chia7712 commented on a change in pull request #10184:
URL: https://github.com/apache/kafka/pull/10184#discussion_r584628216



##########
File path: core/src/main/scala/kafka/server/ControllerApis.scala
##########
@@ -280,25 +281,34 @@ class ControllerApis(val requestChannel: RequestChannel,
       while (iterator.hasNext) {
         val entry = iterator.next()
         val topicName = entry.getValue
+        val topicId = entry.getKey
         if (!authorizedDeleteTopics.contains(topicName)) {
-          // Case 1 or case 4: the topic exists, but we don't have permission 
to delete it.
-          val topicId = entry.getKey
-          if (topicIdsToResolve.contains(topicId)) {
-            appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+          if (authorizedDescribeTopics.contains(topicName)) {
+            if (topicNamesToResolve.contains(topicName)) {
+              // 6. name provided, topic exists, describable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(topicName, ZERO_UUID, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            } else {
+              // 2. ID provided, topic present, describeable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            }
           } else {
-            appendResponse(topicName, ZERO_UUID, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            if (topicNamesToResolve.contains(topicName)) {
+              // 7. name provided, topic exists, undescribable => 
UNKNOWN_TOPIC_OR_PARTITION
+              appendResponse(topicName, ZERO_UUID, new 
ApiError(UNKNOWN_TOPIC_OR_PARTITION))
+            } else {
+              // 3. ID provided, topic present, undescribeable => 
UNKNOWN_TOPIC_ID
+              appendResponse(null, topicId, new ApiError(UNKNOWN_TOPIC_ID))
+            }
           }
           iterator.remove()
         }
       }
       unknownTopicNameErrors.forEach { (topicName, error) =>

Review comment:
       `unknownTopicNameErrors` needs to be handled even if `hasClusterAuth` is 
true.

##########
File path: core/src/main/scala/kafka/server/ControllerApis.scala
##########
@@ -256,17 +256,18 @@ class ControllerApis(val requestChannel: RequestChannel,
     }
 
     /**
-     * There are 5 error cases to handle here:
+     * There are 6 error cases to handle here if we don't have permission to 
delete:

Review comment:
       there are "7" cases now.

##########
File path: core/src/main/scala/kafka/server/ControllerApis.scala
##########
@@ -280,25 +281,34 @@ class ControllerApis(val requestChannel: RequestChannel,
       while (iterator.hasNext) {
         val entry = iterator.next()
         val topicName = entry.getValue
+        val topicId = entry.getKey
         if (!authorizedDeleteTopics.contains(topicName)) {
-          // Case 1 or case 4: the topic exists, but we don't have permission 
to delete it.
-          val topicId = entry.getKey
-          if (topicIdsToResolve.contains(topicId)) {
-            appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+          if (authorizedDescribeTopics.contains(topicName)) {
+            if (topicNamesToResolve.contains(topicName)) {
+              // 6. name provided, topic exists, describable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(topicName, ZERO_UUID, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            } else {
+              // 2. ID provided, topic present, describeable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            }
           } else {
-            appendResponse(topicName, ZERO_UUID, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            if (topicNamesToResolve.contains(topicName)) {
+              // 7. name provided, topic exists, undescribable => 
UNKNOWN_TOPIC_OR_PARTITION
+              appendResponse(topicName, ZERO_UUID, new 
ApiError(UNKNOWN_TOPIC_OR_PARTITION))
+            } else {
+              // 3. ID provided, topic present, undescribeable => 
UNKNOWN_TOPIC_ID
+              appendResponse(null, topicId, new ApiError(UNKNOWN_TOPIC_ID))
+            }
           }
           iterator.remove()
         }
       }
       unknownTopicNameErrors.forEach { (topicName, error) =>
           if (authorizedDescribeTopics.contains(topicName)) {
-            // Case 2: the topic we tried to delete by name doesn't exist, and 
we have
-            // permission to know that.
+            // 4. name provided, topic missing, undescribable => 
UNKNOWN_TOPIC_OR_PARTITION

Review comment:
       This should be case 5 (describable) rather than case 4 (undescribable), 
since this line is inside the `authorizedDescribeTopics.contains(topicName)` 
branch rather than the `!authorizedDescribeTopics.contains(topicName)` branch.

##########
File path: core/src/main/scala/kafka/server/ControllerApis.scala
##########
@@ -280,25 +281,34 @@ class ControllerApis(val requestChannel: RequestChannel,
       while (iterator.hasNext) {
         val entry = iterator.next()
         val topicName = entry.getValue
+        val topicId = entry.getKey
         if (!authorizedDeleteTopics.contains(topicName)) {
-          // Case 1 or case 4: the topic exists, but we don't have permission 
to delete it.
-          val topicId = entry.getKey
-          if (topicIdsToResolve.contains(topicId)) {
-            appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+          if (authorizedDescribeTopics.contains(topicName)) {
+            if (topicNamesToResolve.contains(topicName)) {
+              // 6. name provided, topic exists, describable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(topicName, ZERO_UUID, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))
+            } else {
+              // 2. ID provided, topic present, describeable => 
TOPIC_AUTHORIZATION_FAILED
+              appendResponse(null, topicId, new 
ApiError(TOPIC_AUTHORIZATION_FAILED))

Review comment:
       As the topic is describable, is it necessary to set a null name?



