Followup: If ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true" then authorizeByResourceType should return true in all cases since the user would have access for any operation on any undefined topic?
On Tue, Sep 3, 2024 at 2:08 PM Claude Warren, Jr <claude.war...@aiven.io> wrote:

> I am working on a replacement for the StandardAuthorizer and my
> implementation DENIED while the standard implementation ALLOWED. In
> reading the specs I thought it should be DENIED. But your statement makes
> it clear that I misread.
>
> Thank you,
> Claude
>
> On Tue, Sep 3, 2024 at 1:14 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>
>> Hi Claude,
>>
>> `authorizeByResourceType` doesn't grant access to any specific topic, it
>> grants access to idempotent write if the user has access to write to any
>> topic (which may or may not exist). In this case,
>> ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true", so `User:alice` can
>> write to a topic that doesn't start with `foo` and hence
>> `authorizeByResourceType` should be ALLOWED. What was the behaviour you
>> observed?
>>
>> Regards,
>>
>> Rajini
>>
>>
>> On Tue, Sep 3, 2024 at 12:22 PM Claude Warren <cla...@xenei.com> wrote:
>>
>> > *Setup:*
>> > Superuser = "User:superman"
>> >
>> > ACLs added to system
>> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:alice", WILDCARD, READ, DENY)
>> > new StandardAcl(TOPIC, "foobar", LITERAL, "User:alice", WILDCARD, READ, ALLOW)
>> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:bob", WILDCARD, READ, ALLOW)
>> >
>> > ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true"
>> >
>> > AuthorizerContext requestContext = MockAuthorizableRequestContext with
>> > principal = User:alice
>> > host = InetAddress.getLocalHost()
>> >
>> > *Method Call:*
>> >
>> > authorizer.authorizeByResourceType(requestContext, READ, TOPIC)
>> >
>> > *Question:*
>> >
>> > Should the result be true because there is a LITERAL READ ALLOW on "foobar"
>> > or should the result be false because there is an overriding PREFIXED READ
>> > DENY on "foo" ?
>> >
>> > --
>> > LinkedIn: http://www.linkedin.com/in/claudewarren
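The following is an added, self-contained model of the two decisions discussed in this thread; it is not Kafka's StandardAuthorizer code and not anything posted by the participants. It reproduces the semantics Rajini describes (a per-resource check where DENY beats ALLOW and the allow-everyone fallback applies only when no ACL matches, and a resource-type check that is ALLOWED as soon as some name of that type would pass) against the three ACLs from the original question. The handling of a universal DENY (a LITERAL `*` or empty PREFIXED pattern blocking the resource-type check even when allow-everyone is on) and the `User:*` / `ALL` wildcards are assumptions of this model, not statements from the thread.

```python
"""Constructed model of ACL evaluation in the style of the thread (not Kafka code)."""
from dataclasses import dataclass
from typing import List

LITERAL, PREFIXED = "LITERAL", "PREFIXED"
ALLOW, DENY = "ALLOW", "DENY"
ALLOWED, DENIED = "ALLOWED", "DENIED"
WILDCARD = "*"


@dataclass(frozen=True)
class Acl:
    resource_type: str   # e.g. "TOPIC"
    name: str            # literal resource name or prefix
    pattern: str         # LITERAL or PREFIXED
    principal: str       # e.g. "User:alice"; "User:*" matches anyone (model assumption)
    host: str            # "*" matches any host
    operation: str       # e.g. "READ"; "ALL" matches any operation (model assumption)
    permission: str      # ALLOW or DENY

    def matches_name(self, resource_name: str) -> bool:
        if self.pattern == LITERAL:
            return self.name == WILDCARD or self.name == resource_name
        return resource_name.startswith(self.name)

    def covers_every_name(self) -> bool:
        # Model assumption: these two patterns match every possible name.
        return (self.pattern == LITERAL and self.name == WILDCARD) or (
            self.pattern == PREFIXED and self.name == "")


def _relevant(acls, principal, host, operation, resource_type) -> List[Acl]:
    """ACLs that apply to this principal/host/operation/type regardless of name."""
    return [a for a in acls
            if a.resource_type == resource_type
            and a.principal in (principal, "User:*")
            and a.host in (host, WILDCARD)
            and a.operation in (operation, "ALL")]


def authorize(acls, allow_everyone, principal, host, operation, resource_type, resource_name):
    """Per-resource decision: any matching DENY wins, then ALLOW, then the fallback."""
    matching = [a for a in _relevant(acls, principal, host, operation, resource_type)
                if a.matches_name(resource_name)]
    if any(a.permission == DENY for a in matching):
        return DENIED
    if any(a.permission == ALLOW for a in matching):
        return ALLOWED
    return ALLOWED if allow_everyone else DENIED


def authorize_by_resource_type(acls, allow_everyone, principal, host, operation, resource_type):
    """ALLOWED iff at least one resource name of this type would pass authorize()."""
    relevant = _relevant(acls, principal, host, operation, resource_type)
    denies = [a for a in relevant if a.permission == DENY]
    if any(a.covers_every_name() for a in denies):
        return DENIED  # no name can escape a universal DENY
    if allow_everyone:
        # Finitely many non-universal DENYs always leave some name uncovered,
        # and an uncovered name falls through to the allow-everyone fallback.
        return ALLOWED
    deny_prefixes = [a.name for a in denies if a.pattern == PREFIXED]
    deny_literals = {a.name for a in denies if a.pattern == LITERAL}
    for a in relevant:
        if a.permission != ALLOW:
            continue
        if a.pattern == LITERAL:
            # A literal ALLOW is useless if that exact name is denied or a DENY prefix covers it.
            blocked = a.name in deny_literals or any(a.name.startswith(p) for p in deny_prefixes)
        else:
            # A prefixed ALLOW is useless only if a shorter DENY prefix covers the whole family.
            blocked = any(a.name.startswith(p) for p in deny_prefixes)
        if not blocked:
            return ALLOWED
    return DENIED


def thread_scenario() -> List[Acl]:
    """The three ACLs from the original question (constructed from the thread)."""
    return [
        Acl("TOPIC", "foo", PREFIXED, "User:alice", WILDCARD, "READ", DENY),
        Acl("TOPIC", "foobar", LITERAL, "User:alice", WILDCARD, "READ", ALLOW),
        Acl("TOPIC", "foo", PREFIXED, "User:bob", WILDCARD, "READ", ALLOW),
    ]


if __name__ == "__main__":
    acls, host = thread_scenario(), "localhost"
    print("alice, allow-everyone=true, by type:",
          authorize_by_resource_type(acls, True, "User:alice", host, "READ", "TOPIC"))
    print("alice, allow-everyone=false, by type:",
          authorize_by_resource_type(acls, False, "User:alice", host, "READ", "TOPIC"))
    print("alice, topic foobar:", authorize(acls, True, "User:alice", host, "READ", "TOPIC", "foobar"))
    print("alice, topic orders:", authorize(acls, True, "User:alice", host, "READ", "TOPIC", "orders"))
```

Running it shows the split the thread turns on: alice is DENIED on `foobar` itself (the PREFIXED DENY on `foo` dominates the LITERAL ALLOW), yet the resource-type check is ALLOWED with allow-everyone on because a topic such as `orders` matches no ACL at all. With allow-everyone off the same check becomes DENIED for alice, since her only ALLOW is swallowed by the DENY prefix, while bob stays ALLOWED either way.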