d8tltanc commented on a change in pull request #9485: URL: https://github.com/apache/kafka/pull/9485#discussion_r540418386
########## File path: core/src/main/scala/kafka/security/authorizer/AuthorizerWrapper.scala ########## 
@@ -71,15 +73,19 @@ object AuthorizerWrapper { } def convertToResource(resourcePattern: ResourcePattern): Resource = { - Resource(ResourceType.fromJava(resourcePattern.resourceType), resourcePattern.name, resourcePattern.patternType) + Resource(ResourceTypeLegacy.fromJava(resourcePattern.resourceType), resourcePattern.name, resourcePattern.patternType) } } @deprecated("Use kafka.security.authorizer.AclAuthorizer", "Since 2.5") class AuthorizerWrapper(private[kafka] val baseAuthorizer: kafka.security.auth.Authorizer) extends Authorizer { + var shouldAllowEveryoneIfNoAclIsFound = false + override def configure(configs: util.Map[String, _]): Unit = { baseAuthorizer.configure(configs) + shouldAllowEveryoneIfNoAclIsFound = configs.asScala.get( + AclAuthorizer.AllowEveryoneIfNoAclIsFoundProp).exists(_.toString.toBoolean) Review comment: Given that we probably don't want to change the deprecated Authorizer interface, I can only think of one way to achieve this: Besides checking if the `AllowEveryoneIfNoAclIsFoundProp` exists and if it equals to `true`, I added another check to authorize on a hardcoded session, operation, and resource. Since configure() will be called immediately after the authorizer instantiation, it's guaranteed that no ACLs would exist when we do this check. override def configure(configs: util.Map[String, _]): Unit = { ..baseAuthorizer.configure(configs) ....shouldAllowEveryoneIfNoAclIsFound = (configs.asScala.get( ......AclAuthorizer.AllowEveryoneIfNoAclIsFoundProp).exists(_.toString.toBoolean) ........&& baseAuthorizer.authorize( ..........new Session(KafkaPrincipal.ANONYMOUS, InetAddress.getByName("1.2.3.4")), ............Read, new Resource(Topic, "hi", PatternType.LITERAL))) } commit 2ed79a0a7788f8841475badfd1c26adf0eb3435c ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 
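Review bot: `shouldAllowEveryoneIfNoAclIsFound` is added as a public, non-volatile `var` at the top of `AuthorizerWrapper`, so any code holding the wrapper can flip a flag that, going by its name, switches authorization to allow-by-default, and the write in `configure` is not guaranteed to be visible to threads that read it later. If nothing outside the class needs to write it, declare it `@volatile private var shouldAllowEveryoneIfNoAclIsFound = false`, or `private[kafka]` to match `baseAuthorizer` if tests read it. The `false` default looks like the fail-closed choice and deserves a one-line comment saying so, for example `// remains false until configure() reads AllowEveryoneIfNoAclIsFoundProp`. Separately, `_.toString.toBoolean` throws `IllegalArgumentException` for any value other than true/false, so a malformed setting aborts `configure` after `baseAuthorizer.configure(configs)` has already run; the rest of `configure` and of the class lies outside the hunk, so how callers handle that is not visible here.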