d8tltanc commented on a change in pull request #9485:
URL: https://github.com/apache/kafka/pull/9485#discussion_r533922526
##########
File path:
jmh-benchmarks/src/main/java/org/apache/kafka/jmh/acl/AclAuthorizerBenchmark.java
##########
@@ -115,45 +122,62 @@ private void setFieldValue(Object obj, String fieldName,
Object value) throws Ex
Set<AclEntry> entries = aclEntries.computeIfAbsent(resource, k ->
new HashSet<>());
- for (int aclId = 0; aclId < aclCount; aclId++) {
- AccessControlEntry ace = new
AccessControlEntry(principal.toString() + aclId,
- "*", AclOperation.READ, AclPermissionType.ALLOW);
- entries.add(new AclEntry(ace));
+ for (int aclId = 0; aclId < aclCount / 2; aclId++) {
+ String acePrinciple = principal.toString() + (aclId == 0 ? ""
: aclId);
+ AccessControlEntry allowAce = new AccessControlEntry(
+ acePrinciple,
Review comment:
commit 6ab95d3668b3de27a7f6f58fc171a1e2e8925f69
##########
File path: core/src/main/scala/kafka/security/authorizer/AuthorizerWrapper.scala
##########
@@ -175,4 +179,73 @@ class AuthorizerWrapper(private[kafka] val baseAuthorizer:
kafka.security.auth.A
override def close(): Unit = {
baseAuthorizer.close()
}
+
+ override def authorizeByResourceType(requestContext:
AuthorizableRequestContext,
+ op: AclOperation,
+ resourceType: ResourceType):
AuthorizationResult = {
+ if (resourceType == ResourceType.ANY)
+ throw new IllegalArgumentException("Must specify a non-filter resource
type for authorizeByResourceType")
+
+ if (resourceType == ResourceType.UNKNOWN)
+ throw new IllegalArgumentException("Unknown resource type")
+
+ if (op == AclOperation.ANY)
+ throw new IllegalArgumentException("Must specify a non-filter operation
type for authorizeByResourceType")
+
+ if (op == AclOperation.UNKNOWN)
+ throw new IllegalArgumentException("Unknown operation type")
+
+ if (shouldAllowEveryoneIfNoAclIsFound && !denyAllResource(requestContext,
op, resourceType)) {
+ AuthorizationResult.ALLOWED
+ } else {
+ super.authorizeByResourceType(requestContext, op, resourceType)
+ }
+ }
+
+ private def denyAllResource(requestContext: AuthorizableRequestContext,
+ op: AclOperation,
+ resourceType: ResourceType): Boolean = {
+ val resourceTypeFilter = new ResourcePatternFilter(
+ resourceType, null, PatternType.ANY)
+ val accessControlEntry = new AccessControlEntryFilter(
+ null, null, null, AclPermissionType.DENY)
+ val aclFilter = new AclBindingFilter(resourceTypeFilter,
accessControlEntry)
+
+ for (binding <- acls(aclFilter).asScala) {
+ if (aceMatched(requestContext, op, binding) &&
canDenyAll(binding.pattern()))
+ return true
+ }
+ false
+ }
+
+ @inline
+ private def aceMatched(requestContext: AuthorizableRequestContext,
+ op: AclOperation,
+ binding: AclBinding): Boolean = {
+ (hostMatched(requestContext, binding) && principleMatched(requestContext,
binding)
+ && operationMatched(op, binding))
+ }
+
+ @inline
+ private def hostMatched(requestContext: AuthorizableRequestContext,
+ binding: AclBinding): Boolean =
+
(binding.entry().host().equals(requestContext.clientAddress().getHostAddress)
+ || binding.entry().host().equals(AclEntry.WildcardHost))
+
+ @inline
+ private def principleMatched(requestContext: AuthorizableRequestContext,
Review comment:
commit 6ab95d3668b3de27a7f6f58fc171a1e2e8925f69
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
