Posted to commits@kafka.apache.org by rs...@apache.org on 2018/07/20 19:35:17 UTC
[kafka] branch trunk updated: KAFKA-7185: Allow empty resource name
when matching ACLs (#5400)
This is an automated email from the ASF dual-hosted git repository.
rsivaram pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git
The following commit(s) were added to refs/heads/trunk by this push:
new 9449f05 KAFKA-7185: Allow empty resource name when matching ACLs (#5400)
9449f05 is described below
commit 9449f055c7a0b340a8d69d7365c5817464b2f6ed
Author: Dhruvil Shah <dh...@confluent.io>
AuthorDate: Fri Jul 20 12:35:12 2018 -0700
KAFKA-7185: Allow empty resource name when matching ACLs (#5400)
Reviewers: Ismael Juma <is...@juma.me.uk>, Rajini Sivaram <ra...@googlemail.com>
---
.../scala/kafka/security/auth/SimpleAclAuthorizer.scala | 2 +-
.../unit/kafka/security/auth/SimpleAclAuthorizerTest.scala | 13 +++++++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
index 5535258..e77656d 100644
--- a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
+++ b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
@@ -238,7 +238,7 @@ class SimpleAclAuthorizer extends Authorizer with Logging {
val prefixed = aclCache.range(
Resource(resourceType, resourceName, PatternType.PREFIXED),
- Resource(resourceType, resourceName.substring(0, 1), PatternType.PREFIXED)
+ Resource(resourceType, resourceName.take(1), PatternType.PREFIXED)
)
.filterKeys(resource => resourceName.startsWith(resource.name))
.flatMap { case (resource, versionedAcls) => versionedAcls.acls }
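Review bot: The upper bound of the `aclCache.range(...)` call now uses `resourceName.take(1)` with no comment explaining why, and the difference from `substring(0, 1)` only shows up for an empty name, so it is easy to revert by accident. I would add above the range call `// take(1), not substring(0, 1): resourceName can be empty (e.g. an empty group id) and substring would throw during authorization`. With an empty name both bounds are the same key, so the range presumably comes back empty and no prefixed ACL is considered. That is the right outcome for an authorizer, but it is worth stating because the cache's ordering is defined outside this hunk. The enclosing method starts and ends outside the hunk.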
diff --git a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
index 5b65a7f..5461413 100644
--- a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
+++ b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
@@ -93,6 +93,19 @@ class SimpleAclAuthorizerTest extends ZooKeeperTestHarness {
}
@Test
+ def testAuthorizeWithEmptyResourceName(): Unit = {
+ assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Group, "", LITERAL)))
+ simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, WildCardResource, LITERAL))
+ assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Group, "", LITERAL)))
+ }
+
+ // Authorizing the empty resource is not supported because we create a znode with the resource name.
+ @Test(expected = classOf[IllegalArgumentException])
+ def testEmptyAclThrowsException(): Unit = {
+ simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, "", LITERAL))
+ }
+
+ @Test
def testTopicAcl() {
val user1 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, username)
val user2 = new KafkaPrincipal(KafkaPrincipal.USER_TYPE, "rob")
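Review bot: `testAuthorizeWithEmptyResourceName` only checks the wildcard LITERAL path, so nothing pins the behaviour the main change touches, namely that a PREFIXED ACL never grants access to the empty name. I would add, before the wildcard ACL is installed, `simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Group, "a", PREFIXED))` followed by `assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Group, "", LITERAL)))`. The prefix `"a"` is a constructed sample, and `PREFIXED` is assumed to be importable here as `LITERAL` is. Separately, the comment above `testEmptyAclThrowsException` says "Authorizing the empty resource is not supported", but the test exercises `addAcls`. The wording `// Adding ACLs for an empty resource name is not supported because the name becomes a znode name.` would match what is tested.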