[GitHub] [kafka] rondagostino commented on a change in pull request #11503: KAFKA-13456: Tighten KRaft config checks/constraints

GitBox Tue, 07 Dec 2021 13:16:04 -0800


rondagostino commented on a change in pull request #11503:
URL: https://github.com/apache/kafka/pull/11503#discussion_r764367513




##########
File path: core/src/test/scala/unit/kafka/server/KafkaConfigTest.scala
##########
@@ -1000,46 +1139,78 @@ class KafkaConfigTest {
     }
   }
 
-  def assertDistinctControllerAndAdvertisedListeners(): Unit = {
-    val props = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port 
= TestUtils.MockZkPort)
-    val listeners = "PLAINTEXT://A:9092,SSL://B:9093,SASL_SSL://C:9094"
-    props.put(KafkaConfig.ListenersProp, listeners)
-    props.put(KafkaConfig.AdvertisedListenersProp, 
"PLAINTEXT://A:9092,SSL://B:9093")
+  @Test
+  def assertDistinctControllerAndAdvertisedListenersAllowedForKRaftBroker(): 
Unit = {
+    val props = new Properties()
+    props.put(KafkaConfig.ProcessRolesProp, "broker")
+    props.put(KafkaConfig.ListenersProp, 
"PLAINTEXT://A:9092,SSL://B:9093,SASL_SSL://C:9094")
+    props.put(KafkaConfig.AdvertisedListenersProp, 
"PLAINTEXT://A:9092,SSL://B:9093") // explicitly setting it in KRaft
+    props.put(KafkaConfig.ControllerListenerNamesProp, "SASL_SSL")
+    props.put(KafkaConfig.NodeIdProp, "2")
+    props.put(KafkaConfig.QuorumVotersProp, "3@localhost:9094")
+
+    // invalid due to extra listener also appearing in controller listeners
+    assertBadConfigContainingMessage(props,
+      "controller.listener.names must not contain a value appearing in the 
'listeners' configuration when running KRaft with just the broker role")
+
     // Valid now
-    assertTrue(isValidKafkaConfig(props))
+    props.put(KafkaConfig.ListenersProp, "PLAINTEXT://A:9092,SSL://B:9093")
+    KafkaConfig.fromProps(props)
 
-    // Still valid
-    val controllerListeners = "SASL_SSL"
-    props.put(KafkaConfig.ControllerListenerNamesProp, controllerListeners)
-    assertTrue(isValidKafkaConfig(props))
+    // Also valid if we let advertised listeners be derived from 
listeners/controller.listener.names
+    // since listeners and advertised.listeners are explicitly identical at 
this point
+    props.remove(KafkaConfig.AdvertisedListenersProp)
+    KafkaConfig.fromProps(props)
   }
 
   @Test
-  def assertAllControllerListenerCannotBeAdvertised(): Unit = {
-    val props = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port 
= TestUtils.MockZkPort)
+  def assertControllerListenersCannotBeAdvertisedForKRaftBroker(): Unit = {
+    val props = new Properties()
+    props.put(KafkaConfig.ProcessRolesProp, "broker,controller")
     val listeners = "PLAINTEXT://A:9092,SSL://B:9093,SASL_SSL://C:9094"
     props.put(KafkaConfig.ListenersProp, listeners)
-    props.put(KafkaConfig.AdvertisedListenersProp, listeners)
+    props.put(KafkaConfig.AdvertisedListenersProp, listeners) // explicitly 
setting it in KRaft
+    props.put(KafkaConfig.InterBrokerListenerNameProp, "SASL_SSL")
+    props.put(KafkaConfig.ControllerListenerNamesProp, "PLAINTEXT,SSL")
+    props.put(KafkaConfig.NodeIdProp, "2")
+    props.put(KafkaConfig.QuorumVotersProp, "2@localhost:9092")
+    assertBadConfigContainingMessage(props,
+      "advertised.listeners must not contain KRaft controller listeners from 
controller.listener.names when process.roles contains the broker role")
+
     // Valid now
-    assertTrue(isValidKafkaConfig(props))
+    props.put(KafkaConfig.AdvertisedListenersProp, "SASL_SSL://C:9094")
+    KafkaConfig.fromProps(props)
 
-    // Invalid now
-    props.put(KafkaConfig.ControllerListenerNamesProp, 
"PLAINTEXT,SSL,SASL_SSL")
-    assertFalse(isValidKafkaConfig(props))
+    // Also valid if we allow advertised listeners to derive from 
listeners/controller.listener.names
+    props.remove(KafkaConfig.AdvertisedListenersProp)
+    KafkaConfig.fromProps(props)
   }
 
   @Test
-  def assertEvenOneControllerListenerCannotBeAdvertised(): Unit = {
-    val props = TestUtils.createBrokerConfig(0, TestUtils.MockZkConnect, port 
= TestUtils.MockZkPort)
+  def assertAdvertisedListenersDisallowedForKRaftControllerOnlyRole(): Unit = {

Review comment:
       > do we have a test for the scenario where SSL/SASL are in use and no 
controller listener security mapping is defined 
   
   Yes, testControllerListenerNameMapsToPlaintextByDefaultForKRaft() has this 
case.
   




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

[GitHub] [kafka] rondagostino commented on a change in pull request #11503: KAFKA-13456: Tighten KRaft config checks/constraints

Reply via email to