KAFKA-7010: Rename ResourceNameType to PatternType #5205
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
junrao
reviewed
Jun 12, 2018
There was a problem hiding this comment.
@big-andy-coates : Thanks for the patch. LGTM. Just a few minor comments below.
| */ | ||
| ANY((byte) 1), | ||
|
|
||
| /** | ||
| * In a filter, matches any resource pattern type. |
There was a problem hiding this comment.
Hmm, this has to be different from the comment for ANY?
There was a problem hiding this comment.
Classic cut & paste error - how embarrassing. :)
| @@ -345,11 +346,11 @@ object AclCommand extends Logging { | |||
| .describedAs("delegation-token") | |||
| .ofType(classOf[String]) | |||
|
|
|||
| val resourceNameType = parser.accepts("resource-name-type", "The type of the resource name, or any.") | |||
| val resourcePatternType = parser.accepts("resource-pattern-type", "The type of the resource pattern, or any.") | |||
There was a problem hiding this comment.
We want to add MATCH in the description and explain its meaning.
There was a problem hiding this comment.
Added more detail
docs/security.html
Outdated
| <li><b>Prefixed</b> Match any resource whose name starts with the prefix.</li> | ||
| <li><b>All</b> (list|remove only) Matching any name type, including the Wildcard name.</li> | ||
| <li><b>Literal (default):</b> a pattern that only matches a resource if the name is an exact match, or, in the case of the Wildcard name '*', matches all resources. | ||
| All operations, (add, remove, list), will only affect or return acls on literal resource patterns with the exact supplied name. |
There was a problem hiding this comment.
Erm... yes...?
Happy to replace if you can word it better :D
docs/security.html
Outdated
| All operations, (add, remove, list), will only affect or return acls on literal resource patterns with the exact supplied name. | ||
| </li> | ||
| <li><b>Prefixed:</b> a pattern that will match a resource whose name starts with the supplied name. | ||
| All operations, (add, remove, list), will only affect or return acls on prefixed resource patterns with the exact supplied name. |
There was a problem hiding this comment.
As above, yes.
docs/security.html
Outdated
| </li> | ||
| <li><b>Prefixed:</b> a pattern that will match a resource whose name starts with the supplied name. | ||
| All operations, (add, remove, list), will only affect or return acls on prefixed resource patterns with the exact supplied name. | ||
| <li><b>All</b> (list|remove only) |
There was a problem hiding this comment.
Any - updated.
There was a problem hiding this comment.
Should this be MATCH, as per our earlier discussion?
cmccabe
reviewed
Jun 13, 2018
| * Version 1 adds RESOURCE_NAME_TYPE. | ||
| * Also, when the quota is violated, brokers will respond to a version 1 or later request before throttling. | ||
| * Version 1 adds RESOURCE_PATTERN_TYPE, to support more than just literal resource patterns. | ||
| * For more info, see {@link PatternType}. |
There was a problem hiding this comment.
Does the JavaDoc work without the full class path?
There was a problem hiding this comment.
Unlike ScalaDoc, yes, as long as the type is imported, which it is.
cmccabe
reviewed
Jun 13, 2018
| */ | ||
| UNKNOWN((byte) 0), | ||
|
|
||
| /** | ||
| * In a filter, matches any resource name type. | ||
| * In a filter, matches any resource pattern type. | ||
| */ | ||
| ANY((byte) 1), |
There was a problem hiding this comment.
We should rename this to "MATCH" as per our earlier discussion, since its behavior doesn't match the other "ANY" fields
There was a problem hiding this comment.
MATCH is the next one down.
|
Hi @junrao, @cmccabe, I've pushed changes, as requested by @junrao, and also spent some time overhauling Let me know what you think, or merge if you're happy. |
|
Test failure is unrelated |
junrao
approved these changes
Jun 14, 2018
There was a problem hiding this comment.
