[GitHub] [kafka] d8tltanc commented on a change in pull request #9485: KAKFA-10619: Idempotent producer will get authorized once it has a WRITE access to at least one topic

Mon, 23 Nov 2020 16:47:25 -0800 


d8tltanc commented on a change in pull request #9485:
URL: https://github.com/apache/kafka/pull/9485#discussion_r529090156



##########
File path: core/src/main/scala/kafka/security/authorizer/AuthorizerWrapper.scala
##########
@@ -175,4 +179,69 @@ class AuthorizerWrapper(private[kafka] val baseAuthorizer: 
kafka.security.auth.A
   override def close(): Unit = {
     baseAuthorizer.close()
   }
+
+  override def authorizeByResourceType(requestContext: 
AuthorizableRequestContext,
+                                       op: AclOperation,
+                                       resourceType: ResourceType): 
AuthorizationResult = {
+    if (resourceType == ResourceType.ANY)
+      throw new IllegalArgumentException("Must specify a non-filter resource 
type for authorizeByResourceType")
+
+    if (resourceType == ResourceType.UNKNOWN)
+      throw new IllegalArgumentException("Unknown resource type")
+
+    if (op == AclOperation.ANY)
+      throw new IllegalArgumentException("Must specify a non-filter operation 
type for authorizeByResourceType")
+
+    if (op == AclOperation.UNKNOWN)
+      throw new IllegalArgumentException("Unknown operation type")
+
+    if (shouldAllowEveryoneIfNoAclIsFound && !denyAllResource(requestContext, 
op, resourceType)) {
+      AuthorizationResult.ALLOWED
+    } else {
+      super.authorizeByResourceType(requestContext, op, resourceType)
+    }
+  }
+
+  def denyAllResource(requestContext: AuthorizableRequestContext,
+                      op: AclOperation,
+                      resourceType: ResourceType): Boolean = {
+    val resourceTypeFilter = new ResourcePatternFilter(
+      resourceType, null, PatternType.ANY)
+    val accessControlEntry = new AccessControlEntryFilter(
+      null, null, null, AclPermissionType.DENY)
+    val aclFilter = new AclBindingFilter(resourceTypeFilter, 
accessControlEntry)
+
+    for (binding <- acls(aclFilter).asScala) {
+      if (aceMatched(requestContext, op, binding) && 
canDenyAll(binding.pattern()))
+        return true
+    }
+    false
+  }
+
+  def aceMatched(requestContext: AuthorizableRequestContext,
+                 op: AclOperation,
+                 binding: AclBinding): Boolean = {
+    (hostMatched(requestContext, binding) && principleMatched(requestContext, 
binding)

Review comment:
       Yeah. But I'd guess that the compiler will optimize for us. 
   
   commit 3906f978e62255ff266f081bf646a4b3c6b896ad 




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to