Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-10 Thread via GitHub 


jolshan merged PR #15837:
URL: https://github.com/apache/kafka/pull/15837


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-08 Thread via GitHub 


jolshan commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1594302492


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging {
   () => kafkaApis.handleWriteTxnMarkersRequest(null, 
RequestLocal.withThreadConfinedCaching))
   }
 
+  @Test
+  def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): 
Unit = {

Review Comment:
   Did we make this modification?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-08 Thread via GitHub 


jolshan commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1594302111


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -3036,15 +3061,32 @@ class KafkaApisTest extends Logging {
 assertEquals(expectedErrors, markersResponse.errorsByProducerId.get(1L))
   }
 
-  @Test
-  def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = {
+  @ParameterizedTest
+  @ValueSource(strings = Array("ALTER", "CLUSTER_ACTION"))
+  def 
shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(allowedAclOperation: 
String): Unit = {
 val topicPartition = new TopicPartition("t", 0)
 val request = createWriteTxnMarkersRequest(asList(topicPartition))._2
 when(replicaManager.getMagic(topicPartition))
   .thenReturn(Some(RecordBatch.MAGIC_VALUE_V2))
 
 val requestLocal = RequestLocal.withThreadConfinedCaching
-kafkaApis = createKafkaApis()
+
+// Allowing WriteTxnMarkers API with the help of AlterCluster ACL.

Review Comment:
   nit: should we include both acls?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-08 Thread via GitHub 


sidyag commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1593693523


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -3037,14 +3062,71 @@ class KafkaApisTest extends Logging {
   }
 
   @Test
-  def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = {
+  def 
shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion_allowedWithAlterCluster():
 Unit = {

Review Comment:
   Made the changes.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-07 Thread via GitHub 


jolshan commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1593105981


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -3037,14 +3062,71 @@ class KafkaApisTest extends Logging {
   }
 
   @Test
-  def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = {
+  def 
shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion_allowedWithAlterCluster():
 Unit = {

Review Comment:
   nit: we typically don't use underscores in method names like this. Can we 
stick to camel case here?
   Also can we parameterize this test?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-07 Thread via GitHub 


jolshan commented on PR #15837:
URL: https://github.com/apache/kafka/pull/15837#issuecomment-2098727340

   Sorry I was out of town (at KSB). I will try to take a look today, but 
thanks Luke for approving as well :) 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-07 Thread via GitHub 


sidyag commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1592106849


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging {
   () => kafkaApis.handleWriteTxnMarkersRequest(null, 
RequestLocal.withThreadConfinedCaching))
   }
 
+  @Test
+  def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): 
Unit = {

Review Comment:
   That is the happy case path verified by existing tests. As mocks are not 
present there, by default the CLUSTER_ACTION check doesn't throw an exception, 
and the ALTER check returns false.
   
   I can modify the existing tests to make that explicit and duplicate it to 
test for the second scenario.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-07 Thread via GitHub 


sidyag commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1592106849


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging {
   () => kafkaApis.handleWriteTxnMarkersRequest(null, 
RequestLocal.withThreadConfinedCaching))
   }
 
+  @Test
+  def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): 
Unit = {

Review Comment:
   That is the happy case path verified by existing tests. As mocks are not 
present there, by default the CLUSTER_ACTION check doesn't throw an exception, 
and the ALTER check returns false.
   
   I can modify the existing tests to make that explicit.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-06 Thread via GitHub 


showuon commented on code in PR #15837:
URL: https://github.com/apache/kafka/pull/15837#discussion_r1591749069


##
core/src/test/scala/unit/kafka/server/KafkaApisTest.scala:
##
@@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging {
   () => kafkaApis.handleWriteTxnMarkersRequest(null, 
RequestLocal.withThreadConfinedCaching))
   }
 
+  @Test
+  def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): 
Unit = {

Review Comment:
   For this test, it can pass without this change. Maybe we need a test to 
verify it won't throw exception when alter cluster is allowed, and 
clusterAction is denied, it won't throw exception. WDYT?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-01 Thread via GitHub 


sidyag commented on PR #15837:
URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088272313

   > The only comment is that we should update 1) the documentation in 
docs/security.html#operations_resources_and_protocols to mention this change 2) 
the release notes of 3.8 once they are created. I am happy for 1) to be done 
either as part of this pull request or as a follow-up one 
   
   I have added the documentation in 
docs/security.html#operations_resources_and_protocols


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-01 Thread via GitHub 


clolov commented on PR #15837:
URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088221738

   I looked over the failures in the build, but the test failures appear to be 
unrelated to this change


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-01 Thread via GitHub 


clolov commented on PR #15837:
URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088220856

   Heya @jolshan since you cast a vote on the KIP would you have some time to 
review this pull request as well?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]

2024-05-01 Thread via GitHub 


clolov commented on PR #15837:
URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088220267

   The only comment is that we should update 1) the documentation in 
docs/security.html#operations_resources_and_protocols to mention this change 2) 
the release notes of 3.8 once they are created. I am happy for 1) to be done 
either as part of this pull request or as a follow-up one  


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org