KAFKA-3396 : Unauthorized topics are returned to the user#1908
KAFKA-3396 : Unauthorized topics are returned to the user#1908edoardocomar wants to merge 14 commits intoapache:trunkfrom
Conversation
There was a problem hiding this comment.
thanks for spotting that shameful oops, @ijuma . full test passes
|
Hi @ijuma all tests seem to have passed (they do locally for me) but the Jenkins build failed |
|
Thanks @edoardocomar, will take another look soon. Can you please add a note to |
There was a problem hiding this comment.
There should be no space before the :. There are a few other cases like that.
There was a problem hiding this comment.
I think the usage of INVALID_TOPIC_EXCEPTION is intentional here. One of the differences is that INVALID_TOPIC_EXCEPTION is not retriable. @granthenke, is that right?
There was a problem hiding this comment.
I think changing to a UNKNOWN_TOPIC_OR_PARTITION exception might make sense in this case. Especially if that is the behavior we are using for the other requests where a topic is not authorized and we don't want to leak the information. Consistency is always easier to reason about.
The most important thing is that the exception doesn't give any indication of whether or not the topic exists. Its behavior should the same as if the topic isn't there at all. If this exception is changed, I think the InvalidTopicException in AdminUtils may need to be changed too:
https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/admin/AdminUtils.scala#L328
|
added a note to |
docs/upgrade.html
Outdated
hachikuji
left a comment
hachikuji
left a comment
There was a problem hiding this comment.
Left a couple more comments. It's looking pretty good on the server side. However, I still do not see any checks on the client side in the offset fetch and offset commit response handlers for the UNKNOWN_TOPIC_OR_PARTITION error code. I feel it would also be helpful when we catch this error explicitly and retry internally to log a message which mentions that the user may not have Describe access. Is there any reason we shouldn't do this?
There was a problem hiding this comment.
Would it be easier to handle the logging for this case in the initial call to partition above? May as well save the redundant cache lookup and it seems possible that the cache may have changed in between the first check and this one. Another minor point: is it worthwhile checking if DEBUG is enabled prior to doing this loop?
There was a problem hiding this comment.
For discussion: Since Write access subsumes Describe, I'm wondering if it would make sense to change the order of the checks to something like this:
- Check for Write access on all topics.
- For those topics without Write access:
- If no Describe access or not exists -> UNKNOWN_TOPIC_OR_PARTITION
- Otherwise -> TOPIC_AUTHORIZATION_FAILED
The intuition is that failing Write should be the exceptional case. The one annoying thing is that you also need to check existence for topics which are authorized for Write. The fetch request handler could be done similarly since Read access also subsumes Describe.
There was a problem hiding this comment.
@ijuma Is it correct that we return TOPIC_AUTHORIZATION_FAILED here? Whether or not it's ideal, the authorization check is on the Cluster resource currently.
There was a problem hiding this comment.
That's a bit weird, isn't it? In a KIP discussion, we had said that we wanted to change it so that one would require a Create Topic instead of Create Cluster ACL for topic creation (would probably need both for compatibility), so it seems reasonable to keep throwing a TOPIC_AUTHORIZATION_FAILED here.
There was a problem hiding this comment.
Ack. I agree that this is probably better long term, even if it's a little misleading at the moment.
edoardocomar
changed the title
|
Handling UTOP in consumerCoordinator handleResponse for fetchOffset and commitOffset, with more descriptive msg |
edoardocomar
force-pushed
the
KAFKA-3396
branch
from
d18fbe1 to
5e92586
Compare
|
rebased/merged and fixed spurious test failure |
|
@ijuma the Jenkins build failed to complete again. However all tests pass locally for me |
|
I've been running system tests against this branch. There were a couple test failures, but I think they are known transient failures. I'm running again to be sure. In the meantime, I'll do another pass over the code and hopefully we can merge this today. |
Modified KafkaApis to return Errors.UNKNOWN_TOPIC_OR_PARTITION if principal has no Describe access to topic Unit tests expanded Some paths cause the client to block due to bug https://issues.apache.org/jira/browse/KAFKA-3727?filter=-2 tests work around this by executing in separate thread
- Added tests from 44ad3ec - Small refactorings
Rebased after kip-79 changes. Fixing leak of topic for LIST_OFFSETS when unauthorized. Added tests.
cleanup after review
Cleanup addressing comments
Cleanup addressing comments
Revised handling of FETCH PRODUCE and DELETE requests
oops had commented out part os a test by mistake
addressing comments: code formatting, not in upgrade.html
addressing comments: missing </li>
addressing comments: handling UTOP in ConsumerCoordinator offset fetch/commit improved logging efficiency on the server
test cleanup and fixing intermittent failure
throwing UTOP also form AdminUtils.delete
|
@hachikuji I rebased and rerun all the tests locally on my mac and they pass. |
edoardocomar
force-pushed
the
KAFKA-3396
branch
from
15d1f23 to
52232c9
Compare
|
LGTM. Merging to trunk and 0.10.1. Thanks @edoardocomar and @mimaison for the hard work (and patience) on this patch! I have some minor cleanups/improvements on the client and in testing, which I will submit in a follow-up PR. |
Reopening of #1428 Author: Edoardo Comar <ecomar@uk.ibm.com> Author: Mickael Maison <mickael.maison@gmail.com> Reviewers: Grant Henke <granthenke@gmail.com>, Ismael Juma <ismael@juma.me.uk>, Jason Gustafson <jason@confluent.io> Closes #1908 from edoardocomar/KAFKA-3396 (cherry picked from commit 8124f6e) Signed-off-by: Jason Gustafson <jason@confluent.io>
|
By the way, I changed the title. Hopefully it's reasonable. |
5 participants
Reopening of #1428