[GitHub] [kafka] showuon commented on a change in pull request #9789: KAFKA-10891:The control plane needs to force the validation of requests from the controller

[GitBox <gi...@apache.org>]

showuon commented on a change in pull request #9789:
URL: https://github.com/apache/kafka/pull/9789#discussion_r550064975



##########
File path: core/src/main/scala/kafka/network/SocketServer.scala
##########
@@ -988,60 +994,72 @@ private[kafka] class Processor(val id: Int,
     }
   }
 
+  private def isControlRequest(header: RequestHeader): Boolean = {
+    header.apiKey() match {
+      case ApiKeys.LEADER_AND_ISR | ApiKeys.STOP_REPLICA | ApiKeys.UPDATE_METADATA | ApiKeys.CONTROLLED_SHUTDOWN => true
+      case _ => false
+    }
+  }
+
   private def processCompletedReceives(): Unit = {
     selector.completedReceives.forEach { receive =>
       try {
         openOrClosingChannel(receive.source) match {
           case Some(channel) =>
             val header = parseRequestHeader(receive.payload)
-            if (header.apiKey == ApiKeys.SASL_HANDSHAKE && channel.maybeBeginServerReauthentication(receive,
-              () => time.nanoseconds()))
-              trace(s"Begin re-authentication: $channel")
-            else {
-              val nowNanos = time.nanoseconds()
-              if (channel.serverAuthenticationSessionExpired(nowNanos)) {
-                // be sure to decrease connection count and drop any in-flight responses
-                debug(s"Disconnecting expired channel: $channel : $header")
-                close(channel.id)
-                expiredConnectionsKilledCount.record(null, 1, 0)
-              } else {
-                val connectionId = receive.source
-                val context = new RequestContext(header, connectionId, channel.socketAddress,
-                  channel.principal, listenerName, securityProtocol,
-                  channel.channelMetadataRegistry.clientInformation, isPrivilegedListener, channel.principalSerde)
-
-                var req = new RequestChannel.Request(processor = id, context = context,
-                  startTimeNanos = nowNanos, memoryPool, receive.payload, requestChannel.metrics, None)
-
-                if (req.header.apiKey == ApiKeys.ENVELOPE) {
-                  // Override the request context with the forwarded request context.
-                  // The envelope's context will be preserved in the forwarded context
-
-                  req = parseForwardedPrincipal(req, channel.principalSerde.asScala) match {
-                    case Some(forwardedPrincipal) =>
-                      buildForwardedRequestContext(req, forwardedPrincipal)
-
-                    case None =>
-                      val envelopeResponse = new EnvelopeResponse(Errors.PRINCIPAL_DESERIALIZATION_FAILURE)
-                      sendEnvelopeResponse(req, envelopeResponse)
-                      null
+            if (isControlPlane && !isControlRequest(header)) {
+              info(s"Current plane is control plan, disconnecting non controller channel: $channel : $header")

Review comment:
       typo: control plane




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org