handfreezer opened a new pull request, #16361:
URL: https://github.com/apache/kafka/pull/16361
The default StandardAuthorizer in KRaft mode defines a KafkaPrincipal as
type=User and a name, and eventually a special wildcard.
The difficulty with this solution is that we can't define ACLs by group of
KafkaPrincipal.
There is a way for the moment to do so by defining a RULE to rewrite the
KafkaPrincipal name field, BUT, to introduce the notion of group this way, you
have to set rules which will make you lose the unique part of the KafkaPrincipal
name of the connected client.
The concept here, in the StandardAuthorizer of Kafka KRaft, is to add the
management of KafkaPrincipal types:
- Regex
- StartsWith
- EndsWith
- Contains

(User is still available and keeps working as before to avoid any
regression/issue with current configurations)
This would be done in the StandardAcl class of metadata/authorizer, and the
findResult method of StandardAuthorizerData will delegate the match to the
StandardAcl class (for performance reasons: precompile regex in ACL).
I added tests in metadata, and ran ./gradlew test from kafka:trunk and my
fork: no more failed tests on my branch than on kafka:trunk
### Committer Checklist (excluded from commit message)
- [x] Verify design and implementation => thanks to spell checker in gradle process
- [x] Verify test coverage and CI build status => adding a few tests in metadata, and ran gradlew test without more failed tests than kafka:trunk
- [x] Verify documentation (including upgrade notes): added a few lines in doc, no upgrade info as the previous behaviour should still work as before.
[Link to the JIRA-16707](https://issues.apache.org/jira/browse/KAFKA-16707)
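A sketch of the per-type principal matching the pull request describes, as an added example that is not code from the PR or from Kafka. The class name `PrincipalMatchDemo`, the `Type:value` parsing and the sample principal names are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical sketch, not the PR's StandardAcl code: one ACL principal of the
// form "Type:value", matched against the full name of the connected client.
public class PrincipalMatchDemo {
    private final String type;
    private final String value;
    private final Pattern regex; // compiled once per ACL, not once per request

    PrincipalMatchDemo(String aclPrincipal) {
        int sep = aclPrincipal.indexOf(':');
        // Reject an empty value: "StartsWith:" would otherwise match every client.
        if (sep <= 0 || sep == aclPrincipal.length() - 1)
            throw new IllegalArgumentException("expected Type:value");
        type = aclPrincipal.substring(0, sep);
        value = aclPrincipal.substring(sep + 1);
        // An invalid pattern throws here, when the ACL is loaded, not at request time.
        regex = type.equals("Regex") ? Pattern.compile(value) : null;
    }

    boolean matches(String clientName) {
        switch (type) {
            case "User":       return value.equals("*") || value.equals(clientName);
            // matches() anchors the whole name; find() would accept any substring hit.
            case "Regex":      return regex.matcher(clientName).matches();
            case "StartsWith": return clientName.startsWith(value);
            case "EndsWith":   return clientName.endsWith(value);
            case "Contains":   return clientName.contains(value);
            default:           return false; // an unknown type never grants access
        }
    }

    public static void main(String[] args) {
        // Constructed principal names; the unique CN part is left intact.
        List<String> clients = List.of(
            "CN=billing-1,OU=payments,O=example",
            "CN=billing-2,OU=payments,O=example",
            "CN=audit-1,OU=payments-test,O=example");
        List<String> acls = List.of(
            "User:CN=billing-1,OU=payments,O=example",
            "Contains:OU=payments",      // loose: also covers OU=payments-test
            "Contains:,OU=payments,",    // delimited: covers only OU=payments
            "Regex:CN=[^,]+,OU=payments,O=example");
        for (String acl : acls) {
            PrincipalMatchDemo m = new PrincipalMatchDemo(acl);
            for (String c : clients)
                System.out.printf("%-42s %-40s %s%n", acl, c, m.matches(c));
        }
    }
}
```

The two `Contains` entries show why substring-style group ACLs need to include the field delimiters: without them a group pattern also grants access to principals in a similarly named unit.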