d8tltanc commented on a change in pull request #9485:
URL: https://github.com/apache/kafka/pull/9485#discussion_r540655651
##########
File path: core/src/main/scala/kafka/security/authorizer/AuthorizerWrapper.scala
##########
@@ -175,4 +181,32 @@ class AuthorizerWrapper(private[kafka] val baseAuthorizer:
kafka.security.auth.A
override def close(): Unit = {
baseAuthorizer.close()
}
+
+ override def authorizeByResourceType(requestContext:
AuthorizableRequestContext,
+ op: AclOperation,
+ resourceType: ResourceType):
AuthorizationResult = {
+ SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType)
+
+ if (denyAllResource(requestContext, op, resourceType)) {
+ AuthorizationResult.DENIED
+ } else if (shouldAllowEveryoneIfNoAclIsFound) {
+ AuthorizationResult.ALLOWED
+ } else {
+ super.authorizeByResourceType(requestContext, op, resourceType)
+ }
+ }
+
+ private def denyAllResource(requestContext: AuthorizableRequestContext,
+ op: AclOperation,
+ resourceType: ResourceType): Boolean = {
+ val resourceTypeFilter = new ResourcePatternFilter(
+ resourceType, null, PatternType.ANY)
+ val principal = new
KafkaPrincipal(requestContext.principal.getPrincipalType,
requestContext.principal.getName)
+ val accessControlEntry = new AccessControlEntryFilter(
+ principal.toString, requestContext.clientAddress().getHostAddress, op,
AclPermissionType.DENY)
Review comment:
Good catch. commit 8263bd319f63d39808f90129db55427b98385dd4
Since it's a bit hard to test `AllowAnyoneIfNoAclFound` and many other
logics in the integration test, I added a new test class
`AuthorizerWrapperTest`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
