jolshan commented on a change in pull request #9769:
URL: https://github.com/apache/kafka/pull/9769#discussion_r611214209



##########
File path: core/src/main/scala/kafka/server/KafkaApis.scala
##########
@@ -1165,16 +1189,23 @@ class KafkaApis(val requestChannel: RequestChannel,
     }
 
     val unauthorizedForCreateTopicMetadata = 
unauthorizedForCreateTopics.map(topic =>
-      metadataResponseTopic(Errors.TOPIC_AUTHORIZATION_FAILED, topic, 
isInternal(topic), util.Collections.emptyList()))
+      // Set topicId to zero since we will never create topic which topicId
+      metadataResponseTopic(Errors.TOPIC_AUTHORIZATION_FAILED, topic, 
Uuid.ZERO_UUID, isInternal(topic), util.Collections.emptyList()))
 
     // do not disclose the existence of topics unauthorized for Describe, so 
we've not even checked if they exist or not
     val unauthorizedForDescribeTopicMetadata =
       // In case of all topics, don't include topics unauthorized for Describe
       if ((requestVersion == 0 && (metadataRequest.topics == null || 
metadataRequest.topics.isEmpty)) || metadataRequest.isAllTopics)
         Set.empty[MetadataResponseTopic]
-      else
+      else if (useTopicId) {
+        // We should not return information about existence of a topic on 
unauthorized error, so we return an UNKNOWN_TOPIC_ID
+        unauthorizedForDescribeTopics.map(topic =>
+          metadataResponseTopic(Errors.UNKNOWN_TOPIC_ID, null, 
metadataCache.getTopicId(topic), false, util.Collections.emptyList()))
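
Review bot: In the `useTopicId` branch, the topic ID placed in the response is looked up by name via `metadataCache.getTopicId(topic)` and returned together with `UNKNOWN_TOPIC_ID`. The comment above it says the response must not reveal whether the topic exists. That holds only if the returned ID is always byte-for-byte the ID the client sent. If the cache lookup can ever yield a different value than the requested one, a caller without Describe permission could tell an existing topic from a nonexistent one by comparing the two. Consider carrying the requested ID through to the response instead of re-resolving it from the cache, and add a test asserting that the entry for an unauthorized existing topic is identical to the entry for an ID that does not exist. Separately, the new comment on the `TOPIC_AUTHORIZATION_FAILED` line ("we will never create topic which topicId") reads as an incomplete sentence. Please reword it so it states why `Uuid.ZERO_UUID` is correct there.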

Review comment:
       In the time since we last looked at this, we decided that it is ok to 
acknowledge existence of the topic ID and return TOPIC_AUTHORIZATION_FAILED. 
This is so the user knows it is not a retriable error. Please see 
https://issues.apache.org/jira/browse/KAFKA-12394 for more details. 



