Re: [PR] KAFKA-17614: Remove AclAuthorizer [kafka]

Thu, 17 Oct 2024 03:30:08 -0700 


mimaison commented on code in PR #17424:
URL: https://github.com/apache/kafka/pull/17424#discussion_r1804513201


##########
docs/security.html:
##########
@@ -1275,10 +1275,8 @@ <h3 class="anchor-heading"><a id="security_sasl" 
class="anchor-link"></a><a href
     <h3 class="anchor-heading"><a id="security_authz" 
class="anchor-link"></a><a href="#security_authz">7.5 Authorization and 
ACLs</a></h3>
     Kafka ships with a pluggable authorization framework, which is configured 
with the <code>authorizer.class.name</code> property in the server 
configuration.
     Configured implementations must extend 
<code>org.apache.kafka.server.authorizer.Authorizer</code>.
-    Kafka provides default implementations which store ACLs in the cluster 
metadata (either Zookeeper or the KRaft metadata log).
+    Kafka provides default implementations which store ACLs in the cluster 
metadata (KRaft metadata log).

Review Comment:
   `default implementations` -> `a default implementation`, since there's just 
one now



##########
core/src/test/scala/integration/kafka/api/DescribeAuthorizedOperationsTest.scala:
##########
@@ -74,12 +74,13 @@ object DescribeAuthorizedOperationsTest {
   }
 }
 
+@Disabled("TODO: change to kraft")

Review Comment:
   Have we opened a Jira for this?



##########
core/src/test/scala/unit/kafka/security/authorizer/AuthorizerTest.scala:
##########
@@ -786,291 +614,17 @@ class AuthorizerTest extends QuorumTestHarness with 
BaseAuthorizerTest {
     }
     assertEquals(Set(acl3, acl4), 
deleteResults(0).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
     assertEquals(Set(acl1), 
deleteResults(1).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
-    if (quorum.equals(ZK)) {
-      assertEquals(Set.empty, 
deleteResults(2).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
-    } else {
-      // standard authorizer first finds the acls that match filters and then 
delete them.
-      // So filters[2] will match acl3 even though it is also matching 
filters[0] and will be deleted by it
-      assertEquals(Set(acl3), 
deleteResults(2).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
-    }
+    // standard authorizer first finds the acls that match filters and then 
delete them.
+    // So filters[2] will match acl3 even though it is also matching 
filters[0] and will be deleted by it
+    assertEquals(Set(acl3), 
deleteResults(2).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
     assertEquals(Set.empty, 
deleteResults(3).aclBindingDeleteResults.asScala.map(_.aclBinding).toSet)
   }
 
-  @Test
-  def testThrowsOnAddPrefixedAclIfInterBrokerProtocolVersionTooLow(): Unit = {
-    givenAuthorizerWithProtocolVersion(Option(IBP_2_0_IV0))
-    val e = assertThrows(classOf[ApiException],
-      () => addAcls(authorizer1, Set(denyReadAcl), new ResourcePattern(TOPIC, 
"z_other", PREFIXED)))
-    assertTrue(e.getCause.isInstanceOf[UnsupportedVersionException], 
s"Unexpected exception $e")
-  }
-
-  @Test

Review Comment:
   Is this test not relevant anymore?



