I am working on a replacement for the StandardAuthorizer and my implementation DENIED while the standard implementation ALLOWED. In reading the specs I thought it should be DENIED. But your statement makes it clear that I misread.
Thank you,
Claude

On Tue, Sep 3, 2024 at 1:14 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:

> Hi Claude,
>
> `authorizeByResourceType` doesn't grant access to any specific topic, it
> grants access to idempotent write if the user has access to write to any
> topic (which may or may not exist). In this case,
> ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true", so `User:alice` can
> write to a topic that doesn't start with `foo` and hence
> `authorizeByResourceType` should be ALLOWED. What was the behaviour you
> observed?
>
> Regards,
>
> Rajini
>
>
> On Tue, Sep 3, 2024 at 12:22 PM Claude Warren <cla...@xenei.com> wrote:
>
> > *Setup:*
> > Superuser = "User:superman"
> >
> > ACLs added to system
> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:alice", WILDCARD, READ, DENY)
> > new StandardAcl(TOPIC, "foobar", LITERAL, "User:alice", WILDCARD, READ, ALLOW)
> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:bob", WILDCARD, READ, ALLOW)
> >
> > ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true"
> >
> > AuthorizerContext requestContext = MockAuthorizableRequestContext with
> > principal = User:alice
> > host = InetAddress.getLocalHost()
> >
> >
> > *Method Call:*
> >
> > authorizer.authorizeByResourceType(requestContext, READ, TOPIC)
> >
> > *Question:*
> >
> > Should the result be true because there is a LITERAL READ ALLOW on "foobar"
> > or should the result be false because there is an overriding PREFIXED READ
> > DENY on "foo" ?
> >
> >
> >
> > --
> > LinkedIn: http://www.linkedin.com/in/claudewarren
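A simplified Python model of the resource-type check discussed in this thread, added as an example; it is not Kafka's code or either poster's. The `Acl` tuple and `by_resource_type` function are hypothetical names, and host matching and wildcard principals are left out as a simplifying assumption.

```python
from collections import namedtuple

# Simplified ACL record for this sketch (not Kafka's StandardAcl class).
Acl = namedtuple("Acl", "name pattern principal op perm")

# The three ACLs from the setup in the thread (host is WILDCARD in all of them).
THREAD_ACLS = [
    Acl("foo", "PREFIXED", "User:alice", "READ", "DENY"),
    Acl("foobar", "LITERAL", "User:alice", "READ", "ALLOW"),
    Acl("foo", "PREFIXED", "User:bob", "READ", "ALLOW"),
]

def by_resource_type(acls, principal, op, superusers=(), allow_if_no_acl=False):
    """ALLOWED if the principal could perform op on at least one resource
    name of the type, whether or not that resource exists."""
    if principal in superusers:
        return "ALLOWED"
    mine = [a for a in acls if a.principal == principal and a.op in (op, "ALL")]
    denies = [a for a in mine if a.perm == "DENY"]
    allows = [a for a in mine if a.perm == "ALLOW"]
    # A DENY covering every name (literal "*" or empty prefix) leaves nothing.
    deny_all = (("LITERAL", "*"), ("PREFIXED", ""))
    if any((d.pattern, d.name) in deny_all for d in denies):
        return "DENIED"
    # With allow-if-no-ACL set, a name that no ACL covers is always permitted.
    if allow_if_no_acl:
        return "ALLOWED"
    deny_prefixes = [d.name for d in denies if d.pattern == "PREFIXED"]
    deny_literals = {d.name for d in denies if d.pattern == "LITERAL"}
    for a in allows:
        if any(a.name.startswith(p) for p in deny_prefixes):
            continue  # every name this ALLOW covers is also denied
        if a.pattern == "LITERAL" and a.name in deny_literals:
            continue  # the single name this ALLOW covers is denied
        return "ALLOWED"
    return "DENIED"

if __name__ == "__main__":
    for flag in (True, False):
        result = by_resource_type(THREAD_ACLS, "User:alice", "READ",
                                  superusers=("User:superman",),
                                  allow_if_no_acl=flag)
        print("allow_if_no_acl =", flag, "->", result)
```

In this model the DENIED result for `User:alice` appears only when the allow-if-no-ACL setting is off, because the PREFIXED DENY on `foo` then covers her only ALLOW.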