllegalArgumentException(
+                "Must specify a non-filter operation type for 
authorizeByResourceType");
+        }
+
+        if (op == AclOperation.UNKNOWN) {
+            throw new IllegalArgumentException(
+                "Unknown operation type");
+        }
+
+        ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter(
+            resourceType, null, PatternType.ANY);
+        AclBindingFilter aclFilter = new AclBindingFilter(
+            resourceTypeFilter, AccessControlEntryFilter.ANY);
+
+        Set<String> denyLiterals = new HashSet<>();
+        Set<String> denyPrefixes = new HashSet<>();
+        Set<String> allowLiterals = new HashSet<>();
+        Set<String> allowPrefixes = new HashSet<>();
+        boolean hasWildCardAllow = false;
+
+        for (AclBinding binding : acls(aclFilter)) {
+            if 
(!binding.entry().host().equals(requestContext.clientAddress().getHostAddress())
+                    && !binding.entry().host().equals("*"))
+                continue;
+
+            if 
(!binding.entry().principal().equals(requestContext.principal().toString())
+                    && !binding.entry().principal().equals("User:*"))
+                continue;
+
+            if (binding.entry().operation() != op
+                    && binding.entry().operation() != AclOperation.ALL)
+                continue;
+
+            if (binding.entry().permissionType() == AclPermissionType.DENY) {
+                switch (binding.pattern().patternType()) {
+                    case LITERAL:
+                        if 
(binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE))
+                            return AuthorizationResult.DENIED;
+                            denyLiterals.add(binding.pattern().name());
+                        break;
+                    case PREFIXED:
+                        denyPrefixes.add(binding.pattern().name());
+                        break;
+                }
+                continue;
+            }
+
+            if (binding.entry().permissionType() != AclPermissionType.ALLOW)
+                continue;
+
+            switch (binding.pattern().patternType()) {
+                case LITERAL:
+                    if 
(binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) {
+                        hasWildCardAllow = true;
+                        continue;
+                    }
+                    allowLiterals.add(binding.pattern().name());
+                    break;
+                case PREFIXED:
+                    allowPrefixes.add(binding.pattern().name());
+                    break;
+            }
+        }
+
+        if (hasWildCardAllow) {
+            return AuthorizationResult.ALLOWED;
+        }
+
+        for (String allowPrefix : allowPrefixes) {
+            StringBuilder sb = new StringBuilder();
+            boolean hasDominatedDeny = false;
+            for (char ch : allowPrefix.toCharArray()) {
+                sb.append(ch);
+                if (denyPrefixes.contains(sb.toString())) {
+                    hasDominatedDeny = true;
+                    break;
+                }
+            }
+            if (!hasDominatedDeny)
+                return AuthorizationResult.ALLOWED;
+        }
+
+        for (String allowLiteral : allowLiterals) {
+            if (denyLiterals.contains(allowLiteral))
+                continue;
+            StringBuilder sb = new StringBuilder();
+            boolean hasDominatedDeny = false;
+            for (char ch : allowLiteral.toCharArray()) {

Review comment:
       Yes. Using an ArrayList to group allow-literals & allow-prefixes in 
order to deduplicate the logic using a loop
   commit 188536ad8df13fc327008e59c9787ad2230a7186




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to