##########
core/src/test/scala/integration/kafka/api/AuthorizerIntegrationTest.scala:
##########
@@ -34,24 +34,20 @@ import 
org.apache.kafka.common.message.CreatePartitionsRequestData.CreatePartiti
 import 
org.apache.kafka.common.message.CreateTopicsRequestData.{CreatableTopic, 
CreatableTopicCollection}
 import 
org.apache.kafka.common.message.IncrementalAlterConfigsRequestData.{AlterConfigsResource,
 AlterableConfig, AlterableConfigCollection}
 import 
org.apache.kafka.common.message.JoinGroupRequestData.JoinGroupRequestProtocolCollection
-import 
org.apache.kafka.common.message.LeaderAndIsrRequestData.LeaderAndIsrPartitionState
 import org.apache.kafka.common.message.LeaveGroupRequestData.MemberIdentity
 import 
org.apache.kafka.common.message.ListOffsetsRequestData.{ListOffsetsPartition, 
ListOffsetsTopic}
 import 
org.apache.kafka.common.message.OffsetForLeaderEpochRequestData.{OffsetForLeaderPartition,
 OffsetForLeaderTopic, OffsetForLeaderTopicCollection}
-import 
org.apache.kafka.common.message.StopReplicaRequestData.{StopReplicaPartitionState,
 StopReplicaTopicState}
-import 
org.apache.kafka.common.message.UpdateMetadataRequestData.{UpdateMetadataBroker,
 UpdateMetadataEndpoint, UpdateMetadataPartitionState}
-import org.apache.kafka.common.message.{AddOffsetsToTxnRequestData, 
AlterPartitionReassignmentsRequestData, AlterReplicaLogDirsRequestData, 
ConsumerGroupDescribeRequestData, ConsumerGroupHeartbeatRequestData, 
ControlledShutdownRequestData, CreateAclsRequestData, 
CreatePartitionsRequestData, CreateTopicsRequestData, DeleteAclsRequestData, 
DeleteGroupsRequestData, DeleteRecordsRequestData, DeleteTopicsRequestData, 
DescribeClusterRequestData, DescribeConfigsRequestData, 
DescribeGroupsRequestData, DescribeLogDirsRequestData, 
DescribeProducersRequestData, DescribeTransactionsRequestData, 
FindCoordinatorRequestData, HeartbeatRequestData, 
IncrementalAlterConfigsRequestData, JoinGroupRequestData, 
ListPartitionReassignmentsRequestData, ListTransactionsRequestData, 
MetadataRequestData, OffsetCommitRequestData, ProduceRequestData, 
SyncGroupRequestData, WriteTxnMarkersRequestData}
-import org.apache.kafka.common.network.ListenerName
+import org.apache.kafka.common.message.{AddOffsetsToTxnRequestData, 
AlterPartitionReassignmentsRequestData, AlterReplicaLogDirsRequestData, 
ConsumerGroupDescribeRequestData, ConsumerGroupHeartbeatRequestData, 
CreateAclsRequestData, CreatePartitionsRequestData, CreateTopicsRequestData, 
DeleteAclsRequestData, DeleteGroupsRequestData, DeleteRecordsRequestData, 
DeleteTopicsRequestData, DescribeClusterRequestData, 
DescribeConfigsRequestData, DescribeGroupsRequestData, 
DescribeLogDirsRequestData, DescribeProducersRequestData, 
DescribeTransactionsRequestData, FindCoordinatorRequestData, 
HeartbeatRequestData, IncrementalAlterConfigsRequestData, JoinGroupRequestData, 
ListPartitionReassignmentsRequestData, ListTransactionsRequestData, 
MetadataRequestData, OffsetCommitRequestData, ProduceRequestData, 
SyncGroupRequestData, WriteTxnMarkersRequestData}
 import org.apache.kafka.common.protocol.{ApiKeys, Errors}
 import org.apache.kafka.common.record.{MemoryRecords, RecordBatch, 
SimpleRecord}
 import org.apache.kafka.common.requests.OffsetFetchResponse.PartitionData
 import org.apache.kafka.common.requests._
 import org.apache.kafka.common.resource.PatternType.{LITERAL, PREFIXED}
 import org.apache.kafka.common.resource.ResourceType._
 import org.apache.kafka.common.resource.{PatternType, Resource, 
ResourcePattern, ResourcePatternFilter, ResourceType}
-import org.apache.kafka.common.security.auth.{KafkaPrincipal, SecurityProtocol}
+import org.apache.kafka.common.security.auth.{KafkaPrincipal}

Review Comment:
   We can remove the curly brackets



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to