Hi Claude,

`authorizeByResourceType` doesn't grant access to any specific topic, it grants access to idempotent write if the user has access to write to any topic (which may or may not exist). In this case, ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true", so `User:alice` can write to a topic that doesn't start with `foo` and hence `authorizeByResourceType` should be ALLOWED. What was the behaviour you observed?

Regards,

Rajini

On Tue, Sep 3, 2024 at 12:22 PM Claude Warren <cla...@xenei.com> wrote:

> *Setup:*
> Superuser = "User:superman"
>
> ACLs added to system
> new StandardAcl(TOPIC, "foo", PREFIXED, "User:alice", WILDCARD, READ, DENY)
> new StandardAcl(TOPIC, "foobar", LITERAL, "User:alice", WILDCARD, READ, ALLOW)
> new StandardAcl(TOPIC, "foo", PREFIXED, "User:bob", WILDCARD, READ, ALLOW)
>
> ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true"
>
> AuthorizerContext requestContext = MockAuthorizableRequestContext with
> principal = User:alice
> host = InetAddress.getLocalHost()
>
> *Method Call:*
>
> authorizer.authorizeByResourceType(requestContext, READ, TOPIC)
>
> *Question:*
>
> Should the result be true because there is a LITERAL READ ALLOW on "foobar"
> or should the result be false because there is an overriding PREFIXED READ
> DENY on "foo"?
>
> --
> LinkedIn: http://www.linkedin.com/in/claudewarren
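
Added example, not part of the original thread and not Kafka's code: a simplified Python model of the "access to any topic, existing or not" semantics described in the reply, run against the ACLs from the quoted question. The `Acl` class and both functions are hypothetical names; the model assumes DENY takes precedence over ALLOW, that "no ACL found" means no ACL of any principal covers the topic, and it covers only READ on TOPIC from any host.

```python
from dataclasses import dataclass
from string import ascii_lowercase

@dataclass(frozen=True)
class Acl:  # simplified stand-in for StandardAcl: TOPIC resource, READ, any host
    name: str
    pattern: str      # "LITERAL" or "PREFIXED"
    principal: str
    permission: str   # "ALLOW" or "DENY"

    def covers(self, topic: str) -> bool:
        if self.pattern == "PREFIXED":
            return topic.startswith(self.name)
        return self.name in ("*", topic)  # LITERAL "*" is the wildcard resource

def authorize(acls, principal, topic, allow_if_no_acl):
    """READ decision for one topic name (assumed rule: DENY beats ALLOW)."""
    on_topic = [a for a in acls if a.covers(topic)]
    if not on_topic:                      # no ACL of any principal covers it
        return allow_if_no_acl
    mine = [a for a in on_topic if a.principal in (principal, "User:*")]
    if any(a.permission == "DENY" for a in mine):
        return False
    return any(a.permission == "ALLOW" for a in mine)

def authorize_by_resource_type(acls, principal, allow_if_no_acl):
    """True if some topic name, existing or not, would be readable."""
    candidates = [a.name for a in acls if a.name != "*"]
    # Add one witness that no ACL covers, if a one-letter name is free.
    # This search is a heuristic: sound when it finds a name, not exhaustive.
    free = next((c for c in ascii_lowercase
                 if not any(a.covers(c) for a in acls)), None)
    if free is not None:
        candidates.append(free)
    return any(authorize(acls, principal, t, allow_if_no_acl) for t in candidates)

# The ACLs from the quoted question (host and operation omitted: WILDCARD, READ).
ACLS = [
    Acl("foo", "PREFIXED", "User:alice", "DENY"),
    Acl("foobar", "LITERAL", "User:alice", "ALLOW"),
    Acl("foo", "PREFIXED", "User:bob", "ALLOW"),
]

if __name__ == "__main__":
    for flag in (True, False):
        print("allow-if-no-acl =", flag,
              "| alice by type:", authorize_by_resource_type(ACLS, "User:alice", flag),
              "| alice on foobar:", authorize(ACLS, "User:alice", "foobar", flag))
```

In this model the by-type result for `User:alice` comes from a topic outside the `foo` prefix, not from the LITERAL ALLOW on `foobar`, so it changes when the allow-if-no-ACL setting is turned off.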