KAFKA-12394: Return TOPIC_AUTHORIZATION_FAILED in delete topic response if no describe permission
#10223
Conversation
There was a problem hiding this comment.
@hachikuji Thanks for the PR. That makes sense. I have left a meta question. Besides this, the PR looks good.
| } else if (topicIdsFromRequest.contains(topic.topicId) && !authorizedDescribeTopics(topic.name)) { | ||
| // Because the client does not have Describe permission, the name should | ||
| // not be returned in the response. | ||
| topic.setName(null) |
There was a problem hiding this comment.
I just noticed that the Name in the schema [1] used mapKey: true. I wonder if we should remove it now that Name is nullable. Usually, when we use mapKey, we expect to be able to query with the name and this is not always the case now. It seems that we don't rely on it in the admin client but we do in tests. What do you think?
There was a problem hiding this comment.
That's a good question. I agree using mapKey makes less sense now. Let me try it out. If the diff is not too bad, we can do it here. Otherwise, we can do it separately.
There was a problem hiding this comment.
We have one dependence here which makes this a little more work than I wanted to do here: https://github.com/apache/kafka/blob/trunk/core/src/main/scala/kafka/server/KafkaApis.scala#L1909. I filed a separate JIRA so that we don't forget about it: https://issues.apache.org/jira/browse/KAFKA-12395.
| assertEquals(Some(Errors.UNKNOWN_TOPIC_OR_PARTITION), lookupErrorCode("baz")) | ||
| } | ||
|
|
||
| def expectTopicAuthorization( |
There was a problem hiding this comment.
Could we simplify this method using AuthHelperTest.matchSameElements().
There was a problem hiding this comment.
I looked at doing this, but the need to preserve order in the result makes it just as cumbersome. The capture also provides some type safety and avoids the need for casting from the argument list.
There was a problem hiding this comment.
@hachikuji Thanks for your patch. a couple of comments are left. BTW, it would be better that error code can be consistent to #10184.
| // Because the client does not have Describe permission, the name should | ||
| // not be returned in the response. | ||
| topic.setName(null) | ||
| topic.setErrorCode(Errors.UNKNOWN_TOPIC_ID.code) |
There was a problem hiding this comment.
I prepared to discuss this error code on #10184 (comment) :)
return UNKNOWN_TOPIC_ID
Could you add clear error message to this response (call setErrorMessage)? I can imagine users get confusing for the error code UNKNOWN_TOPIC_ID because it presents two scenarios now (the id does not exist or you have no permission to describe topic).
return TOPIC_AUTHORIZATION_FAILED
It indicates accurate error and it can help user handle un-authorized requests. Personally, this error is more suitable :)
There was a problem hiding this comment.
I think the issue with TOPIC_AUTHORIZATION_FAILED is that we are returning a different error message than the case where the topic ID does not exists and we are implying the existence of a topic when we should not be.
There was a problem hiding this comment.
I made the comment before fully realizing how topic IDs were complicating the matter. I filed this JIRA to discuss further: https://issues.apache.org/jira/browse/KAFKA-12394. I'd suggest that we keep the current behavior in this PR and fix the small issue. It would be good to have the tests in any case.
|
Not sure whether it is possible to have a helper method to process this complicated code for both |
|
It also seems like this part of KafkaApis is completely rewritten in #10184. So maybe any changes to KafkaApis should be addressed in that PR? |
|
@hachikuji Ah sorry. I was misreading the file name. Makes sense. |
hachikuji
changed the title
DeleteTopic response if no describe permissionTOPIC_AUTHORIZATION_FAILED in delete topic response if no describe permission
There was a problem hiding this comment.
@hachikuji thanks for consolidating the exception handle. one small question is left.
| // this case with `UNKNOWN_TOPIC_ID`. | ||
| topic.setName(null) | ||
| topic.setErrorCode(Errors.TOPIC_AUTHORIZATION_FAILED.code) | ||
| } else if (!authorizedDeleteTopics.contains(topic.name)) { |
There was a problem hiding this comment.
according to #10184 (comment), should it handle the case name provided, topic missing, describable => UNKNOWN_TOPIC_OR_PARTITION?
There was a problem hiding this comment.
I guess there are really two sub-cases. Here's how they are currently handled:
name provided, topic missing, describable, deletable => UNKNOWN_TOPIC_OR_PARTITION
name provided, topic missing, describable, undeletable => TOPIC_AUTHORIZATION_FAILED
This seems defensible to me. The UNKNOWN_TOPIC_OR_PARTITION error will cause the client to retry because of the possibility of stale metadata, but it can't delete the topic anyway because of the authorization failure. It seems better to fail fast?
There was a problem hiding this comment.
This seems defensible to me. The UNKNOWN_TOPIC_OR_PARTITION error will cause the client to retry because of the possibility of stale metadata, but it can't delete the topic anyway because of the authorization failure. It seems better to fail fast?
That makes sense to me. We have to make sure this rule is applied to #10184 :)
…onse if no describe permission (#10223) We now accept topicIds in the `DeleteTopic` request. If the client principal does not have `Describe` permission, then we return `TOPIC_AUTHORIZATION_FAILED`. This is justified because the topicId is not considered sensitive. However, in this case, we should not return the name of the topic in the response since we do consider it sensitive. Reviewers: David Jacot <[email protected]>, dengziming <[email protected]>, Justine Olshan <[email protected]>, Chia-Ping Tsai <[email protected]>
* apache-github/trunk: (37 commits) KAFKA-10357: Extract setup of changelog from Streams partition assignor (apache#10163) KAFKA-10251: increase timeout for consuming records (apache#10228) KAFKA-12394; Return `TOPIC_AUTHORIZATION_FAILED` in delete topic response if no describe permission (apache#10223) MINOR: Disable transactional/idempotent system tests for Raft quorums (apache#10224) KAFKA-10766: Unit test cases for RocksDBRangeIterator (apache#9717) KAFKA-12289: Adding test cases for prefix scan in InMemoryKeyValueStore (apache#10052) KAFKA-12268: Implement task idling semantics via currentLag API (apache#10137) MINOR: Time and log producer state recovery phases (apache#10241) MINOR: correct the error message of validating uint32 (apache#10193) MINOR: Format the revoking active log output in `StreamsPartitionAssignor` (apache#10242) KAFKA-12323 Follow-up: Refactor the unit test a bit (apache#10205) MINOR: Remove stack trace of the lock exception in a debug log4j (apache#10231) MINOR: Word count should account for extra whitespaces between words (apache#10229) MINOR; Small refactor in `GroupMetadata` (apache#10236) KAFKA-10340: Proactively close producer when cancelling source tasks (apache#10016) KAFKA-12329; kafka-reassign-partitions command should give a better error message when a topic does not exist (apache#10141) KAFKA-12254: Ensure MM2 creates topics with source topic configs (apache#10217) MINOR: fix kafka-metadata-shell.sh (apache#10226) KAFKA-12374: Add missing config sasl.mechanism.controller.protocol (apache#10199) KAFKA-10101: Fix edge cases in Log.recoverLog and LogManager.loadLogs (apache#8812) ...
We now accept topicIds in the
DeleteTopicrequest. If the client principal does not haveDescribepermission, then we returnTOPIC_AUTHORIZATION_FAILED. This is justified because the topicId is not considered sensitive. However, in this case, we should not return the name of the topic in the response since it is sensitive.Committer Checklist (excluded from commit message)