THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
/** * Check if the caller is authorized to perform the given ACL operation on at least one * resource of the given type. * * @param1. requestContextFilter Requestout contextall includingthe requestresource resourceType,pattern securitycorresponding protocol,to andthe listenerrequestContext, nameAclOperation, * @param op and ResourceType * 2. If wildcard deny Theexists, ACLreturn operationdeny to checkdirectly * @param3. resourceTypeFor any literal Theallowed resource, type if there's no dominant literal *denied @returnresource, and * no dominant prefixed denied resource, Returnreturn {@linkallow AuthorizationResult#ALLOWED} if the caller is* authorized4. toFor performany the prefixed allowed resource, if there's *no dominant denied resource, return allow * 5. For any other cases, return deny * given ACL* operationIt onis atimportant leastto oneoverride resourcethis ofinterface thedefault givenin type.implementations because * 1. The interface default iterates all AclBindings multiple times, without any indexing, * which is Returna {@linkCPU AuthorizationResult#DENIED}intense otherwisework. */ 2. The interface default rebuild several AuthorizationResultsets authorizeByResourceType(AuthorizableRequestContextof requestContextstrings, which is a memory intense work. AclOperation* op, ResourceType resourceType) { if (resourceType == ResourceType.ANY) { * @param requestContext Request context including request resourceType, security protocol, and listener name * @param op throw new IllegalArgumentException( The ACL operation to check * "Must@param resourceType specify a non-filterThe resource type for authorizeByResourceType");to check * @return } if (resourceType == ResourceType.UNKNOWN) { Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the throw new IllegalArgumentException( * "Unknown resource type"); given ACL } operation on at least one resource of the if (op == AclOperation.ANY) {given type. * throw new IllegalArgumentException( Return {@link "Must specify a non-filter operation type for authorizeByResourceType");AuthorizationResult#DENIED} otherwise. */ default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) }{ if SecurityUtils.authorizeByResourceTypeCheckArgs(op == AclOperation.UNKNOWN) {, resourceType); ResourcePatternFilter resourceTypeFilter = throw new IllegalArgumentExceptionResourcePatternFilter( resourceType, "Unknown operation type"null, PatternType.ANY); } ResourcePatternFilter resourceTypeFilterAclBindingFilter aclFilter = new ResourcePatternFilterAclBindingFilter( resourceTyperesourceTypeFilter, null, PatternTypeAccessControlEntryFilter.ANY); AclBindingFilter aclFilterEnumMap<PatternType, Set<String>> denyPatterns = new AclBindingFilter( resourceTypeFilternew EnumMap<PatternType, AccessControlEntryFilterSet<String>>(PatternType.ANYclass); {{ Set<String> denyLiterals = new HashSet<>(); Set<String> denyPrefixes = put(PatternType.LITERAL, new HashSet<>()); Set<String> allowLiterals = put(PatternType.PREFIXED, new HashSet<>()); Set<String>}}; allowPrefixes = new HashSet<>(); EnumMap<PatternType, Set<String>> allowPatterns = boolean hasWildCardAllow = false; for (AclBinding binding : acls(aclFilter)) new EnumMap<PatternType, Set<String>>(PatternType.class){{ if put(!binding.entryPatternType.LITERAL, new HashSet<>().host().equals(requestContext.clientAddress().getHostAddress())); put(PatternType.PREFIXED, && !binding.entry().host().equals("*")) continue; if (!binding.entry().principal().equals(requestContext.principal().toString()) && !binding.entry().principal().equals("User:*")) new HashSet<>()); }}; boolean hasWildCardAllow = continuefalse; KafkaPrincipal principal = new if (binding.entry().operation() != op KafkaPrincipal( requestContext.principal().getPrincipalType(), && bindingrequestContext.entryprincipal().operationgetName() != AclOperation.ALL); String hostAddr continue= requestContext.clientAddress().getHostAddress(); for (AclBinding binding : if (binding.entry().permissionType() == AclPermissionType.DENY) { acls(aclFilter)) { if (!binding.entry().host().equals(hostAddr) switch (binding.pattern&& !binding.entry().host().patternTypeequals("*")) { continue; case LITERAL: if (!SecurityUtils.parseKafkaPrincipal(binding.entry().principal()).equals(principal) if&& (!binding.patternentry().nameprincipal().equals(ResourcePattern.WILDCARD_RESOURCE"User:*")) continue; return AuthorizationResult.DENIED; if (binding.entry().operation() != op denyLiterals.add(&& binding.patternentry().nameoperation() != AclOperation.ALL); continue; break; if (binding.entry().permissionType() == AclPermissionType.DENY) { case PREFIXED: switch (binding.pattern().patternType()) { denyPrefixes.add(binding.pattern().name()); case LITERAL: break; if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) } return continueAuthorizationResult.DENIED; } if (binding.entry().permissionType() != AclPermissionType.ALLOW)denyPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); continue; break; switch (binding.pattern().patternType()) { case LITERALPREFIXED: if ( denyPatterns.get(PatternType.PREFIXED).add(binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) { )); break; hasWildCardAllow = true; default: continue; } continue; } } allowLiterals.addif (binding.patternentry().namepermissionType() != AclPermissionType.ALLOW); continue; switch break;(binding.pattern().patternType()) { case PREFIXEDLITERAL: if allowPrefixes.add(binding.pattern().name()); .equals(ResourcePattern.WILDCARD_RESOURCE)) { break hasWildCardAllow = true; } } continue; if (hasWildCardAllow) { return AuthorizationResult.ALLOWED; } } for (String allowPrefix : allowPrefixes) { allowPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); StringBuilder sb = new StringBuilder()break; boolean hasDominatedDeny = false; case PREFIXED: for (char ch : allowPrefix.toCharArray allowPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()) { ; sb.append(ch)break; if (denyPrefixes.contains(sb.toString())) {default: } hasDominatedDeny} = true; if (hasWildCardAllow) { breakreturn AuthorizationResult.ALLOWED; } } for (Map.Entry<PatternType, Set<String>> entry : allowPatterns.entrySet()) { } for (String allowStr : if (!hasDominatedDeny)entry.getValue()) { returnif AuthorizationResult.ALLOWED; } (entry.getKey() == PatternType.LITERAL for (String allowLiteral : allowLiterals) { if (denyLiterals&& denyPatterns.get(PatternType.LITERAL).contains(allowLiteralallowStr)) continue; StringBuilder sb = new StringBuilder(); boolean hasDominatedDeny = false; for (char ch : allowLiteralallowStr.toCharArray()) { sb.append(ch); if (denyPrefixesdenyPatterns.get(PatternType.PREFIXED).contains(sb.toString())) { hasDominatedDeny = true; break; } } if (!hasDominatedDeny) return AuthorizationResult.ALLOWED; } } return AuthorizationResult.DENIED; } |
...