kafka-commits mailing list archives

From maniku...@apache.org
Subject [kafka] branch trunk updated: KAFKA-7752: Add "/kafka-acl-extended" zk node path to secure root paths
Date Fri, 04 Jan 2019 10:46:14 GMT
This is an automated email from the ASF dual-hosted git repository.

manikumar pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/trunk by this push:
     new eb9ca17  KAFKA-7752: Add "/kafka-acl-extended" zk node path to secure root paths
eb9ca17 is described below

commit eb9ca17a7ed6602c363fe1f77f5b98f2915f2c31
Author: Attila Sasvari <asasvari@apache.org>
AuthorDate: Fri Jan 4 16:15:40 2019 +0530

    KAFKA-7752: Add "/kafka-acl-extended" zk node path to secure root paths
    
    - This commit sets ACL on /kafka-acl-extended
    - Extended ZkAuthorizationTest to check ACL on /kafka-acl-extended
    - Using zookeeper-security-migration.sh tool on a Kerberized test cluster, I verified
the changes: secured and unsecured Kafka znodes and examined ACL on /kafka-acl-extended with
zookeeper client
    
    Author: Attila Sasvari <asasvari@apache.org>
    
    Reviewers: Manikumar Reddy <manikumar.reddy@gmail.com>, Andras Katona <41361962+akatona84@users.noreply.github.com>
    
    Closes #6072 from asasvari/KAFKA-7752
---
 core/src/main/scala/kafka/zk/ZkData.scala                        | 9 +++++++--
 .../scala/unit/kafka/security/auth/ZkAuthorizationTest.scala     | 3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/core/src/main/scala/kafka/zk/ZkData.scala b/core/src/main/scala/kafka/zk/ZkData.scala
index ed687cb..f8ad5ea 100644
--- a/core/src/main/scala/kafka/zk/ZkData.scala
+++ b/core/src/main/scala/kafka/zk/ZkData.scala
@@ -532,11 +532,15 @@ class ExtendedAclStore(val patternType: PatternType) extends ZkAclStore
{
   if (patternType == PatternType.LITERAL)
     throw new IllegalArgumentException("Literal pattern types are not supported")
 
-  val aclPath: String = s"/kafka-acl-extended/${patternType.name.toLowerCase}"
+  val aclPath: String = s"${ExtendedAclZNode.path}/${patternType.name.toLowerCase}"
 
   def changeStore: ZkAclChangeStore = ExtendedAclChangeStore
 }
 
+object ExtendedAclZNode {
+  def path = "/kafka-acl-extended"
+}
+
 trait AclChangeNotificationHandler {
   def processNotification(resource: Resource): Unit
 }
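Review bot: The new `ExtendedAclZNode` object carries no comment saying why the store root needs an entry of its own, and `path` has no declared type. ZooKeeper ACLs are set per znode and are not inherited, so securing the znodes under `aclPath` leaves the root with whatever ACL it was created with unless it is handled separately. A comment such as `// Root of the extended ACL store; listed with the secure root paths in ZkData because ZooKeeper ACLs are not inherited.` would record that. Since this is a public member, I would also write `def path: String = "/kafka-acl-extended"`.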
@@ -720,7 +724,8 @@ object ZkData {
     IsrChangeNotificationZNode.path,
     ProducerIdBlockZNode.path,
     LogDirEventNotificationZNode.path,
-    DelegationTokenAuthZNode.path) ++ ZkAclStore.securePaths
+    DelegationTokenAuthZNode.path,
+    ExtendedAclZNode.path) ++ ZkAclStore.securePaths
 
   // These are persistent ZK paths that should exist on kafka broker startup.
   val PersistentZkPaths = Seq(
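Review bot: Nothing here guards against the next omission of this kind: the extended ACL root had to be appended by hand even though `ZkAclStore.securePaths` is already concatenated onto the list. Presumably `securePaths` returns only the per-pattern-type and change-notification paths; if so, returning the store root from there as well would keep every ACL-store path in one place. A unit test that takes each path in the resulting sequence and asserts that every ancestor below `/` is also covered would catch a missing parent before it reaches a secured cluster. The sequence's definition starts above the hunk, so its name and any existing comment are not visible here.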
diff --git a/core/src/test/scala/unit/kafka/security/auth/ZkAuthorizationTest.scala b/core/src/test/scala/unit/kafka/security/auth/ZkAuthorizationTest.scala
index de5ae22..cc84555 100644
--- a/core/src/test/scala/unit/kafka/security/auth/ZkAuthorizationTest.scala
+++ b/core/src/test/scala/unit/kafka/security/auth/ZkAuthorizationTest.scala
@@ -30,7 +30,6 @@ import org.junit.{After, Before, Test}
 
 import scala.util.{Failure, Success, Try}
 import javax.security.auth.login.Configuration
-
 import kafka.api.ApiVersion
 import kafka.cluster.{Broker, EndPoint}
 import org.apache.kafka.common.network.ListenerName
@@ -250,6 +249,8 @@ class ZkAuthorizationTest extends ZooKeeperTestHarness with Logging {
     // Check consumers path.
     val consumersAcl = firstZk.getAcl(ConsumerPathZNode.path)
     assertTrue(ConsumerPathZNode.path, isAclCorrect(consumersAcl, false, false))
+    assertTrue("/kafka-acl-extended", isAclCorrect(firstZk.getAcl("/kafka-acl-extended"),
secondZk.secure,
+      ZkData.sensitivePath(ExtendedAclZNode.path)))
   }
 
   /**
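Review bot: The added assertion spells the znode as the literal `"/kafka-acl-extended"` twice, once for the failure message and once for `getAcl`, while its last argument already uses `ExtendedAclZNode.path`. If the constant ever changes, the test would fetch the ACL of one znode and classify another. Use the constant throughout: `val extendedAcl = firstZk.getAcl(ExtendedAclZNode.path)` followed by `assertTrue(ExtendedAclZNode.path, isAclCorrect(extendedAcl, secondZk.secure, ZkData.sensitivePath(ExtendedAclZNode.path)))`. The ACL is read through `firstZk` but the expected mode comes from `secondZk.secure`, unlike the consumers check just above, which passes literals; a one-line comment explaining that choice would help. The enclosing test method begins above the hunk.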

