Table of Contents |
---|
Status
Current state: Under Discussion
Discussion thread: here
APPROVED
Discussion thread: https://lists.apache.org/thread.html/r56f658f1d1de2b09465d70be69a8bebfd4518663be5a88fba2e9e7c0%40%3Cdev.kafka.apache.org%3E
JIRA:
Jira | ||||||
---|---|---|---|---|---|---|
|
Jira | ||||||
---|---|---|---|---|---|---|
|
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
...
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
/** * Check if the caller is authorized to perform the given ACL operation on at least one * resource of the given type. * * @param1. requestContextFilter Requestout contextall includingthe requestresource resourceType,pattern securitycorresponding protocol,to andthe listenerrequestContext, nameAclOperation, * @param op and ResourceType * 2. If wildcard deny Theexists, ACLreturn operationdeny to checkdirectly * @param3. resourceTypeFor any literal Theallowed resource, type if there's no dominant literal *denied @returnresource, and * no dominant prefixed denied resource, Returnreturn {@linkallow AuthorizationResult#ALLOWED} if the caller is* authorized4. toFor performany the prefixed allowed resource, if there's *no dominant denied resource, return allow * 5. For any other cases, return deny * given ACL* operationIt onis atimportant leastto oneoverride resourcethis ofinterface thedefault givenin type.implementations because * 1. The interface default iterates all AclBindings multiple times, without any indexing, * which is Returna {@linkCPU AuthorizationResult#DENIED}intense otherwisework. */ 2. The interface default AuthorizationResultrebuild authorizeAny(AuthorizableRequestContext requestContext, AclOperation op, ResourceType resourceType) { several sets of strings, which is a memory intense work. if* (resourceType == ResourceType.ANY) { * @param requestContext Request context including request resourceType, security protocol, and throwlistener newname IllegalArgumentException( * @param op "Must specify a non-filterThe resourceACL typeoperation for authorizeAny");to check * @param resourceType } The resource type to check if (resourceType == ResourceType.UNKNOWN) { * @return throw new IllegalArgumentException( Return {@link AuthorizationResult#ALLOWED} if the caller is authorized to perform the * "Unknown resource type"); } if (op == AclOperation.ANY) { throw new IllegalArgumentException( given ACL operation on at least one resource of the given type. * "Must specify a non-filter operation type for authorizeAny"); Return {@link AuthorizationResult#DENIED} otherwise. } */ default AuthorizationResult authorizeByResourceType(AuthorizableRequestContext requestContext, ifAclOperation (op, == AclOperation.UNKNOWNResourceType resourceType) { SecurityUtils.authorizeByResourceTypeCheckArgs(op, resourceType); throw new IllegalArgumentException( ResourcePatternFilter resourceTypeFilter = "Unknown operation type"); } ResourcePatternFilter resourceTypeFilter = new new ResourcePatternFilter( resourceType, null, PatternType.ANY); AclBindingFilter aclFilter = new AclBindingFilter( resourceTypeFilter, AccessControlEntryFilter.ANY); EnumMap<PatternType, Set<String>Set<String>> denyPrefixesdenyPatterns = new HashSet<>(); Set<String> allowPrefixes = new EnumMap<PatternType, HashSet<>Set<String>>(PatternType.class);{{ boolean hasWildCardAllow = false; put(PatternType.LITERAL, new HashSet<>()); for put(AclBinding binding : acls(aclFilter)) { PatternType.PREFIXED, new HashSet<>()); }}; if (!binding.entry().host().equals(requestContext.clientAddress().getHostAddress()) EnumMap<PatternType, Set<String>> allowPatterns = && !binding.entry().host().equals("*")) new EnumMap<PatternType, Set<String>>(PatternType.class){{ continue; put(PatternType.LITERAL, new HashSet<>()); if put(!binding.entryPatternType.PREFIXED, new HashSet<>().principal().equals(requestContext.principal().toString())); }}; boolean