d8tltanc commented on a change in pull request #9485: URL: https://github.com/apache/kafka/pull/9485#discussion_r540655651
########## File path: core/src/main/scala/kafka/security/authorizer/AuthorizerWrapper.scala ########## @@ -175,4 +181,32 @@ class AuthorizerWrapper(private[kafka] val baseAuthorizer: kafka.security.auth.A override def close(): Unit = { baseAuthorizer.close() } + + override def authorizeByResourceType(requestContext: AuthorizableRequestContext, + op: AclOperation, + resourceType: ResourceType): AuthorizationResult = { + SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType) + + if (denyAllResource(requestContext, op, resourceType)) { + AuthorizationResult.DENIED + } else if (shouldAllowEveryoneIfNoAclIsFound) { + AuthorizationResult.ALLOWED + } else { + super.authorizeByResourceType(requestContext, op, resourceType) + } + } + + private def denyAllResource(requestContext: AuthorizableRequestContext, + op: AclOperation, + resourceType: ResourceType): Boolean = { + val resourceTypeFilter = new ResourcePatternFilter( + resourceType, null, PatternType.ANY) + val principal = new KafkaPrincipal(requestContext.principal.getPrincipalType, requestContext.principal.getName) + val accessControlEntry = new AccessControlEntryFilter( + principal.toString, requestContext.clientAddress().getHostAddress, op, AclPermissionType.DENY) Review comment: Good catch. commit 8263bd319f63d39808f90129db55427b98385dd4 Since it's a bit hard to test `AllowAnyoneIfNoAclFound` and many other logics in the integration test, I added a new test class `AuthorizerWrapperTest`. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org