KAFKA-13889: Fix AclsDelta to handle ACCESS_CONTROL_ENTRY_RECORD quickly followed by REMOVE_ACCESS_CONTROL_ENTRY_RECORD for same ACL #12160
Conversation
andymg3
force-pushed
the
KAFKA-13889
branch
3 times, most recently
from
57a6b08
to
3ef6626
Compare
| if (image.acls().containsKey(record.id())) { | ||
| changes.put(record.id(), Optional.empty()); | ||
| } else if (changes.containsKey(record.id())) { | ||
| changes.remove(record.id()); |
There was a problem hiding this comment.
Btw, the Jira mentions that we don't have "remove acl" to be idempotent. "Remove acl" is idempotent if they are process in the same batch/delta.
There was a problem hiding this comment.
Do you mind clarifying? With the exception thrown below I think ACL removal is still not idempotent. If an ACL is added, then removed, then removed again, then the exception below will be thrown as it would have been removed from the Map.
There was a problem hiding this comment.
You are correct. I missed the else if.
| } else if (changes.containsKey(record.id())) { | ||
| changes.remove(record.id()); | ||
| } else { | ||
| throw new RuntimeException("Failed to find existing ACL with ID " + record.id() + " in either image or changes"); |
There was a problem hiding this comment.
Can we throw an IllegalStateException?
There was a problem hiding this comment.
I agree that exception is more appropriate. I went with RuntimeException because thats what we throw in AclControlManager (https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/controller/AclControlManager.java#L202) when we come across a removal unexpectedly. My thought process was to be consistent. Having said that, they are two different components so I'm fine updating it here to IllegalStateException. Do you think we should throw the same exception in AclControlManager?
| @@ -61,7 +61,13 @@ public void replay(AccessControlEntryRecord record) { | |||
| } | |||
|
|
|||
| public void replay(RemoveAccessControlEntryRecord record) { | |||
There was a problem hiding this comment.
Can we document this method? Seems subtle enough to warrant documentation.
There was a problem hiding this comment.
Will add a java doc to this method.
| changes.remove(record.id()); | ||
| } else { | ||
| throw new RuntimeException("Failed to find existing ACL with ID " + record.id() + " in either image or changes"); | ||
| } |
There was a problem hiding this comment.
This comment is for:
public Map<Uuid, Optional<StandardAcl>> changes() {
return changes;
}Can we document this method? I am particularly interested on the return type. I get the impression that a value of Optional.empty should interpreted as a delete.
There was a problem hiding this comment.
That's correct and that's the existing behavior. I'll add a comment clarifying that.
| import java.util.Optional; | ||
|
|
||
| @Timeout(40) | ||
| public class AclsDeltaTest { |
There was a problem hiding this comment.
I am okay moving these test to AclImageTest. The two types are closely related. We already have "delta" tests in the "image" suite.
There was a problem hiding this comment.
Hmm yeah that's true. I guess I don't see a big downside of having a separate test class as obviously it is different to some degree. So will keep the separate test class unless you have concerns.
|
|
||
| delta.replay(inputAclRecord); | ||
| assertTrue(delta.changes().containsKey(aclId)); | ||
| assertTrue(delta.changes().get(aclId).isPresent()); |
There was a problem hiding this comment.
I think you can remove this since you are implicitly testing this in the line below.
There was a problem hiding this comment.
True but delta.changes().get(aclId) could return null in which case we'd throw a NPE which would be a bit more challenging to debug from the test logs in my view so will leave as is unless you have concerns.
There was a problem hiding this comment.
Agree but now that you have assertEquals(Optional.of(testStandardAcl()), delta.changes().get(aclId)); there shouldn't be a NPE, right?
There was a problem hiding this comment.
Good point. I think I can get rid of those two above assertions now. I just tested this with an invalid input to the Map and saw:
AclsDeltaTest > testRemovesDeleteIfNotInImage() FAILED
org.opentest4j.AssertionFailedError: expected: <Optional[StandardAcl(resourceType=ANY, resourceName=foo, patternType=ANY, principal=User:user, host=host, operation=ANY, permissionType=ANY)]> but was: <null>
So we should be safe from seeing a NPE. Will update.
| delta.replay(inputAclRecord); | ||
| assertTrue(delta.changes().containsKey(aclId)); | ||
| assertTrue(delta.changes().get(aclId).isPresent()); | ||
| assertEquals(testStandardAcl(), delta.changes().get(aclId).get()); |
There was a problem hiding this comment.
You can remove the get() and compare it against Optional.of(testStandardAcl()).
There was a problem hiding this comment.
Agree that's cleaner and it prevents NPEs if delta.changes().get(aclId) returns null
| } | ||
|
|
||
| @Test | ||
| public void testThrowsExceptionOnInvalidState() { |
There was a problem hiding this comment.
Can we also test with an AclsImage that has ACLs but for the one being removed?
| if (image.acls().containsKey(record.id())) { | ||
| changes.put(record.id(), Optional.empty()); | ||
| } else if (changes.containsKey(record.id())) { | ||
| changes.remove(record.id()); |
There was a problem hiding this comment.
You are correct. I missed the else if.
|
|
||
| delta.replay(inputAclRecord); | ||
| assertTrue(delta.changes().containsKey(aclId)); | ||
| assertTrue(delta.changes().get(aclId).isPresent()); |
There was a problem hiding this comment.
Agree but now that you have assertEquals(Optional.of(testStandardAcl()), delta.changes().get(aclId)); there shouldn't be a NPE, right?
…kly followed by REMOVE_ACCESS_CONTROL_ENTRY_RECORD for same ACL
JIRA
https://issues.apache.org/jira/browse/KAFKA-13889
Description
AclsDeltato handleACCESS_CONTROL_ENTRY_RECORDquickly followed byREMOVE_ACCESS_CONTROL_ENTRY_RECORDfor same ACLchangesMap. This could override a creation that might have just happened. This is an issue because inBrokerMetadataPublisherthis results in us making aremoveAclcall which finally results in https://github.com/apache/kafka/blob/trunk/metadata/src/main/java/org/apache/kafka/metadata/authorizer/StandardAuthorizerData.java#L203 being executed and this code throws an exception if the ACL isnt in the Map yet. If theACCESS_CONTROL_ENTRY_RECORDevent never got processed byBrokerMetadataPublisherthen the ACL wont be in the Map yet.changesMap if the ACL doesnt exist in the image yet.Testing
Committer Checklist (excluded from commit message)