Table of Contents |
---|
Status
Current state: Under Discussion
Discussion thread: here
APPROVED
Discussion thread: https://lists.apache.org/thread.html/r56f658f1d1de2b09465d70be69a8bebfd4518663be5a88fba2e9e7c0%40%3Cdev.kafka.apache.org%3E
JIRA:
Jira | ||||||
---|---|---|---|---|---|---|
|
Jira | ||||||
---|---|---|---|---|---|---|
|
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
/** * Check if the caller is authorized to perform the given ACL operation on at least one * resource of the given type. * * 1. Filter out all the resource pattern corresponding satisfyingto the filter requestContext, AclOperation, * and ResourceType * 2. If wildcard deny exists, return deny directly * 3. For any literal allowed resource, if there's no dominant literal denied resource, and * no dominant prefixed denied resource, return allow * 4. For any prefixed allowed resource, if there's no dominant denied resource, return allow * 5. For any other cases, return deny * * It is important to override this interface default in implementations because * 1. The interface default iterates all AclBindings multiple times, without any indexing, * which is a CPU intense work. * 2. The interface default rebuild several sets of strings, which is a memory intense work. * * @param requestContext Request context including request typeresourceType, security protocol, and listener name * @param op The ACL operation to check * @param fresourceType The resource type The resource filterto check * @return Return {@link trueAuthorizationResult#ALLOWED} if the caller is authorized to perform the giventhe ACL operation * * given ACL operation on at least one resource satisfyingof the given filter. Return falsetype. * Return {@link AuthorizationResult#DENIED} otherwise. */ default AuthorizationResult authorizeAnyauthorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType); ResourcePatternFilter resourceTypeFilter = new ResourcePatternFilter( resourceType, null, PatternType.ANY); AclBindingFilter aclFilter = new AclBindingFilter( AclOperation op, resourceTypeFilter, AccessControlEntryFilter.ANY); EnumMap<PatternType, Set<String>> denyPatterns = new EnumMap<PatternType, Set<String>>(PatternType.class){{ ResourcePatternFilter f) { put(PatternType.LITERAL, new HashSet<>()); ResourcePatternFilter resourceFilter = put(PatternType.PREFIXED, new ResourcePatternFilter(type, null, PatternType.ANY); HashSet<>()); }}; EnumMap<PatternType, Set<String>> allowPatterns = new EnumMap<PatternType, Set<String>>(PatternType.class){{ AclBindingFilter aclFilter = put(PatternType.LITERAL, new AclBindingFilterHashSet<>()); resourceFilterput(PatternType.PREFIXED, new AccessControlEntryFilterHashSet<>()); }}; boolean hasWildCardAllow = false; KafkaPrincipal principal = new KafkaPrincipal( requestContext.principal().toStringgetPrincipalType(), requestContext.principal().getName()); String hostAddr = requestContext.clientAddress().getHostAddress(); for (AclBinding binding : acls(aclFilter)) { if (!binding.entry().host().equals(hostAddr) && !binding.entry().host().equals("*")) continue; if (), !SecurityUtils.parseKafkaPrincipal(binding.entry().principal()).equals(principal) && !binding.entry().principal().equals("User:*")) continue; if (binding.entry().operation() op, != op && binding.entry().operation() != AclOperation.ALL) continue; if (binding.entry().permissionType() == AclPermissionType.ANY)).DENY) { switch (binding.pattern().patternType()) { case LITERAL: if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) return AuthorizationResult.DENIED; for (AclBinding binding : acls(aclFilter)) { denyPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); break; case PREFIXED: denyPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()); break; default: } continue; } if (binding.entry().permissionType() != AclPermissionType.ALLOW) continue; switch (binding.pattern().patternType()) { List<Action> action = Collections.singletonList(new Action( case LITERAL: if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) { hasWildCardAllow = true; continue; } op, allowPatterns.get(PatternType.LITERAL).add(binding.pattern(), 1, false, false));.name()); break; case PREFIXED: allowPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()); break; default: } } if (authorize(requestContext, action).get(0) == AuthorizationResult.ALLOWEDhasWildCardAllow) { return AuthorizationResult.ALLOWED; } for (Map.Entry<PatternType, Set<String>> entry : allowPatterns.entrySet()) { for (String allowStr : entry.getValue()) { if (entry.getKey() == PatternType.LITERAL && denyPatterns.get(PatternType.LITERAL).contains(allowStr)) continue; StringBuilder sb = new StringBuilder(); boolean hasDominatedDeny = false; for (char ch : allowStr.toCharArray()) { sb.append(ch); if (denyPatterns.get(PatternType.PREFIXED).contains(sb.toString())) { hasDominatedDeny = true; break; } } if (!hasDominatedDeny) return AuthorizationResult.ALLOWED; } } return AuthorizationResult.DENIED; } |
...
AclAuthorizer and SimpleAclAuthorizer
AclAuthorizer and SimpleAclAuthorizer and AuthorizerWrapper will override the new interface `org.apache.kafka.server.authorizer.Authorizer#authorizeAny` to
...
Besides the public interface changes above, we will deprecate `IDEMPOTENT_WRITE` in release version 23.8 0 because it's kind of trivial by practice.
...
`IDEMPOTENT_WRITE` will be deprecated in 23.8 0 but won't be removed in a short term, in order to give the community enough time to upgrade their `authorizer` implementation.
`request-required-acks` option in kafka-console-producer.sh will change default to -1
In kafka-console-producer.sh, we have a option: `request-required-acks` that can configure the acks
setting in Producer. It was originally default to 1. But after this KIP, we set the default enable.idempotence
to true, so we have to also set the default acks
config here to -1 for this change.
Compatibility, Deprecation, and Migration Plan
...
- In the scenario below, people will need to either a) grant the producers the `IDEMPOTENT_WRITE` access or b) change their producer config to explicitly disable the idempotence (set `enable.idempotence = false`).
- use producers with release version >= 3.0
- use brokers with release version < 2.8
- In the scenario below, people will need to either a) upgrade their topic format version >= V2 or b) change their producer config to explicitly disable the idempotence (set `enable.idempotence = false`).
- use producers with release version >= 3.0
- have any topic using the message format < V2 while producers with release version >= 3.0 will produce to this topic
- In the scenario below, people will need to implement the new `Authorizer#authorizeAny` interface
- use their own authorizer implementation other than `AclAuthorizer` and `SimpleAclAuthorizer`
- the customized authorizer support the configuration `allow.everyone.if.no.acl.found`
Rejected Alternatives
There's an alternative way to implement a fallback semantics on `enable.idempotence` to mitigate the compatibility issue. Specifically, by default, the producer will set `enable.idempotence` as `suggested`, a new option, to let the producer and brokers decide if idempotence can be enabled or not. However, since the fallback
...