[GitHub] [kafka] cmccabe commented on a change in pull request #11806: KAFKA-13697; KRaft authorizer should support AclOperation.ALL

Fri, 25 Feb 2022 10:45:44 -0800 


cmccabe commented on a change in pull request #11806:
URL: https://github.com/apache/kafka/pull/11806#discussion_r815010107



##########
File path: 
metadata/src/test/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerTest.java
##########
@@ -250,14 +253,57 @@ public void testSimpleAuthorizations() throws Exception {
             withId(newBarAcl(ALTER_CONFIGS, ALLOW)));
         fooAcls.forEach(a -> authorizer.addAcl(a.id(), a.acl()));
         barAcls.forEach(a -> authorizer.addAcl(a.id(), a.acl()));
-        assertEquals(Collections.singletonList(ALLOWED),
+        assertEquals(singletonList(ALLOWED),
             authorizer.authorize(new MockAuthorizableRequestContext.Builder().
                 setPrincipal(new KafkaPrincipal(USER_TYPE, "bob")).build(),
-                    Collections.singletonList(newAction(READ, TOPIC, 
"foo_"))));
-        assertEquals(Collections.singletonList(ALLOWED),
+                    singletonList(newAction(READ, TOPIC, "foo_"))));
+        assertEquals(singletonList(ALLOWED),
             authorizer.authorize(new MockAuthorizableRequestContext.Builder().
                     setPrincipal(new KafkaPrincipal(USER_TYPE, 
"fred")).build(),
-                Collections.singletonList(newAction(ALTER_CONFIGS, GROUP, 
"bar"))));
+                singletonList(newAction(ALTER_CONFIGS, GROUP, "bar"))));
+    }
+
+    @Test
+    public void testTopicAclWithOperationAll() throws Exception {
+        StandardAuthorizer authorizer = new StandardAuthorizer();
+        authorizer.configure(Collections.emptyMap());
+        List<StandardAcl> acls = Arrays.asList(
+            new StandardAcl(TOPIC, "foo", LITERAL, "User:*", "*", ALL, ALLOW),
+            new StandardAcl(TOPIC, "bar", PREFIXED, "User:alice", "*", ALL, 
ALLOW),
+            new StandardAcl(TOPIC, "baz", LITERAL, "User:bob", "*", ALL, ALLOW)
+        );
+
+        acls.forEach(acl -> {
+            StandardAclWithId aclWithId = withId(acl);
+            authorizer.addAcl(aclWithId.id(), aclWithId.acl());
+        });
+
+        assertEquals(Arrays.asList(ALLOWED, ALLOWED, DENIED), 
authorizer.authorize(
+            newRequestContext("alice"),
+            Arrays.asList(
+                newAction(WRITE, TOPIC, "foo"),
+                newAction(DESCRIBE_CONFIGS, TOPIC, "bar"),
+                newAction(DESCRIBE, TOPIC, "baz"))));
+
+        assertEquals(Arrays.asList(ALLOWED, DENIED, DENIED), 
authorizer.authorize(
+            newRequestContext("bob"),
+            Arrays.asList(
+                newAction(WRITE, TOPIC, "foo"),
+                newAction(READ, TOPIC, "bar"),
+                newAction(DESCRIBE, TOPIC, "baz"))));

Review comment:
       wait, why does `DESCRIBE TOPIC baz` fail for bob given that we have:
   ```
               new StandardAcl(TOPIC, "baz", LITERAL, "User:bob", "*", ALL, 
ALLOW)
   ```
   ?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to