Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

KAFKA-8530; Check for topic authorization errors in OffsetFetch response #6928

Merged
merged 1 commit into from Jun 14, 2019

Conversation

@hachikuji
Copy link
Contributor

commented Jun 12, 2019

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic KafkaException. For consistency with other APIs and to fix transient test failures, we should raise TopicAuthorizationFailedException instead.

Note that this fixes some transient failures in PlaintextEndToEndAuthorizationTest.

Committer Checklist (excluded from commit message)

  • Verify design and implementation
  • Verify test coverage and CI build status
  • Verify documentation (including upgrade notes)
@ijuma
ijuma approved these changes Jun 14, 2019
Copy link
Contributor

left a comment

LGTM, thanks.

@ijuma

This comment has been minimized.

Copy link
Contributor

commented Jun 14, 2019

Out of curiosity, did you see transient test failures related to this?

@hachikuji

This comment has been minimized.

Copy link
Contributor Author

commented Jun 14, 2019

@ijuma Yes, I saw PlaintextEndToEndAuthorizationTest .testNoConsumeWithoutDescribeAclViaSubscribe fail due to this. That is how I found the problem.

@hachikuji hachikuji merged commit 8dd4fb5 into apache:trunk Jun 14, 2019

1 of 2 checks passed

JDK 8 and Scala 2.11 FAILURE 11461 tests run, 67 skipped, 0 failed.
Details
JDK 11 and Scala 2.12 SUCCESS 11475 tests run, 67 skipped, 0 failed.
Details
@ijuma

This comment has been minimized.

Copy link
Contributor

commented Jun 14, 2019

Awesome!

Pengxiaolong added a commit to Pengxiaolong/kafka that referenced this pull request Jun 14, 2019
KAFKA-8530; Check for topic authorization errors in OffsetFetch respo…
…nse (apache#6928)

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic `KafkaException`. For consistency with other APIs and to fix transient test failures in `PlaintextEndToEndAuthorizationTest`, we should raise `TopicAuthorizationFailedException` instead.

Reviewers: Ismael Juma <ismael@juma.me.uk>
jolshan added a commit to jolshan/kafka that referenced this pull request Jun 25, 2019
KAFKA-8530; Check for topic authorization errors in OffsetFetch respo…
…nse (apache#6928)

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic `KafkaException`. For consistency with other APIs and to fix transient test failures in `PlaintextEndToEndAuthorizationTest`, we should raise `TopicAuthorizationFailedException` instead.

Reviewers: Ismael Juma <ismael@juma.me.uk>
rajinisivaram added a commit that referenced this pull request Jul 16, 2019
KAFKA-8530; Check for topic authorization errors in OffsetFetch respo…
…nse (#6928)

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic `KafkaException`. For consistency with other APIs and to fix transient test failures in `PlaintextEndToEndAuthorizationTest`, we should raise `TopicAuthorizationFailedException` instead.

Reviewers: Ismael Juma <ismael@juma.me.uk>
ijuma added a commit to confluentinc/kafka that referenced this pull request Jul 16, 2019
KAFKA-8530; Check for topic authorization errors in OffsetFetch respo…
…nse (apache#6928)

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic `KafkaException`. For consistency with other APIs and to fix transient test failures in `PlaintextEndToEndAuthorizationTest`, we should raise `TopicAuthorizationFailedException` instead.

Reviewers: Ismael Juma <ismael@juma.me.uk>
ijuma added a commit to confluentinc/kafka that referenced this pull request Jul 20, 2019
Merge remote-tracking branch 'apache-github/2.3' into ccs-2.3
* apache-github/2.3:
  MINOR: Update documentation for enabling optimizations (apache#7099)
  MINOR: Remove stale streams producer retry default docs. (apache#6844)
  KAFKA-8635; Skip client poll in Sender loop when no request is sent (apache#7085)
  KAFKA-8615: Change to track partition time breaks TimestampExtractor (apache#7054)
  KAFKA-8670; Fix exception for kafka-topics.sh --describe without --topic mentioned (apache#7094)
  KAFKA-8602: Separate PR for 2.3 branch (apache#7092)
  KAFKA-8530; Check for topic authorization errors in OffsetFetch response (apache#6928)
  KAFKA-8662; Fix producer metadata error handling and consumer manual assignment (apache#7086)
  KAFKA-8637: WriteBatch objects leak off-heap memory (apache#7050)
  KAFKA-8620: fix NPE due to race condition during shutdown while rebalancing (apache#7021)
  HOT FIX: close RocksDB objects in correct order (apache#7076)
  KAFKA-7157: Fix handling of nulls in TimestampConverter (apache#7070)
  KAFKA-6605: Fix NPE in Flatten when optional Struct is null (apache#5705)
  Fixes #8198 KStreams testing docs use non-existent method pipe (apache#6678)
  KAFKA-5998: fix checkpointableOffsets handling (apache#7030)
  KAFKA-8653; Default rebalance timeout to session timeout for JoinGroup v0 (apache#7072)
  KAFKA-8591; WorkerConfigTransformer NPE on connector configuration reloading (apache#6991)
  MINOR: add upgrade text (apache#7013)
  Bump version to 2.3.1-SNAPSHOT
xiowu0 added a commit to linkedin/kafka that referenced this pull request Aug 22, 2019
[LI-CHERRY-PICK] [426f4c7] KAFKA-8530; Check for topic authorization …
…errors in OffsetFetch response (apache#6928)

TICKET = KAFKA-8530
LI_DESCRIPTION =
EXIT_CRITERIA = HASH [426f4c7]
ORIGINAL_DESCRIPTION =

The OffsetFetch requires Topic Describe permission. If a client does not have this, we return TOPIC_AUTHORIZATION_FAILED at the partition level. Currently the consumer does not handle this error explicitly, but raises it as a generic `KafkaException`. For consistency with other APIs and to fix transient test failures in `PlaintextEndToEndAuthorizationTest`, we should raise `TopicAuthorizationFailedException` instead.

Reviewers: Ismael Juma <ismael@juma.me.uk>
(cherry picked from commit 426f4c7)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.