[ 
https://issues.apache.org/jira/browse/KAFKA-7702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16708478#comment-16708478
 ] 

ASF GitHub Bot commented on KAFKA-7702:
---------------------------------------

rajinisivaram closed pull request #5994: KAFKA-7702: Fix matching of prefixed 
ACLs to match single char prefix
URL: https://github.com/apache/kafka/pull/5994
 
 
   

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala 
b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
index 892377cfe92..8a0b4a072e4 100644
--- a/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
+++ b/core/src/main/scala/kafka/security/auth/SimpleAclAuthorizer.scala
@@ -239,10 +239,9 @@ class SimpleAclAuthorizer extends Authorizer with Logging {
         .map(_.acls)
         .getOrElse(Set.empty[Acl])
 
-      val prefixed = aclCache.range(
-        Resource(resourceType, resourceName, PatternType.PREFIXED),
-        Resource(resourceType, resourceName.take(1), PatternType.PREFIXED)
-      )
+      val prefixed = aclCache
+        .from(Resource(resourceType, resourceName, PatternType.PREFIXED))
+        .to(Resource(resourceType, resourceName.take(1), PatternType.PREFIXED))
         .filterKeys(resource => resourceName.startsWith(resource.name))
         .flatMap { case (resource, versionedAcls) => versionedAcls.acls }
         .toSet
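Review bot: The new `.from(...).to(...)` chain is inclusive at both ends, which is the actual fix, but nothing at the call site records that, so a later reader could switch back to `range`/`until` and silently reintroduce the bug; the result also depends on `aclCache`'s `Resource` ordering placing a full name before its shorter prefixes, which is not visible in this hunk. Consider a comment above `val prefixed` such as `// Inclusive on both ends: the one-character prefix (resourceName.take(1)) must itself be a candidate; range/until excluded it (KAFKA-7702).` Because this lookup feeds both Allow and Deny prefixed ACLs, a bound that drops a candidate fails open for Deny rules rather than merely denying access, so the inclusive bound is worth pinning with the test in the companion hunk. The enclosing method starts and ends outside the hunk.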
diff --git 
a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala 
b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
index 5461413871b..1468003f3f0 100644
--- a/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
+++ b/core/src/test/scala/unit/kafka/security/auth/SimpleAclAuthorizerTest.scala
@@ -629,6 +629,18 @@ class SimpleAclAuthorizerTest extends ZooKeeperTestHarness 
{
     assertTrue(simpleAclAuthorizer.authorize(session, Read, resource))
   }
 
+  @Test
+  def testSingleCharacterResourceAcls(): Unit = {
+    simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Topic, "f", 
LITERAL))
+    assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, 
"f", LITERAL)))
+    assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, 
"foo", LITERAL)))
+
+    simpleAclAuthorizer.addAcls(Set[Acl](allowReadAcl), Resource(Topic, "_", 
PREFIXED))
+    assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, 
"_foo", LITERAL)))
+    assertTrue(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, 
"_", LITERAL)))
+    assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, 
"foo_", LITERAL)))
+  }
+
   @Test
   def testGetAclsPrincipal(): Unit = {
     val aclOnSpecificPrincipal = new Acl(principal, Allow, WildCardHost, Write)
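Review bot: `testSingleCharacterResourceAcls` only exercises Allow ACLs, while the issue also reports that a Deny rule with a single-character prefix was not applied; the Deny path goes through the same range lookup and is the one that fails open when a candidate is dropped, so it deserves an assertion here. After the `"_"` PREFIXED allow, add `simpleAclAuthorizer.addAcls(Set[Acl](new Acl(principal, Deny, WildCardHost, Read)), Resource(Topic, "_", PREFIXED))` followed by `assertFalse(simpleAclAuthorizer.authorize(session, Read, Resource(Topic, "_foo", LITERAL)))`, on the assumption that Deny takes precedence over Allow in this authorizer as it does elsewhere in the test class. `SimpleAclAuthorizerTest` continues outside the hunk.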


 



> Prefixed ACLs don't work with single character prefix
> -----------------------------------------------------
>
>                 Key: KAFKA-7702
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7702
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.0.1, 2.1.0
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Major
>             Fix For: 2.2.0, 2.1.1, 2.0.2
>
>
> Prefixed ACLs with a single character are not matched correctly against 
> resource names. ALLOW rule with single character prefix doesn't grant access 
> to any resource and DENY rule with single character prefix doesn't deny 
> access to any resource since the prefix is not matched correctly.
> This is not an exploitable security vulnerability since only authenticated 
> users with authorization to create ACLs can create the prefixed ACLs.


