Table of Contents |
---|
Status
Current state: Under Discussion
Discussion thread: here
APPROVED
Discussion thread: https://lists.apache.org/thread.html/r56f658f1d1de2b09465d70be69a8bebfd4518663be5a88fba2e9e7c0%40%3Cdev.kafka.apache.org%3E
JIRA:
Jira | ||||||
---|---|---|---|---|---|---|
|
Jira | ||||||
---|---|---|---|---|---|---|
|
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
/** * Check if the caller is authorized to perform the given ACL operation on at least one * resource of the given type. * * @param1. requestContextFilter Requestout contextall includingthe requestresource resourceType,pattern securitycorresponding protocol,to andthe listenerrequestContext, nameAclOperation, * @param op and ResourceType * 2. If wildcard deny Theexists, ACLreturn operationdeny to checkdirectly * @param3. resourceTypeFor any literal Theallowed resource, type if there's no dominant literal *denied @returnresource, and * no dominant prefixed denied resource, Returnreturn {@linkallow AuthorizationResult#ALLOWED} if the caller is* authorized4. toFor performany the prefixed allowed resource, if there's *no dominant denied resource, return allow * 5. For any other cases, return deny * given ACL* operationIt onis atimportant leastto oneoverride resourcethis ofinterface thedefault givenin type.implementations because * 1. The interface default iterates all AclBindings multiple times, without any indexing, * which is Returna {@linkCPU AuthorizationResult#DENIED}intense otherwisework. */ 2. The interface default AuthorizationResultrebuild authorizeAny(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { several sets of strings, which is a memory intense work. ResourcePatternFilter* resourceFilter = new ResourcePatternFilter(resourceType, null, PatternType.ANY); AclBindingFilter aclFilter = new AclBindingFilter(* @param requestContext Request context including request resourceType, security protocol, and listener name * @param op resourceFilter, new AccessControlEntryFilter( The ACL operation to check requestContext.principal().toString(), * @param resourceType The resource type to check * @return requestContext.clientAddress().getHostAddress(), Return {@link AuthorizationResult#ALLOWED} op, if the caller is authorized to perform the * AclPermissionType.ANY)); Set<String> denyPrefixes = new HashSet<>(); given ACL Set<String>operation allowPrefixeson =at new HashSet<>(); least one resource of the given type. for (AclBinding binding* : acls(aclFilter)) { if (binding.entry().permissionType() != AclPermissionType.ALLOW) { Return {@link AuthorizationResult#DENIED} otherwise. */ ifdefault AuthorizationResult (binding.entry().permissionType() == AclPermissionType.DENYauthorizeByResourceType(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType); ResourcePatternFilter resourceTypeFilter = switch (binding.pattern().patternType()) {new ResourcePatternFilter( resourceType, null, PatternType.ANY); AclBindingFilter aclFilter case LITERAL:= new AclBindingFilter( resourceTypeFilter, AccessControlEntryFilter.ANY); EnumMap<PatternType, Set<String>> denyPatterns = if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) new EnumMap<PatternType, Set<String>>(PatternType.class){{ put(PatternType.LITERAL, new HashSet<>()); return AuthorizationResult.DENIEDput(PatternType.PREFIXED, new HashSet<>()); }}; EnumMap<PatternType, Set<String>> allowPatterns = if (binding.pattern().resourceType() == ResourceType.CLUSTER && new EnumMap<PatternType, Set<String>>(PatternType.class){{ put(PatternType.LITERAL, new HashSet<>()); put(PatternType.PREFIXED, new HashSet<>()); binding.pattern().name().equals(Resource.CLUSTER_NAME))}}; boolean hasWildCardAllow = false; KafkaPrincipal principal = return AuthorizationResult.DENIED;new KafkaPrincipal( requestContext.principal().getPrincipalType(), breakrequestContext.principal().getName()); String hostAddr = requestContext.clientAddress().getHostAddress(); for (AclBinding binding : case PREFIXED:acls(aclFilter)) { if (binding.pattern().name().isEmpty(if (!binding.entry().host().equals(hostAddr) && !binding.entry().host().equals("*")) continue; if (!SecurityUtils.parseKafkaPrincipal(binding.entry().principal()).equals(principal) return AuthorizationResult.DENIED; denyPrefixes.add(binding.pattern&& !binding.entry().principal().nameequals("User:*")); continue; break;if (binding.entry().operation() != op }&& binding.entry().operation() != AclOperation.ALL) }continue; if (binding.entry().permissionType() == continue;AclPermissionType.DENY) { } switch (binding.pattern().patternType()) { case LITERAL case LITERAL: if (binding.pattern().name() == .equals(ResourcePattern.WILDCARD_RESOURCE)) return AuthorizationResult.ALLOWEDDENIED; List<Action> action = Collections.singletonList(new Action( denyPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); break; op, binding.pattern(), 1, false, false)); if (authorize(requestContext, action).get(0) == AuthorizationResult.ALLOWED) {case PREFIXED: return AuthorizationResult.ALLOWED; denyPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()); } break; break; default: case PREFIXED: } allowPrefixes.add(binding.pattern().name())continue; } break; if (binding.entry().permissionType() != AclPermissionType.ALLOW) } }continue; for (String allowed : allowPrefixesswitch (binding.pattern().patternType()) { StringBuilder sb = new StringBuilder(); case LITERAL: boolean hasDominatedDeny = false; if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) { for (int pos = 0; pos < allowed.length(); pos++) { hasWildCardAllow = true; sb.append(allowed.charAt(pos)); if (denyPrefixes.contains(sb.toString())) {continue; hasDominatedDeny = true;} break; allowPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); } break; } case PREFIXED: if (!hasDominatedDeny) return AuthorizationResult.ALLOWED allowPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()); } break; default: return AuthorizationResult.DENIED;} } |
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
AclAuthorizer and SimpleAclAuthorizer will override the new interface `org.apache.kafka.server.authorizer.Authorizer#authorizeAny` to
- improve the performance
- implement the `allow.everyone.if.no.acl.found` logic
`IDEMPOTENT_WRITE` Deprecation
Besides the public interface changes above, we will deprecate `IDEMPOTENT_WRITE` in release version 2.8 because it's kind of trivial by practice.
We are relaxing the ACL restriction from `IDEMPOTENT_WRITE` to `WRITE` earlier (release version 2.8) and changing the producer defaults later (release version 3.0) in order to give the community users enough time to upgrade their broker first. So their later client-side upgrading, which enables idempotence by default, won't get blocked by the `IDEMPOTENT_WRITE` ACL required by the old version brokers.
}
if (hasWildCardAllow) {
return AuthorizationResult.ALLOWED;
}
for (Map.Entry<PatternType, Set<String>> entry : allowPatterns.entrySet()) {
for (String allowStr : entry.getValue()) {
if (entry.getKey() == PatternType.LITERAL
&& denyPatterns.get(PatternType.LITERAL).contains(allowStr))
continue;
StringBuilder sb = new StringBuilder();
boolean hasDominatedDeny = false;
for (char ch : allowStr.toCharArray()) {
sb.append(ch);
if (denyPatterns.get(PatternType.PREFIXED).contains(sb.toString())) {
hasDominatedDeny = true;
break;
}
}
if (!hasDominatedDeny)
return AuthorizationResult.ALLOWED;
}
}
return AuthorizationResult.DENIED;
} |
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
AclAuthorizer and AuthorizerWrapper will override the new interface `org.apache.kafka.server.authorizer.Authorizer#authorizeAny` to
- improve the performance
- implement the `allow.everyone.if.no.acl.found` logic
`IDEMPOTENT_WRITE` Deprecation
Besides the public interface changes above, we will deprecate `IDEMPOTENT_WRITE` in release version 3.0 because it's kind of trivial by practice.
We are relaxing the ACL restriction from `IDEMPOTENT_WRITE` to `WRITE` earlier (release version 2.8) and changing the producer defaults later (release version 3.0) in order to give the community users enough time to upgrade their broker first. So their later client-side upgrading, which enables idempotence by default, won't get blocked by the `IDEMPOTENT_WRITE` ACL required by the old version brokers.
`IDEMPOTENT_WRITE` will be deprecated in 3.0 but won't be removed in a short term, in order to give the community enough time to upgrade their `authorizer` implementation.
`request-required-acks` option in kafka-console-producer.sh will change default to -1
In kafka-console-producer.sh, we have a option: `request-required-acks` that can configure the acks
setting in Producer. It was originally default to 1. But after this KIP, we set the default enable.idempotence
to true, so we have to also set the default acks
config here to -1 for this change`IDEMPOTENT_WRITE` will be deprecated in 2.8 but won't be removed in a short term, in order to give the community enough time to upgrade their `authorizer` implementation.
Compatibility, Deprecation, and Migration Plan
...