Skip to content

feat(authorization): support authorization of group new consumer protocol group#3448

Merged
robobario merged 5 commits intokroxylicious:mainfrom
robobario:authz-new-consumer-protocol-group
Mar 23, 2026
Merged

feat(authorization): support authorization of group new consumer protocol group#3448
robobario merged 5 commits intokroxylicious:mainfrom
robobario:authz-new-consumer-protocol-group

Conversation

@robobario
Copy link
Copy Markdown
Member

@robobario robobario commented Mar 11, 2026
edited
Loading

Type of change

  • Enhancement / new feature

Description

  • calculate group authorizedOps on ConsumerGroupDescribe
  • require Group DESCRIBE for ConsumerGroupDescribe
  • require Group READ for ConsumerGroupHeartbeat

Closes #3442

Note: builds on top of #3476

Checklist

Please go through this checklist and make sure all applicable tasks have been done

  • PR raised from a fork of this repository and made from a branch rather than main.
  • Write tests
  • Update documentation
  • Make sure all unit/integration tests pass
  • Make sure all Sonarcloud warnings are addressed or are justifiably ignored.
  • If applicable to the change, make sure system tests pass.
  • If applicable to the change, trigger the performance test suite. Ensure that any degradations to performance numbers are understood and justified.
  • Ensure the PR references relevant issue(s) so they are closed on merging.
  • For user facing changes, update CHANGELOG.md (remember to include changes affecting the API of the test artefacts too).

NOTE: You must be a member of @kroxylicious/developers to trigger the system test and performance test suites. If you are not part of this group, comment on the PR requesting a trigger, tagging @kroxylicious/developers.

@robobario robobario requested a review from a team as a code owner March 11, 2026 04:22
@robobario
Copy link
Copy Markdown
Member Author

robobario commented Mar 11, 2026

Keith suggested in call rather than rejecting the regex when non-null, we could cap the RPC version to v0 and reject v1. This is a better solution in the interrim.

@robobario robobario force-pushed the authz-new-consumer-protocol-group branch 2 times, most recently from 90c5743 to 58d3349 Compare March 12, 2026 02:26
@robobario
Copy link
Copy Markdown
Member Author

robobario commented Mar 12, 2026

pushed up capping the ConsumerGroupHeartbeat to v0 rather than blowing up on the subscription regex.

I also added:

  • Tracing ITs for the new consumer group protocol
  • A Tracing Prog covering regex topic subscription, checking that Alice can subscribe to .* and only get records from the topic she is authorized to interact with (checking classic and new protocols).

@robobario robobario force-pushed the authz-new-consumer-protocol-group branch 2 times, most recently from 56cc36d to 873aeea Compare March 16, 2026 01:05
@robobario
Copy link
Copy Markdown
Member Author

robobario commented Mar 16, 2026
edited
Loading

I'll split out the bugfix into a separate PR to make this smaller

edit: #3476 created, I'll rebase onto that

@robobario robobario force-pushed the authz-new-consumer-protocol-group branch 4 times, most recently from a85bbf1 to 57d8c53 Compare March 20, 2026 02:37
@robobario robobario added this to the 0.20.0 milestone Mar 22, 2026
tombentley
tombentley approved these changes Mar 22, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@tombentley tombentley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @robobario

@robobario
feat(authorization): require Group READ for ConsumerGroupHeartbeat
ef27e2e 
Signed-off-by: Robert Young <robertyoungnz@gmail.com>
@robobario
feat(authorization): require Group DESCRIBE for ConsumerGroupDescribe
b97326a 
Signed-off-by: Robert Young <robertyoungnz@gmail.com>
@robobario
feat(authorization): calculate group authorizedOps on ConsumerGroupDe…
a562df5 
…scribe

When presenting the authorizedOps int (bitset for the group authorized
ops), we want to present the most restrictive authorizedOps we can,
taking into account the upstream authorizedOps and the authorizer
allowed operations.

Signed-off-by: Robert Young <robertyoungnz@gmail.com>
@robobario
Add group authz tracing tests for new consumer group protocol
b31889f 
Signed-off-by: Robert Young <robertyoungnz@gmail.com>
@robobario robobario force-pushed the authz-new-consumer-protocol-group branch from 57d8c53 to b31889f Compare March 23, 2026 00:26
@robobario
Add Changelog
5208bb7 
Signed-off-by: Robert Young <robertyoungnz@gmail.com>
@robobario robobario enabled auto-merge (rebase) March 23, 2026 00:28
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 23, 2026

Quality Gate Passed Quality Gate passed for 'Proxy Runtime'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
94.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 23, 2026

Quality Gate Passed Quality Gate passed for 'Kroxylicious Operator'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@robobario robobario merged commit abde68a into kroxylicious:main Mar 23, 2026
41 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tombentley tombentley tombentley approved these changes

Assignees

No one assigned

Labels

filter/authorization

Projects

Kroxylicious
Status: Done

Milestone

0.20.0

Development

Successfully merging this pull request may close these issues.

Extend authorization Filter to authorize groups in New Consumer Rebalance protocol

2 participants

@robobario @tombentley