...
3. `org.apache.kafka.server.authorizer.Authorizer` will have a new method for checking whether the caller is authorized to perform the given ACL operation on at least one resource satisfying the filter. Its default implementation assumes `allow.everyone.if.no.acl.found=false`.
```java
/**
 * Check if the caller is authorized to perform the given ACL operation on at least one
 * resource satisfying the filter.
 *
 * @param requestContext Request context including request type, security protocol, and listener name
 * @param op             The ACL operation to check
 * @param f              The resource filter
 * @return {@code AuthorizationResult.ALLOWED} if the caller is authorized to perform the given
 *         ACL operation on at least one resource satisfying the filter,
 *         {@code AuthorizationResult.DENIED} otherwise.
 */
default AuthorizationResult authorizeAny(AuthorizableRequestContext requestContext,
                                         AclOperation op,
                                         ResourcePatternFilter f) {
    // Select ACL bindings on resources satisfying the filter that name this
    // principal, client host and operation, with any permission type.
    AclBindingFilter aclFilter = new AclBindingFilter(
        f,
        new AccessControlEntryFilter(
            requestContext.principal().toString(),
            requestContext.clientAddress().getHostAddress(),
            op,
            AclPermissionType.ANY));

    for (AclBinding binding : acls(aclFilter)) {
        // Only ALLOW bindings are candidates; DENY rules are applied by authorize() below.
        if (binding.entry().permissionType() != AclPermissionType.ALLOW)
            continue;

        List<Action> actions = Collections.singletonList(new Action(
            op, binding.pattern(), 1, false, false));
        if (authorize(requestContext, actions).get(0) == AuthorizationResult.ALLOWED) {
            return AuthorizationResult.ALLOWED;
        }
    }
    return AuthorizationResult.DENIED;
}
```
Proposed Changes
AclAuthorizer and SimpleAclAuthorizer
AclAuthorizer and SimpleAclAuthorizer will override the new method `org.apache.kafka.server.authorizer.Authorizer#authorizeAny` to:
- improve the performance
- implement the `allow.everyone.if.no.acl.found` logic
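Why the default implementation only holds for `allow.everyone.if.no.acl.found=false`, as an added example (a toy model for Java 16+, not Kafka code or this proposal's implementation): the `Acl` record, the literal-only resource names and the `allowIfNoAcl` flag are assumptions standing in for the real classes and the broker setting.

```java
import java.util.List;

// Added illustration, not Kafka code: a toy ACL store with literal resource names only.
public class AuthorizeAnyDemo {
    enum Permission { ALLOW, DENY }
    record Acl(String principal, String resource, String op, Permission permission) {}

    static boolean matches(Acl acl, String principal, String op) {
        return acl.principal().equals(principal) && acl.op().equals(op);
    }

    // Per-resource check. DENY wins over ALLOW; a resource with no ACLs at all
    // falls back to allowIfNoAcl (stand-in for allow.everyone.if.no.acl.found).
    static boolean authorize(List<Acl> acls, String principal, String op,
                             String resource, boolean allowIfNoAcl) {
        boolean resourceHasAcls = false, allowed = false;
        for (Acl acl : acls) {
            if (!acl.resource().equals(resource)) continue;
            resourceHasAcls = true;
            if (!matches(acl, principal, op)) continue;
            if (acl.permission() == Permission.DENY) return false;
            allowed = true;
        }
        return resourceHasAcls ? allowed : allowIfNoAcl;
    }

    // Same shape as the default authorizeAny: candidates are resources named in
    // an ALLOW binding for the caller, so resources without ACLs are never tried.
    static boolean authorizeAnyDefault(List<Acl> acls, String principal, String op,
                                       boolean allowIfNoAcl) {
        for (Acl acl : acls) {
            if (acl.permission() != Permission.ALLOW || !matches(acl, principal, op)) continue;
            if (authorize(acls, principal, op, acl.resource(), allowIfNoAcl)) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        List<Acl> acls = List.of( // constructed sample ACLs
            new Acl("User:alice", "topic-a", "WRITE", Permission.ALLOW),
            new Acl("User:alice", "topic-a", "WRITE", Permission.DENY),
            new Acl("User:bob", "topic-b", "WRITE", Permission.ALLOW));
        System.out.println(authorizeAnyDefault(acls, "User:bob", "WRITE", false));
        System.out.println(authorizeAnyDefault(acls, "User:alice", "WRITE", false));
        // With the flag on, the per-resource check covers a topic that has no ACLs,
        System.out.println(authorize(acls, "User:alice", "WRITE", "topic-new", true));
        // while the scan over ALLOW bindings never considers that topic.
        System.out.println(authorizeAnyDefault(acls, "User:alice", "WRITE", true));
    }
}
```

The last two calls give different answers for the same caller, which is the gap an authorizer honoring `allow.everyone.if.no.acl.found=true` has to close in its override.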
`IDEMPOTENT_WRITE` Deprecation
Besides the public interface changes above, we will deprecate `IDEMPOTENT_WRITE` in release version 2.8 because it is trivial in practice.
...