@big-andy-coates : Thanks for the updated PR. LGTM. Just a few minor typos listed below.
| @@ -345,11 +346,16 @@ object AclCommand extends Logging { | |||
| .describedAs("delegation-token") | |||
| .ofType(classOf[String]) | |||
|
|
|||
| val resourceNameType = parser.accepts("resource-name-type", "The type of the resource name, or any.") | |||
| val resourcePatternType = parser.accepts("resource-pattern-type", "The type of the resource pattern or pattern filter. " + | |||
| "When adding acls, this should a specific pattern type, e.g. 'literal' or 'prefixed'. " + | |||
There was a problem hiding this comment.
this should a =>this should be a
| val resourceNameType = parser.accepts("resource-name-type", "The type of the resource name, or any.") | ||
| val resourcePatternType = parser.accepts("resource-pattern-type", "The type of the resource pattern or pattern filter. " + | ||
| "When adding acls, this should a specific pattern type, e.g. 'literal' or 'prefixed'. " + | ||
| "When listing or removing acls, a specific pattern type can be used to remove acls from specific resource patterns, " + |
There was a problem hiding this comment.
to remove => to list or remove ?
docs/security.html
Outdated
| @@ -1009,7 +1009,7 @@ <h3><a id="security_sasl" href="#security_sasl">7.3 Authentication using SASL</a | |||
| <h3><a id="security_authz" href="#security_authz">7.4 Authorization and ACLs</a></h3> | |||
| Kafka ships with a pluggable Authorizer and an out-of-box authorizer implementation that uses zookeeper to store all the acls. The Authorizer is configured by setting <code>authorizer.class.name</code> in server.properties. To enable the out of the box implementation use: | |||
| <pre>authorizer.class.name=kafka.security.auth.SimpleAclAuthorizer</pre> | |||
| Kafka acls are defined in the general format of "Principal P is [Allowed/Denied] Operation O From Host H On Resource R". You can read more about the acl structure on KIP-11. In order to add, remove or list acls you can use the Kafka authorizer CLI. By default, if a Resource R has no associated acls, no one other than super users is allowed to access R. If you want to change that behavior, you can include the following in server.properties. | |||
| Kafka acls are defined in the general format of "Principal P is [Allowed/Denied] Operation O From Host H On Any Resoure R matching ResourcePattern RP". You can read more about the acl structure in KIP-11 and resource patterns in KIP-290. In order to add, remove or list acls you can use the Kafka authorizer CLI. By default, if no ResourcePatterns match a specific Resource R, then R has no associated acls, and therefore no one other than super users is allowed to access R. If you want to change that behavior, you can include the following in server.properties. | |||
docs/security.html
Outdated
| @@ -1070,31 +1070,30 @@ <h4><a id="security_authz_cli" href="#security_authz_cli">Command Line Interface | |||
| </tr> | |||
| <tr> | |||
| <td>--cluster</td> | |||
| <td>Specifies cluster as resource.</td> | |||
| <td>Indicates to the script tha the user is trying to interact with acls on the singular cluster resource.</td> | |||
docs/security.html
Outdated
| </tr> | ||
| <tr> | ||
| <td>--topic [topic-name]</td> | ||
| <td>Specifies the topic as resource.</td> | ||
| <td>Indicates to the script tha the user is trying to interact with acls on topic resource pattern(s).</td> |
docs/security.html
Outdated
| You can add acls on any resource of a certain type, e.g. suppose you wanted to add an acl "Principal User:Peter is allowed to produce to any Topic from IP 198.51.200.0" | ||
| You can do that by using the wildcard resource '*', e.g. by executing the CLI with following options: | ||
| <pre class="brush: bash;">bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --add --allow-principal User:Peter --allow-host 198.51.200.1 --producer --topic *</pre> | ||
| You can add acls on resources matching a certain prefix, e.g. suppose you want to add an acl "Principal User:Jane is allowed to produce to any Topic whose name is prefixed with 'Test-' from any host". | ||
| You can add acls on prefixed resource patterns, e.g. suppose you want to add an acl "Principal User:Jane is allowed to produce to any Topic whose name is starts with 'Test-' from any host". |
docs/security.html
Outdated
| <pre class="brush: bash;">bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic *</pre> | ||
| However, it is not necessarily possible to explicitly query for acls on prefixed resource patterns that match Test-topic as the name of such patterns may not be known. | ||
| We can list <i>all</i> acls affecting Test-topic by using '--resource-pattern-type match', e.g. | ||
| <pre class="brush: bash;">bin/kafka-acls.sh --authorizer-properties zookeeper.connect=localhost:2181 --list --topic Test-topic --resource-pattern-type any</pre> |
There was a problem hiding this comment.
