d8tltanc commented on a change in pull request #9485: URL: https://github.com/apache/kafka/pull/9485#discussion_r545584783
########## File path: core/src/main/scala/kafka/security/authorizer/AclAuthorizer.scala ########## 
@@ -304,6 +309,137 @@ class AclAuthorizer extends Authorizer with Logging {
 if (zkClient != null) zkClient.close()
 }
+ override def authorizeByResourceType(requestContext: AuthorizableRequestContext,
+ op: AclOperation,
+ resourceType: ResourceType): AuthorizationResult = {
+ SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType)
+
+ val principal = new KafkaPrincipal(
+ requestContext.principal().getPrincipalType,
+ requestContext.principal().getName)
+
+ if (isSuperUser(principal))
+ return AuthorizationResult.ALLOWED
+
+ val principalStr = principal.toString
+
+ val host = requestContext.clientAddress().getHostAddress
+ val action = new Action(op, new ResourcePattern(resourceType, "NONE", PatternType.UNKNOWN), 0, true, true)
+
+ val denyLiterals = matchingResources(
+ principalStr, host, op, AclPermissionType.DENY, resourceType, PatternType.LITERAL)
+
+ if (denyAll(denyLiterals)) {
+ logAuditMessage(requestContext, action, authorized = false)
+ return AuthorizationResult.DENIED
+ }
+
+ if (shouldAllowEveryoneIfNoAclIsFound) {
+ logAuditMessage(requestContext, action, authorized = true)
+ return AuthorizationResult.ALLOWED
+ }
+
+ val denyPrefixes = matchingResources(
+ principalStr, host, op, AclPermissionType.DENY, resourceType, PatternType.PREFIXED)
+
+ if (denyLiterals.isEmpty && denyPrefixes.isEmpty) {
+ if (hasMatchingResources(principalStr, host, op, AclPermissionType.ALLOW, resourceType, PatternType.PREFIXED)
+ || hasMatchingResources(principalStr, host, op, AclPermissionType.ALLOW, resourceType, PatternType.LITERAL)) {
+ logAuditMessage(requestContext, action, authorized = true)
+ return AuthorizationResult.ALLOWED
+ } else {
+ logAuditMessage(requestContext, action, authorized = false)
+ return AuthorizationResult.DENIED
+ }
+ }
+
+ val allowLiterals = matchingResources(
+ principalStr, host, op, AclPermissionType.ALLOW, resourceType, PatternType.LITERAL)
+ val allowPrefixes = matchingResources(
+ principalStr, host, op, AclPermissionType.ALLOW, resourceType, PatternType.PREFIXED)
+
+ if (allowAny(allowLiterals, allowPrefixes, denyLiterals, denyPrefixes)) {
+ logAuditMessage(requestContext, action, authorized = true)
+ return AuthorizationResult.ALLOWED
+ }
+
+ logAuditMessage(requestContext, action, authorized = false)
+ AuthorizationResult.DENIED
+ }
+
+ def matchingResources(principal: String, host: String, op: AclOperation, permission: AclPermissionType,
+ resourceType: ResourceType, patternType: PatternType): List[immutable.HashSet[String]] = {
+ var matched = List[immutable.HashSet[String]]()
+ for (p <- Set(principal, AclEntry.WildcardPrincipalString)) {
+ for (h <- Set(host, AclEntry.WildcardHost)) {
+ for (o <- Set(op, AclOperation.ALL)) {
+ val resourceIndex = new ResourceTypeKey(
+ new AccessControlEntry(p, h, o, permission), resourceType, patternType)
+ resourceCache.get(resourceIndex) match {
Review comment: commit b6a766b
########## File path: core/src/test/scala/unit/kafka/security/authorizer/AuthorizerInterfaceDefaultTest.scala ##########
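Review bot: The super-user short-circuit at the top of `authorizeByResourceType` returns `AuthorizationResult.ALLOWED` without calling `logAuditMessage`, while every other outcome in the method (deny-all, allow-everyone, the no-deny branch, the final allow/deny) is audit-logged, so resource-type decisions for super users leave no trace in the authorizer log. Building `action` before the check and logging there closes the gap: move `val action = new Action(op, new ResourcePattern(resourceType, "NONE", PatternType.UNKNOWN), 0, true, true)` above the super-user test and change the branch to `if (isSuperUser(principal)) { logAuditMessage(requestContext, action, authorized = true); return AuthorizationResult.ALLOWED }`. Since that synthetic pattern is what ends up in audit entries, a one-line comment such as `// resource-type level check: no concrete resource, so audit entries carry the "NONE"/UNKNOWN placeholder` would help whoever reads the log. `matchingResources` is also declared public, exposing the cache's matching sets as part of `AclAuthorizer`'s API; if it is only an implementation detail, `private def matchingResources(...)` (or `private[authorizer]` if tests need it) keeps the surface small. `matchingResources` continues beyond the quoted hunk, and `denyAll`, `allowAny` and `hasMatchingResources` are not in it.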
@@ -0,0 +1,99 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package kafka.security.authorizer
+
+import java.util.concurrent.CompletionStage
+import java.{lang, util}
+
+import kafka.server.KafkaConfig
+import kafka.utils.TestUtils
+import kafka.zk.ZooKeeperTestHarness
+import kafka.zookeeper.ZooKeeperClient
+import org.apache.kafka.common.Endpoint
+import org.apache.kafka.common.acl._
+import org.apache.kafka.common.utils.Time
+import org.apache.kafka.server.authorizer._
+import org.junit.{After, Before}
+
+class AuthorizerInterfaceDefaultTest extends ZooKeeperTestHarness with BaseAuthorizerTest {
+
+ private val interfaceDefaultAuthorizer = new DelegateAuthorizer
+
+ override def authorizer: Authorizer = interfaceDefaultAuthorizer
+
+ @Before
+ override def setUp(): Unit = {
+ super.setUp()
+
+ val authorizers = Seq(interfaceDefaultAuthorizer.authorizer)
+
+ // Increase maxUpdateRetries to avoid transient failures
+ authorizers.foreach(a => a.maxUpdateRetries = Int.MaxValue)
+
+ val props = TestUtils.createBrokerConfig(0, zkConnect)
+ props.put(AclAuthorizer.SuperUsersProp, superUsers)
+
+ config = KafkaConfig.fromProps(props)
+ authorizers.foreach(a => a.configure(config.originals))
+
+ zooKeeperClient = new ZooKeeperClient(zkConnect, zkSessionTimeout, zkConnectionTimeout, zkMaxInFlightRequests,
+ Time.SYSTEM, "kafka.test", "AuthorizerInterfaceDefaultTest")
+ }
+
+ @After
+ override def tearDown(): Unit = {
+ val authorizers = Seq(interfaceDefaultAuthorizer)
+ authorizers.foreach(a => {
+ a.close()
+ })
Review comment: Yes. commit b6a766b
########## File path: core/src/test/scala/unit/kafka/security/authorizer/AclAuthorizerTest.scala ##########
@@ -988,6 +980,30 @@ class AclAuthorizerTest extends ZooKeeperTestHarness {
 }
 }
+ @Test
+ def testAuthorizeByResourceTypeNoAclFoundOverride(): Unit = {
+ testAuthorizeByResourceTypeNoAclFoundOverride(aclAuthorizer)
+ }
+
+ private def testAuthorizeByResourceTypeNoAclFoundOverride(authorizer: Authorizer): Unit = {
Review comment: Yes. commit b6a766b
----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
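Review bot: `tearDown` wraps the single delegate in a `Seq` and closes it through a block lambda, where `interfaceDefaultAuthorizer.close()` says the same thing in one line; the one-element `Seq(interfaceDefaultAuthorizer.authorizer)` in `setUp` could likewise be used directly. The class has no doc comment; from its name and the `DelegateAuthorizer` member it presumably exercises the `Authorizer` interface's default `authorizeByResourceType` through a thin delegate, and a scaladoc saying so (and why a delegate is needed instead of `AclAuthorizer` directly) would save readers a trip to `DelegateAuthorizer`. The `CompletionStage`, `lang`/`util`, `Endpoint` and `acl._` imports are unused in the quoted part; if `DelegateAuthorizer` is defined later in this file they are likely for it, otherwise they are dead. `tearDown` continues past the end of the quoted hunk, so whether `zooKeeperClient` is closed and `super.tearDown()` is called cannot be checked here.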
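Review bot: The private helper at the end of the quoted hunk reuses the exact name of the `@Test` method it serves, `testAuthorizeByResourceTypeNoAclFoundOverride`, differing only in arity; JUnit 4 will still pick the public no-arg one, but the overload makes stack traces and navigation ambiguous and suggests the helper is itself a test. A distinct name such as `private def checkAuthorizeByResourceTypeNoAclFoundOverride(authorizer: Authorizer): Unit = {` (with the one call site updated) avoids that. The helper's body lies outside the quoted hunk, so what it asserts cannot be checked here.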