hasWildCardAllow = false; && !binding.entry().principal().equals("User:*")) KafkaPrincipal principal = new KafkaPrincipal( continue; requestContext.principal().getPrincipalType(), if (binding.entryrequestContext.principal().operationgetName()) != op; String hostAddr && binding.entry= requestContext.clientAddress().operationgetHostAddress() != AclOperation.ALL); for (AclBinding binding : continue; acls(aclFilter)) { if (!binding.entry().permissionTypehost() == AclPermissionType.DENY) { .equals(hostAddr) && !binding.entry().host().equals("*")) switch (binding.patterncontinue; if (!SecurityUtils.parseKafkaPrincipal(binding.entry().patternTypeprincipal()).equals(principal) { case LITERAL: && !binding.entry().principal().equals("User:*")) continue; if (binding.patternentry().nameoperation().equals(ResourcePattern.WILDCARD_RESOURCE)) != op && binding.entry().operation() != AclOperation.ALL) return AuthorizationResult.DENIED; continue; if (binding.patternentry().resourceTypepermissionType() == ResourceTypeAclPermissionType.CLUSTERDENY) &&{ switch (binding.pattern().name().equals(Resource.CLUSTER_NAMEpatternType()) { case LITERAL: return AuthorizationResult.DENIED; if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) break; case PREFIXED:return AuthorizationResult.DENIED; if denyPatterns.get(PatternType.LITERAL).add(binding.pattern().name().isEmpty()); break; return AuthorizationResult.DENIED; case PREFIXED: denyPrefixesdenyPatterns.get(PatternType.PREFIXED).add(binding.pattern().name()); break; default: } continue; } if (binding.entry().permissionType() != AclPermissionType.ALLOW) continue; switch (binding.pattern().patternType()) { case LITERAL: if (binding.pattern().name().equals(ResourcePattern.WILDCARD_RESOURCE)) { hasWildCardAllow = true; continue; } List<Action> action = Collections.singletonList(new Action(allowPatterns.get(PatternType.LITERAL).add(binding.pattern().name()); break; op, binding.pattern(), 1, false, false)); case PREFIXED: if (authorize(requestContext, action) allowPatterns.get(0) == AuthorizationResult.ALLOWED) { PatternType.PREFIXED).add(binding.pattern().name()); break; return AuthorizationResult.ALLOWED; default: } } if break;(hasWildCardAllow) { return AuthorizationResult.ALLOWED; case PREFIXED: } for (Map.Entry<PatternType, Set<String>> entry : allowPrefixes.add(binding.pattern().name());allowPatterns.entrySet()) { for (String allowStr : entry.getValue()) { break; } if (entry.getKey() == PatternType.LITERAL } if (hasWildCardAllow) { && return AuthorizationResult.ALLOWED; denyPatterns.get(PatternType.LITERAL).contains(allowStr)) } for (Stringcontinue; allowed : allowPrefixes) { StringBuilder sb = new StringBuilder(); boolean hasDominatedDeny = false; for (intchar posch = 0; pos < allowed.length(); pos++: allowStr.toCharArray()) { sb.append(allowed.charAt(posch)); if (denyPrefixes(denyPatterns.get(PatternType.PREFIXED).contains(sb.toString())) { hasDominatedDeny = true; break; } } if (!hasDominatedDeny) return AuthorizationResult.ALLOWED; } } return AuthorizationResult.DENIED; } } |
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
...
Besides the public interface changes above, we will deprecate `IDEMPOTENT_WRITE` in release version 23.8 0 because it's kind of trivial by practice.
...
`IDEMPOTENT_WRITE` will be deprecated in 23.8 0 but won't be removed in a short term, in order to give the community enough time to upgrade their `authorizer` implementation.
`request-required-acks` option in kafka-console-producer.sh will change default to -1
In kafka-console-producer.sh, we have a option: `request-required-acks` that can configure the acks
setting in Producer. It was originally default to 1. But after this KIP, we set the default enable.idempotence
to true, so we have to also set the default acks
config here to -1 for this change.
Compatibility, Deprecation, and Migration Plan
...