--resource-pattern-type any => --resource-pattern-type match
|
test this please |
junrao
pushed a commit
that referenced
this pull request
Jun 14, 2018
The initial PR for KIP-290 #5117 added a new `ResourceNameType`, which was initially a field on `Resource` and `ResourceFilter`. However, follow on PRs have now moved the name type fields to new `ResourcePattern` and `ResourcePatternFilter` classes. This means the old name is no longer valid and may be confusing. The PR looks to rename the class to a more intuitive `resource.PatternType`. @cmccabe also requested that the current `ANY` value for this class be renamed to avoid confusion. `PatternType.ANY` currently causes `ResourcePatternFilter` to bring back all ACLs that would affect the supplied resource, i.e. it brings back literal, wildcard ACLs, and also does pattern matching to work out which prefix acls would affect the resource. This is very different from the behaviour of `ResourceType.ANY`, which just means the filter ignores the type of resources. `ANY` is to be renamed to `MATCH` to disambiguate it from other `ANY` filter types. A new `ANY` will be added that works in the same way as others, i.e. it will cause the filter to ignore the pattern type, (but won't do any pattern matching). Reviewers: Colin Patrick McCabe <colin@cmccabe.xyz>, Jun Rao <junrao@gmail.com>
ying-zheng
pushed a commit
to ying-zheng/kafka
that referenced
this pull request
Jul 6, 2018
The initial PR for KIP-290 apache#5117 added a new `ResourceNameType`, which was initially a field on `Resource` and `ResourceFilter`. However, follow on PRs have now moved the name type fields to new `ResourcePattern` and `ResourcePatternFilter` classes. This means the old name is no longer valid and may be confusing. The PR looks to rename the class to a more intuitive `resource.PatternType`. @cmccabe also requested that the current `ANY` value for this class be renamed to avoid confusion. `PatternType.ANY` currently causes `ResourcePatternFilter` to bring back all ACLs that would affect the supplied resource, i.e. it brings back literal, wildcard ACLs, and also does pattern matching to work out which prefix acls would affect the resource. This is very different from the behaviour of `ResourceType.ANY`, which just means the filter ignores the type of resources. `ANY` is to be renamed to `MATCH` to disambiguate it from other `ANY` filter types. A new `ANY` will be added that works in the same way as others, i.e. it will cause the filter to ignore the pattern type, (but won't do any pattern matching). Reviewers: Colin Patrick McCabe <colin@cmccabe.xyz>, Jun Rao <junrao@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix for KAFKA-7010.
The initial PR for KIP-290 #5117 added a new
ResourceNameType, which was initially a field onResourceandResourceFilter. However, follow on PRs have now moved the name type fields to newResourcePatternandResourcePatternFilterclasses. This means the old name is no longer valid and may be confusing. The PR looks to rename the class to a more intuitiveresource.PatternType.@cmccabe also requested that the current
ANYvalue for this class be renamed to avoid confusion.PatternType.ANYcurrently causesResourcePatternFilterto bring back all ACLs that would affect the supplied resource, i.e. it brings back literal, wildcard ACLs, and also does pattern matching to work out which prefix acls would affect the resource. This is very different from the behaviour ofResourceType.ANY, which just means the filter ignores the type of resources.ANYis to be renamed toMATCHto disambiguate it from otherANYfilter types. A newANYwill be added that works in the same way as others, i.e. it will cause the filter to ignore the pattern type, (but won't do any pattern matching).cc @junrao
Committer Checklist (excluded from commit message)