[jira] [Assigned] (KAFKA-15117) SslTransportLayerTest.testValidEndpointIdentificationCN fails with Java 20
[ https://issues.apache.org/jira/browse/KAFKA-15117?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan reassigned KAFKA-15117:
-----------------------------------------

    Assignee: Purshotam Chauhan

> SslTransportLayerTest.testValidEndpointIdentificationCN fails with Java 20
> --------------------------------------------------------------------------
>
>                 Key: KAFKA-15117
>                 URL: https://issues.apache.org/jira/browse/KAFKA-15117
>             Project: Kafka
>          Issue Type: Bug
>            Reporter: Ismael Juma
>            Assignee: Purshotam Chauhan
>            Priority: Major
>
> All variations fail as seen below. These tests have been disabled when run with Java 20 for now.
>
> {code:java}
> Gradle Test Run :clients:test > Gradle Test Executor 12 > SslTransportLayerTest > testValidEndpointIdentificationCN(Args) > [1] tlsProtocol=TLSv1.2, useInlinePem=false FAILED
>     org.opentest4j.AssertionFailedError: Channel 0 was not ready after 30 seconds ==> expected: <true> but was: <false>
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
>         at app//org.junit.jupiter.api.AssertTrue.failNotTrue(AssertTrue.java:63)
>         at app//org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:36)
>         at app//org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:211)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.waitForChannelReady(NetworkTestUtils.java:107)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.checkClientConnection(NetworkTestUtils.java:70)
>         at app//org.apache.kafka.common.network.SslTransportLayerTest.verifySslConfigs(SslTransportLayerTest.java:1296)
>         at app//org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(SslTransportLayerTest.java:202)
>
> org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(Args)[2] failed, log available in /home/ijuma/src/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(Args)[2].test.stdout
>
> Gradle Test Run :clients:test > Gradle Test Executor 12 > SslTransportLayerTest > testValidEndpointIdentificationCN(Args) > [2] tlsProtocol=TLSv1.2, useInlinePem=true FAILED
>     org.opentest4j.AssertionFailedError: Channel 0 was not ready after 30 seconds ==> expected: <true> but was: <false>
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
>         at app//org.junit.jupiter.api.AssertTrue.failNotTrue(AssertTrue.java:63)
>         at app//org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:36)
>         at app//org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:211)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.waitForChannelReady(NetworkTestUtils.java:107)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.checkClientConnection(NetworkTestUtils.java:70)
>         at app//org.apache.kafka.common.network.SslTransportLayerTest.verifySslConfigs(SslTransportLayerTest.java:1296)
>         at app//org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(SslTransportLayerTest.java:202)
>
> org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(Args)[3] failed, log available in /home/ijuma/src/kafka/clients/build/reports/testOutput/org.apache.kafka.common.network.SslTransportLayerTest.testValidEndpointIdentificationCN(Args)[3].test.stdout
>
> Gradle Test Run :clients:test > Gradle Test Executor 12 > SslTransportLayerTest > testValidEndpointIdentificationCN(Args) > [3] tlsProtocol=TLSv1.3, useInlinePem=false FAILED
>     org.opentest4j.AssertionFailedError: Channel 0 was not ready after 30 seconds ==> expected: <true> but was: <false>
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.build(AssertionFailureBuilder.java:151)
>         at app//org.junit.jupiter.api.AssertionFailureBuilder.buildAndThrow(AssertionFailureBuilder.java:132)
>         at app//org.junit.jupiter.api.AssertTrue.failNotTrue(AssertTrue.java:63)
>         at app//org.junit.jupiter.api.AssertTrue.assertTrue(AssertTrue.java:36)
>         at app//org.junit.jupiter.api.Assertions.assertTrue(Assertions.java:211)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.waitForChannelReady(NetworkTestUtils.java:107)
>         at app//org.apache.kafka.common.network.NetworkTestUtils.checkClientConnection(NetworkTestUtils.java:70)
>         at
[jira] [Resolved] (KAFKA-14828) Remove R/W lock from StandardAuthorizer
[ https://issues.apache.org/jira/browse/KAFKA-14828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan resolved KAFKA-14828.
---------------------------------------
    Fix Version/s: 3.6.0
         Reviewer: Manikumar Reddy
       Resolution: Fixed

> Remove R/W lock from StandardAuthorizer
> ---------------------------------------
>
>                 Key: KAFKA-14828
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14828
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Major
>             Fix For: 3.6.0
>
> Currently, StandardAuthorizer uses R/W locks to keep the data consistent between reads. The intent of this Jira is to remove the R/W locks by using a persistent data structures library such as [pcollections|https://github.com/hrldcpr/pcollections], [Paguro|https://github.com/GlenKPeterson/Paguro] or [Vavr|https://github.com/vavr-io/vavr].

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
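As an added illustration of the change this issue describes (example code written for this page, not Kafka's StandardAuthorizer and not the patch that resolved the issue), the sketch below puts an ACL store guarded by a ReentrantReadWriteLock next to one that publishes an immutable snapshot through a volatile reference, so readers never block on writers. To stay dependency-free it rebuilds the snapshot with plain JDK collections (copy-on-write); with one of the persistent-collection libraries named in the issue the rebuild would become an incremental, structure-sharing update. The `Acl` record, the `AclStore` interface, the `aclsFor` lookup and Java 17 or newer are assumptions of this example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.stream.Collectors;

/** Runs a writer that keeps adding ACLs while the main thread reads; neither store may ever lose a published ACL. */
public final class AclStoreDemo {
    public static void main(String[] args) throws InterruptedException {
        List<AclStore> stores = List.of(new LockedAclStore(), new SnapshotAclStore());
        for (AclStore store : stores) {
            store.addAcl(UUID.randomUUID(), new Acl("foobar", "User:Alice", "READ", true));
            Thread writer = new Thread(() -> {
                for (int i = 0; i < 1_000; i++) {
                    store.addAcl(UUID.randomUUID(), new Acl("topic-" + (i % 10), "User:" + i, "READ", true));
                }
            });
            writer.start();
            long reads = 0;
            while (writer.isAlive()) {
                // A reader must always see the ACL that was published before the writer started.
                if (store.aclsFor("foobar").isEmpty()) {
                    throw new AssertionError("lost ACL in " + store.getClass().getSimpleName());
                }
                reads++;
            }
            writer.join();
            System.out.println(store.getClass().getSimpleName() + ": " + reads + " reads during 1000 writes");
        }
    }
}

// Minimal ACL shape for the example (assumption; not Kafka's StandardAcl).
record Acl(String resourceName, String principal, String operation, boolean allow) {}

interface AclStore {
    void addAcl(UUID id, Acl acl);
    void removeAcl(UUID id);
    /** All ACLs on the exact resource name: the hot path an authorizer runs on every request. */
    List<Acl> aclsFor(String resourceName);
}

/** Before: readers take the read lock and writers the write lock, so an ACL change stalls every lookup. */
final class LockedAclStore implements AclStore {
    private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
    private final Map<UUID, Acl> byId = new HashMap<>();
    private final Map<String, List<Acl>> byResource = new HashMap<>();

    @Override public void addAcl(UUID id, Acl acl) {
        lock.writeLock().lock();
        try {
            byId.put(id, acl);
            byResource.computeIfAbsent(acl.resourceName(), k -> new ArrayList<>()).add(acl);
        } finally { lock.writeLock().unlock(); }
    }

    @Override public void removeAcl(UUID id) {
        lock.writeLock().lock();
        try {
            Acl acl = byId.remove(id);
            if (acl != null) {
                List<Acl> list = byResource.get(acl.resourceName());
                if (list != null) list.remove(acl);
            }
        } finally { lock.writeLock().unlock(); }
    }

    @Override public List<Acl> aclsFor(String resourceName) {
        lock.readLock().lock();
        try {
            return List.copyOf(byResource.getOrDefault(resourceName, List.of()));
        } finally { lock.readLock().unlock(); }
    }
}

/** After: readers dereference one volatile snapshot and never block; each write publishes a new immutable map. */
final class SnapshotAclStore implements AclStore {
    private volatile Map<String, List<Acl>> snapshot = Map.of();
    private final Map<UUID, Acl> byId = new HashMap<>(); // writer-side index, touched only under writerLock
    private final Object writerLock = new Object();       // writers serialise with each other, never with readers

    @Override public void addAcl(UUID id, Acl acl) {
        synchronized (writerLock) {
            byId.put(id, acl);
            snapshot = rebuild();
        }
    }

    @Override public void removeAcl(UUID id) {
        synchronized (writerLock) {
            if (byId.remove(id) != null) snapshot = rebuild();
        }
    }

    @Override public List<Acl> aclsFor(String resourceName) {
        // No lock: a reader sees either the previous or the new snapshot, never a half-updated one.
        return snapshot.getOrDefault(resourceName, List.of());
    }

    // Copy-on-write over plain JDK maps. A persistent map (pcollections, Paguro or Vavr) would turn this
    // full rebuild into an incremental plus()/minus() that shares structure with the previous snapshot.
    private Map<String, List<Acl>> rebuild() {
        return Map.copyOf(byId.values().stream()
            .collect(Collectors.groupingBy(Acl::resourceName, Collectors.toUnmodifiableList())));
    }
}
```

Run it with `java AclStoreDemo.java`. The invariant the loop checks is the one a lock-free authorizer has to keep: a request racing with an ACL change must observe a complete ACL set, either the one before or the one after the change. The snapshot store gets that from the volatile publish of an immutable map; the cost moves to the writer, which is where a persistent collection pays off.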
[jira] [Resolved] (KAFKA-14827) Support for StandardAuthorizer in Benchmark
[ https://issues.apache.org/jira/browse/KAFKA-14827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan resolved KAFKA-14827.
---------------------------------------
    Fix Version/s: 3.5.0
         Reviewer: Manikumar Reddy
       Resolution: Fixed

> Support for StandardAuthorizer in Benchmark
> -------------------------------------------
>
>                 Key: KAFKA-14827
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14827
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Major
>             Fix For: 3.5.0
>
> Support for StandardAuthorizer in Benchmark
[jira] [Closed] (KAFKA-14827) Support for StandardAuthorizer in Benchmark
[ https://issues.apache.org/jira/browse/KAFKA-14827?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan closed KAFKA-14827.
-------------------------------------

> Support for StandardAuthorizer in Benchmark
> -------------------------------------------
>
>                 Key: KAFKA-14827
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14827
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Major
>             Fix For: 3.5.0
>
[jira] [Created] (KAFKA-14828) Remove R/W lock from StandardAuthorizer
Purshotam Chauhan created KAFKA-14828:
-----------------------------------------

             Summary: Remove R/W lock from StandardAuthorizer
                 Key: KAFKA-14828
                 URL: https://issues.apache.org/jira/browse/KAFKA-14828
             Project: Kafka
          Issue Type: Improvement
            Reporter: Purshotam Chauhan
            Assignee: Purshotam Chauhan


Currently, StandardAuthorizer uses R/W locks to keep the data consistent between reads. The intent of this Jira is to remove the R/W locks by using the persistent data structures library like - [pcollections|https://github.com/hrldcpr/pcollections], [Paguro|https://github.com/GlenKPeterson/Paguro] and [Vavr|[https://github.com/vavr-io/vavr].]
[jira] [Updated] (KAFKA-14828) Remove R/W lock from StandardAuthorizer
[ https://issues.apache.org/jira/browse/KAFKA-14828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan updated KAFKA-14828:
--------------------------------------
    Description:
Currently, StandardAuthorizer uses R/W locks to keep the data consistent between reads. The intent of this Jira is to remove the R/W locks by using the persistent data structures library like - [pcollections|https://github.com/hrldcpr/pcollections], [Paguro|https://github.com/GlenKPeterson/Paguro] and [Vavr|https://github.com/vavr-io/vavr]

  was:
Currently, StandardAuthorizer uses R/W locks to keep the data consistent between reads. The intent of this Jira is to remove the R/W locks by using the persistent data structures library like - [pcollections|https://github.com/hrldcpr/pcollections], [Paguro|https://github.com/GlenKPeterson/Paguro] and [Vavr|[https://github.com/vavr-io/vavr].]

> Remove R/W lock from StandardAuthorizer
> ---------------------------------------
>
>                 Key: KAFKA-14828
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14828
>             Project: Kafka
>          Issue Type: Improvement
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Major
>
[jira] [Created] (KAFKA-14827) Support for StandardAuthorizer in Benchmark
Purshotam Chauhan created KAFKA-14827:
-----------------------------------------

             Summary: Support for StandardAuthorizer in Benchmark
                 Key: KAFKA-14827
                 URL: https://issues.apache.org/jira/browse/KAFKA-14827
             Project: Kafka
          Issue Type: Improvement
            Reporter: Purshotam Chauhan
            Assignee: Purshotam Chauhan


Support for StandardAuthorizer in Benchmark
[jira] [Resolved] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan resolved KAFKA-14435.
---------------------------------------
    Fix Version/s: 3.3.2
                   3.4.0
       Resolution: Fixed

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>    Affects Versions: 3.2.0, 3.3.0, 3.2.1, 3.2.2, 3.2.3, 3.3.1
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>             Fix For: 3.3.2, 3.4.0
>
> When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow everyone only if there is no ACL present for a particular resource. But if there are ACLs present for the resource, then it shouldn't be allowing everyone.
> StandardAuthorizer is allowing the principals for which no ACLs are defined even when the resource has other ACLs.
>
> This behavior can be validated with the following test case:
>
> {code:java}
> // Reproducer written as a method of StandardAuthorizerTest; it relies on that class's
> // static imports and helpers (withId, newAction, AuthorizerTestServerInfo).
> @Test
> public void testAllowEveryoneConfig() throws Exception {
>     StandardAuthorizer authorizer = new StandardAuthorizer();
>     HashMap<String, Object> configs = new HashMap<>();
>     configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
>     configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
>     authorizer.configure(configs);
>     authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
>     authorizer.completeInitialLoad();
>
>     // Allow User:Alice to read topic "foobar"
>     List<StandardAclWithId> acls = asList(
>         withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
>     );
>     acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));
>
>     // User:Bob shouldn't be allowed to read topic "foobar": the resource has an ACL,
>     // so the allow-everyone fallback must not apply to him.
>     assertEquals(singletonList(DENIED),
>         authorizer.authorize(new MockAuthorizableRequestContext.Builder()
>                 .setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
>             singletonList(newAction(READ, TOPIC, "foobar"))));
> }
> {code}
>
> In the above test, `User:Bob` should be DENIED but the above test case fails.
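To make the decision rule behind this bug concrete, here is an added model of the `allow.everyone.if.no.acl.found` fallback (illustrative code written for this page, not Kafka's StandardAuthorizer and not the fix that was merged). The point it demonstrates is the one the issue and its comments make: the fallback has to be keyed on "the resource has no ACLs at all" (the `noResourceAcls` flag proposed in the comments), not on "no ACL matched this principal". The `Acl` record, the `buggyFallback` switch that reproduces the reported behaviour, the `User:*` wildcard principal handling and Java 17 or newer are assumptions of this example.

```java
import java.util.List;
import java.util.Set;

public final class AllowEveryoneDemo {
    enum Result { ALLOWED, DENIED }

    /** Illustrative ACL: literal resource name, principal, operation, permission (assumption, not Kafka's StandardAcl). */
    record Acl(String resourceName, String principal, String operation, boolean allow) {}

    static final class Authorizer {
        private final Set<String> superUsers;
        private final boolean allowEveryoneIfNoAclFound;
        private final boolean buggyFallback; // true reproduces the behaviour the issue reports
        private final List<Acl> acls;

        Authorizer(Set<String> superUsers, boolean allowEveryoneIfNoAclFound, boolean buggyFallback, List<Acl> acls) {
            this.superUsers = superUsers;
            this.allowEveryoneIfNoAclFound = allowEveryoneIfNoAclFound;
            this.buggyFallback = buggyFallback;
            this.acls = acls;
        }

        Result authorize(String principal, String resourceName, String operation) {
            if (superUsers.contains(principal)) return Result.ALLOWED;

            // Every ACL on this resource, whoever it names. This is what the fallback must be keyed on.
            List<Acl> resourceAcls = acls.stream().filter(a -> a.resourceName().equals(resourceName)).toList();
            boolean noResourceAcls = resourceAcls.isEmpty();

            // The subset that names this principal (or the wildcard principal) and this operation.
            List<Acl> matching = resourceAcls.stream()
                .filter(a -> a.principal().equals(principal) || a.principal().equals("User:*"))
                .filter(a -> a.operation().equals(operation) || a.operation().equals("ALL"))
                .toList();

            if (matching.stream().anyMatch(a -> !a.allow())) return Result.DENIED; // an explicit DENY always wins
            if (matching.stream().anyMatch(Acl::allow)) return Result.ALLOWED;

            // Nothing named this principal. Correct rule: allow everyone only when the resource has no ACLs at all.
            // Buggy rule: treat "no ACL matched this principal" as "no ACL found".
            boolean noAclFound = buggyFallback || noResourceAcls;
            return allowEveryoneIfNoAclFound && noAclFound ? Result.ALLOWED : Result.DENIED;
        }
    }

    private static void check(String label, Result actual, Result expected) {
        if (actual != expected) throw new AssertionError(label + ": expected " + expected + " but got " + actual);
        System.out.println(label + " -> " + actual);
    }

    public static void main(String[] args) {
        // Same setup as the reporter's test: super users alice and chris, one ALLOW READ ACL for User:Alice on "foobar".
        List<Acl> acls = List.of(new Acl("foobar", "User:Alice", "READ", true));
        Set<String> superUsers = Set.of("User:alice", "User:chris");
        Authorizer fixed = new Authorizer(superUsers, true, false, acls);
        Authorizer buggy = new Authorizer(superUsers, true, true, acls);

        // "foobar" carries an ACL, so Bob (who has none) must be denied; the buggy rule lets him in.
        check("fixed: Bob READ foobar", fixed.authorize("User:Bob", "foobar", "READ"), Result.DENIED);
        check("buggy: Bob READ foobar", buggy.authorize("User:Bob", "foobar", "READ"), Result.ALLOWED);
        // "other" carries no ACL at all, so the fallback legitimately allows everyone.
        check("fixed: Bob READ other", fixed.authorize("User:Bob", "other", "READ"), Result.ALLOWED);
        // Alice's ACL matches; a super user needs no ACL; Alice's READ ACL does not cover WRITE.
        check("fixed: Alice READ foobar", fixed.authorize("User:Alice", "foobar", "READ"), Result.ALLOWED);
        check("fixed: chris WRITE foobar", fixed.authorize("User:chris", "foobar", "WRITE"), Result.ALLOWED);
        check("fixed: Alice WRITE foobar", fixed.authorize("User:Alice", "foobar", "WRITE"), Result.DENIED);
    }
}
```

Run it with `java AllowEveryoneDemo.java`. The operational lesson for anyone running `allow.everyone.if.no.acl.found=true` on the affected versions (3.2.0 through 3.3.1 in KRaft mode): adding an ALLOW ACL for one principal on a topic did not fence out other principals the way it does under the ZooKeeper AclAuthorizer, so a resource was effectively open until the upgrade to 3.3.2 or 3.4.0, or until the option was turned off.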
[jira] [Updated] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan updated KAFKA-14435:
--------------------------------------
    Affects Version/s: 3.3.1
                       3.3.0

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>    Affects Versions: 3.2.0, 3.3.0, 3.2.1, 3.2.2, 3.2.3, 3.3.1
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Created] (KAFKA-14733) Update AclAuthorizerTest to run tests for both zk and kraft mode
Purshotam Chauhan created KAFKA-14733:
-----------------------------------------

             Summary: Update AclAuthorizerTest to run tests for both zk and kraft mode
                 Key: KAFKA-14733
                 URL: https://issues.apache.org/jira/browse/KAFKA-14733
             Project: Kafka
          Issue Type: Improvement
            Reporter: Purshotam Chauhan
            Assignee: Purshotam Chauhan


Currently, we have two test classes, AclAuthorizerTest and StandardAuthorizerTest, that are used exclusively for zk and kraft mode. But AclAuthorizerTest has a lot of tests covering various scenarios. We should change AclAuthorizerTest to run for both zk and kraft modes so as to keep parity between both modes.
[jira] [Updated] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan updated KAFKA-14435:
--------------------------------------
    Affects Version/s: 3.2.3
                       3.2.2
                       3.2.1
                       3.2.0

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>    Affects Versions: 3.2.0, 3.2.1, 3.2.2, 3.2.3
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642497#comment-17642497 ]

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 2:12 PM:
--------------------------------------------------------------------

This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the `if` block [here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the `if` clause [here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Assigned] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Purshotam Chauhan reassigned KAFKA-14435:
-----------------------------------------

    Assignee: Purshotam Chauhan

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Assignee: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642497#comment-17642497 ]

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 1:21 PM:
--------------------------------------------------------------------

This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the `if` clause [here|https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].

was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the `if` clause [here.|#L523].]

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Comment Edited] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642497#comment-17642497 ]

Purshotam Chauhan edited comment on KAFKA-14435 at 12/2/22 1:20 PM:
--------------------------------------------------------------------

This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the `if` clause [here.|#L523].]

was (Author: JIRAUSER298490):
This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the if clause [here|[https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].]

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Commented] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
[ https://issues.apache.org/jira/browse/KAFKA-14435?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642497#comment-17642497 ]

Purshotam Chauhan commented on KAFKA-14435:
-------------------------------------------

This can be fixed by adding a flag `noResourceAcls` in `MatchingAclBuilder` class. We can set this flag inside the if clause [here|[https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L523].]

> Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KAFKA-14435
>                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
>             Project: Kafka
>          Issue Type: Bug
>          Components: kraft
>            Reporter: Purshotam Chauhan
>            Priority: Critical
>
[jira] [Created] (KAFKA-14435) Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
Purshotam Chauhan created KAFKA-14435:
-----------------------------------------

             Summary: Kraft: StandardAuthorizer allowing a non-authorized user when `allow.everyone.if.no.acl.found` is enabled
                 Key: KAFKA-14435
                 URL: https://issues.apache.org/jira/browse/KAFKA-14435
             Project: Kafka
          Issue Type: Bug
          Components: kraft
            Reporter: Purshotam Chauhan


When `allow.everyone.if.no.acl.found` is enabled, the authorizer should allow everyone only if there is no ACL present for a particular resource. But if there are ACLs present for the resource, then it shouldn't be allowing everyone.

StandardAuthorizer is allowing the principals for which no ACLs are defined even when the resource has other ACLs.

This behavior can be validated with the following test case:

{code:java}
// Reproducer written as a method of StandardAuthorizerTest; it relies on that class's
// static imports and helpers (withId, newAction, AuthorizerTestServerInfo).
@Test
public void testAllowEveryoneConfig() throws Exception {
    StandardAuthorizer authorizer = new StandardAuthorizer();
    HashMap<String, Object> configs = new HashMap<>();
    configs.put(SUPER_USERS_CONFIG, "User:alice;User:chris");
    configs.put(ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG, "true");
    authorizer.configure(configs);
    authorizer.start(new AuthorizerTestServerInfo(Collections.singletonList(PLAINTEXT)));
    authorizer.completeInitialLoad();

    // Allow User:Alice to read topic "foobar"
    List<StandardAclWithId> acls = asList(
        withId(new StandardAcl(TOPIC, "foobar", LITERAL, "User:Alice", WILDCARD, READ, ALLOW))
    );
    acls.forEach(acl -> authorizer.addAcl(acl.id(), acl.acl()));

    // User:Bob shouldn't be allowed to read topic "foobar": the resource has an ACL,
    // so the allow-everyone fallback must not apply to him.
    assertEquals(singletonList(DENIED),
        authorizer.authorize(new MockAuthorizableRequestContext.Builder()
                .setPrincipal(new KafkaPrincipal(USER_TYPE, "Bob")).build(),
            singletonList(newAction(READ, TOPIC, "foobar"))));
}
{code}

In the above test, `User:Bob` should be DENIED but the above test case fails.