Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
jolshan merged PR #15837: URL: https://github.com/apache/kafka/pull/15837 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
jolshan commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1594302492 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging { () => kafkaApis.handleWriteTxnMarkersRequest(null, RequestLocal.withThreadConfinedCaching)) } + @Test + def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): Unit = { Review Comment: Did we make this modification? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
jolshan commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1594302111 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -3036,15 +3061,32 @@ class KafkaApisTest extends Logging { assertEquals(expectedErrors, markersResponse.errorsByProducerId.get(1L)) } - @Test - def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = { + @ParameterizedTest + @ValueSource(strings = Array("ALTER", "CLUSTER_ACTION")) + def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(allowedAclOperation: String): Unit = { val topicPartition = new TopicPartition("t", 0) val request = createWriteTxnMarkersRequest(asList(topicPartition))._2 when(replicaManager.getMagic(topicPartition)) .thenReturn(Some(RecordBatch.MAGIC_VALUE_V2)) val requestLocal = RequestLocal.withThreadConfinedCaching -kafkaApis = createKafkaApis() + +// Allowing WriteTxnMarkers API with the help of AlterCluster ACL. Review Comment: nit: should we include both acls? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
sidyag commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1593693523 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -3037,14 +3062,71 @@ class KafkaApisTest extends Logging { } @Test - def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = { + def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion_allowedWithAlterCluster(): Unit = { Review Comment: Made the changes. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
jolshan commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1593105981 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -3037,14 +3062,71 @@ class KafkaApisTest extends Logging { } @Test - def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion(): Unit = { + def shouldAppendToLogOnWriteTxnMarkersWhenCorrectMagicVersion_allowedWithAlterCluster(): Unit = { Review Comment: nit: we typically don't use underscores in method names like this. Can we stick to camel case here? Also can we parameterize this test? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
jolshan commented on PR #15837: URL: https://github.com/apache/kafka/pull/15837#issuecomment-2098727340 Sorry I was out of town (at KSB). I will try to take a look today, but thanks Luke for approving as well :) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
sidyag commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1592106849 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging { () => kafkaApis.handleWriteTxnMarkersRequest(null, RequestLocal.withThreadConfinedCaching)) } + @Test + def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): Unit = { Review Comment: That is the happy case path verified by existing tests. As mocks are not present there, by default the CLUSTER_ACTION check doesn't throw an exception, and the ALTER check returns false. I can modify the existing tests to make that explicit and duplicate it to test for the second scenario. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
sidyag commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1592106849 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging { () => kafkaApis.handleWriteTxnMarkersRequest(null, RequestLocal.withThreadConfinedCaching)) } + @Test + def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): Unit = { Review Comment: That is the happy case path verified by existing tests. As mocks are not present there, by default the CLUSTER_ACTION check doesn't throw an exception, and the ALTER check returns false. I can modify the existing tests to make that explicit. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
showuon commented on code in PR #15837: URL: https://github.com/apache/kafka/pull/15837#discussion_r1591749069 ## core/src/test/scala/unit/kafka/server/KafkaApisTest.scala: ## @@ -2822,6 +2822,31 @@ class KafkaApisTest extends Logging { () => kafkaApis.handleWriteTxnMarkersRequest(null, RequestLocal.withThreadConfinedCaching)) } + @Test + def requiredAclsNotPresentWriteTxnMarkersThrowsAuthorizationException(): Unit = { Review Comment: For this test, it can pass without this change. Maybe we need a test to verify it won't throw exception when alter cluster is allowed, and clusterAction is denied, it won't throw exception. WDYT? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
sidyag commented on PR #15837: URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088272313 > The only comment is that we should update 1) the documentation in docs/security.html#operations_resources_and_protocols to mention this change 2) the release notes of 3.8 once they are created. I am happy for 1) to be done either as part of this pull request or as a follow-up one 😊 I have added the documentation in docs/security.html#operations_resources_and_protocols -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
clolov commented on PR #15837: URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088221738 I looked over the failures in the build, but the test failures appear to be unrelated to this change -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
clolov commented on PR #15837: URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088220856 Heya @jolshan since you cast a vote on the KIP would you have some time to review this pull request as well? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
clolov commented on PR #15837: URL: https://github.com/apache/kafka/pull/15837#issuecomment-2088220267 The only comment is that we should update 1) the documentation in docs/security.html#operations_resources_and_protocols to mention this change 2) the release notes of 3.8 once they are created. I am happy for 1) to be done either as part of this pull request or as a follow-up one 😊 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
[PR] Allowing WriteTxnMarkers API to run with AlterCluster permissions [kafka]
sidyag opened a new pull request, #15837: URL: https://github.com/apache/kafka/pull/15837 Allowing WriteTxnMarkers API to run with AlterCluster permissions https://issues.apache.org/jira/browse/KAFKA-16513 https://cwiki.apache.org/confluence/display/KAFKA/KIP-1037%3A+Allow+WriteTxnMarkers+API+with+Alter+Cluster+Permission *More detailed description of your change, if necessary. The PR title and PR message become the squashed commit message, so use a separate comment to ping reviewers.* *Summary of testing strategy (including rationale) for the feature or bug fix. Unit and/or integration tests are expected for any behaviour change and system tests should be considered for larger changes.* ### Committer Checklist (excluded from commit message) - [ ] Verify design and implementation - [ ] Verify test coverage and CI build status - [ ] Verify documentation (including upgrade notes) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org