Followup2: your answer speaks directly to "WRITE" access. My example was READ access. So the question the method is answering, then, is: Does the user have access to READ any TOPIC? And that is further restricted by the requestContext host, is it not?
On Tue, Sep 3, 2024 at 2:10 PM Claude Warren, Jr <claude.war...@aiven.io> wrote:

> Followup: If ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true" then
> authorizeByResourceType should return true in all cases since the user
> would have access for any operation on any undefined topic?
>
> On Tue, Sep 3, 2024 at 2:08 PM Claude Warren, Jr <claude.war...@aiven.io> wrote:
>
>> I am working on a replacement for the StandardAuthorizer and my
>> implementation DENIED while the standard implementation ALLOWED. In
>> reading the specs I thought it should be DENIED. But your statement makes
>> it clear that I misread.
>>
>> Thank you,
>> Claude
>>
>> On Tue, Sep 3, 2024 at 1:14 PM Rajini Sivaram <rajinisiva...@gmail.com> wrote:
>>
>>> Hi Claude,
>>>
>>> `authorizeByResourceType` doesn't grant access to any specific topic, it
>>> grants access to idempotent write if the user has access to write to any
>>> topic (which may or may not exist). In this case,
>>> ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true", so `User:alice` can
>>> write to a topic that doesn't start with `foo` and hence
>>> `authorizeByResourceType` should be ALLOWED. What was the behaviour you
>>> observed?
>>>
>>> Regards,
>>>
>>> Rajini
>>>
>>> On Tue, Sep 3, 2024 at 12:22 PM Claude Warren <cla...@xenei.com> wrote:
>>>
>>> > *Setup:*
>>> > Superuser = "User:superman"
>>> >
>>> > ACLs added to system
>>> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:alice", WILDCARD, READ, DENY)
>>> > new StandardAcl(TOPIC, "foobar", LITERAL, "User:alice", WILDCARD, READ, ALLOW)
>>> > new StandardAcl(TOPIC, "foo", PREFIXED, "User:bob", WILDCARD, READ, ALLOW)
>>> >
>>> > ALLOW_EVERYONE_IF_NO_ACL_IS_FOUND_CONFIG = "true"
>>> >
>>> > AuthorizerContext requestContext = MockAuthorizableRequestContext with
>>> > principal = User:alice
>>> > host = InetAddress.getLocalHost()
>>> >
>>> > *Method Call:*
>>> >
>>> > authorizer.authorizeByResourceType(requestContext, READ, TOPIC)
>>> >
>>> > *Question:*
>>> >
>>> > Should the result be true because there is a LITERAL READ ALLOW on "foobar"
>>> > or should the result be false because there is an overriding PREFIXED READ
>>> > DENY on "foo" ?
>>> >
>>> > --
>>> > LinkedIn: http://www.linkedin.com/in/claudewarren
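The semantics Rajini describes (authorizeByResourceType asks whether the principal may perform the operation on *some* resource of that type, existing or not, with DENY beating ALLOW and the no-ACL default filling the gaps) are easy to misread from the ACL list alone. The following Python model is an added example written for this thread; it is not Kafka's StandardAuthorizer code and does not reproduce its internal algorithm, only the decision rules stated above. The class and function names (`Acl`, `ModelAuthorizer`, `thread_scenario`, `deny_all_scenario`), the host string standing in for `InetAddress.getLocalHost()`, and the "fresh character" trick for enumerating every distinct set of matching ACLs are the model's own assumptions; it also ignores Kafka's implied operations (such as READ implying DESCRIBE). The sample ACLs are the three from the Setup mail, constructed here as test data.

```python
from dataclasses import dataclass
from enum import Enum
import string

WILDCARD = "*"   # matches any principal or host; as a LITERAL name, any resource
ALL = "ALL"      # an ACL for operation ALL covers every operation


class PatternType(Enum):
    LITERAL = "LITERAL"
    PREFIXED = "PREFIXED"


class Permission(Enum):
    ALLOW = "ALLOW"
    DENY = "DENY"


@dataclass(frozen=True)
class Acl:
    # Field order mirrors the StandardAcl constructor calls quoted in the thread.
    resource_type: str
    resource_name: str
    pattern_type: PatternType
    principal: str
    host: str
    operation: str
    permission: Permission

    def matches(self, resource_type, resource_name, principal, host, operation):
        """Does this ACL bind to the given request and resource name?"""
        if self.resource_type != resource_type:
            return False
        if self.principal not in (principal, WILDCARD):
            return False
        if self.host not in (host, WILDCARD):          # host is part of the match
            return False
        if self.operation not in (operation, ALL):
            return False
        if self.pattern_type is PatternType.LITERAL:
            return self.resource_name in (resource_name, WILDCARD)
        return resource_name.startswith(self.resource_name)


class ModelAuthorizer:
    def __init__(self, acls, super_users=(), allow_everyone_if_no_acl_found=False):
        self.acls = list(acls)
        self.super_users = set(super_users)
        self.allow_everyone_if_no_acl_found = allow_everyone_if_no_acl_found

    def authorize(self, principal, host, operation, resource_type, resource_name):
        """Single-resource decision: super users win, then any DENY wins,
        then the no-ACL default decides."""
        if principal in self.super_users:
            return True
        matched = [a for a in self.acls
                   if a.matches(resource_type, resource_name, principal, host, operation)]
        if not matched:
            return self.allow_everyone_if_no_acl_found
        return all(a.permission is Permission.ALLOW for a in matched)

    def authorize_by_resource_type(self, principal, host, operation, resource_type):
        """True if ANY resource name of this type (existing or not) would be
        allowed by authorize()."""
        if principal in self.super_users:
            return True
        names = {a.resource_name for a in self.acls
                 if a.resource_type == resource_type and a.resource_name != WILDCARD}
        # A character used in no ACL name (assumption: one is available). Appending
        # it to a name adds no LITERAL or PREFIXED matches, so every distinct set of
        # matching ACLs is realised by an ACL name, an ACL name + fresh, or fresh alone.
        used = set("".join(names))
        fresh = next(c for c in string.ascii_letters + string.digits + "._-" if c not in used)
        candidates = {fresh}
        for n in names:
            candidates.update({n, n + fresh})
        return any(self.authorize(principal, host, operation, resource_type, n)
                   for n in candidates)


HOST = "127.0.0.1"   # stands in for InetAddress.getLocalHost() in the thread


def thread_scenario(allow_everyone_if_no_acl_found=True):
    """The Setup from Claude's first mail, as constructed sample data."""
    acls = [
        Acl("TOPIC", "foo", PatternType.PREFIXED, "User:alice", WILDCARD, "READ", Permission.DENY),
        Acl("TOPIC", "foobar", PatternType.LITERAL, "User:alice", WILDCARD, "READ", Permission.ALLOW),
        Acl("TOPIC", "foo", PatternType.PREFIXED, "User:bob", WILDCARD, "READ", Permission.ALLOW),
    ]
    return ModelAuthorizer(acls, super_users={"User:superman"},
                           allow_everyone_if_no_acl_found=allow_everyone_if_no_acl_found)


def deny_all_scenario():
    """Same setup plus a wildcard DENY for alice: the no-ACL default never applies."""
    acls = thread_scenario().acls + [
        Acl("TOPIC", WILDCARD, PatternType.LITERAL, "User:alice", WILDCARD, "READ", Permission.DENY)]
    return ModelAuthorizer(acls, super_users={"User:superman"}, allow_everyone_if_no_acl_found=True)


if __name__ == "__main__":
    az = thread_scenario()
    print("alice READ foobar:", az.authorize("User:alice", HOST, "READ", "TOPIC", "foobar"))
    print("alice READ any TOPIC:", az.authorize_by_resource_type("User:alice", HOST, "READ", "TOPIC"))
    print("...with allow-everyone off:",
          thread_scenario(False).authorize_by_resource_type("User:alice", HOST, "READ", "TOPIC"))
    print("...with a wildcard DENY:",
          deny_all_scenario().authorize_by_resource_type("User:alice", HOST, "READ", "TOPIC"))
```

Under this model `User:alice` is denied READ on `foobar` itself (the PREFIXED DENY on `foo` overrides the LITERAL ALLOW), yet `authorize_by_resource_type` returns True, because a topic name outside the `foo` prefix matches no ACL and the no-ACL default allows it. Switching that default off flips the answer to False, and so does a wildcard DENY even with the default on, which is the caveat to the follow-up's "true in all cases" reading. The host is checked on every match, so a request context with a different host only sees ACLs whose host field is that host or the wildcard.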