-
Notifications
You must be signed in to change notification settings - Fork 13.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
KAFKA-2949: Make EndToEndAuthorizationTest replicated. #631
Conversation
s"zookeeper.connect=$zkConnect", | ||
s"--add", | ||
s"--group=$group", | ||
s"--operation=Read", | ||
s"--allow-principal=$kafkaPrincipalType:$clientPrincipal") | ||
def ClusterActionAcl:Set[Acl] = Set(new Acl(new KafkaPrincipal(kafkaPrincipalType, kafkaPrincipal), Allow, Acl.WildCardHost, ClusterAction)) | ||
def ClusterActionAcl = Set(new Acl(new KafkaPrincipal(kafkaPrincipalType, kafkaPrincipal), Allow, Acl.WildCardHost, ClusterAction)) | ||
def TopicBrokerReadAcl = Set(new Acl(new KafkaPrincipal(kafkaPrincipalType, kafkaPrincipal), Allow, Acl.WildCardHost, Read)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: I think there is an extra space in both lines above.
I think we should change the producer ack config so that it waits for the data to be replicated to all the brokers, at the moment it's:
|
@ijuma Testing all servers sounds better because the ACLs are propagated asynchronously via ZooKeeper, so I've made the change. It turns out that the acks configuration where you commented wasn't really doing anything. The acks mode was hardwired in IntegrationTestHarness, so I've removed it and I've let it use the default of -1. |
This PR LGTM. Regarding how IntegrationTestHarness creates the producer and consumer via |
Just to confirm: the test fails if topicBrokerReadAclArgs is not added right? |
@ijuma yes, some of the test cases are supposed to fail in the case we remove that ACL. testNoProduceAcl doesn't fail, though, because the authorization to produced is refused before anything else. Interestingly, the failure is that there aren't enough replicas available:
because it isn't possible to replicate without authorization, which we can see in the logs:
Although not an issue foe this PR, it doesn't sound like a great way to expose the problem to the application in the case ACLs haven't been properly set, but at the same time, it is not clear how much of internals we want to expose. It is worth thinking about a better way to expose these errors, though. |
Thanks @fpj, good to confirm. Good question regarding how to expose the error. Because the replication error is a server misconfiguration, my feeling is that we don't want to leak that to the clients. In that sense, NotEnoughReplicas seems fine. What I think we should do is to have a mechanism to validate the server security config (could be a tool or a start-up option, not sure). |
I'm not saying we leak it to the client, but just that the message right now gives little guidance to the client about how to solve the problem. I don't think it would be a problem to say something like "there is an authorization issue with your cluster, go talk to your admin." or something like that. But yeah, a topic for a different issue. |
Thanks for the patch. LGTM |
No description provided.