Re: [PR] KAFKA-18813: [1/N] ConsumerGroupHeartbeat API and ConsumerGroupDescribe API must check topic describe [kafka]

Fri, 21 Feb 2025 12:22:23 -0800 


dajac commented on code in PR #18989:
URL: https://github.com/apache/kafka/pull/18989#discussion_r1966115642


##########
group-coordinator/src/main/java/org/apache/kafka/coordinator/group/GroupMetadataManager.java:
##########
@@ -2698,6 +2741,60 @@ private CoordinatorResult<Void, CoordinatorRecord> 
handleRegularExpressionsResul
         return new CoordinatorResult<>(records);
     }
 
+    /**
+     * This method filters the topics in the resolvedRegularExpressions
+     * that the member is authorized to describe.
+     *
+     * @param context                               The request context.
+     * @param resolvedRegularExpressions            The list of topic names to 
validate.
+     * @return The set of topics that the member is not authorized to describe.
+     */
+    private Set<String> filterTopicDescribeAuthorizedTopics(
+        RequestContext context,
+        Map<String, ResolvedRegularExpression> resolvedRegularExpressions
+    ) {
+        if (authorizer.isPresent()) {
+            Map<String, Integer> topicNameCount = new HashMap<>();
+            
resolvedRegularExpressions.values().forEach(resolvedRegularExpression ->
+                resolvedRegularExpression.topics.forEach(topicName ->
+                    topicNameCount.compute(topicName, Utils::incValue)
+                )
+            );
+
+            List<Action> actions = 
topicNameCount.entrySet().stream().map(entry -> {
+                ResourcePattern resource = new ResourcePattern(TOPIC, 
entry.getKey(), LITERAL);
+                return new Action(DESCRIBE, resource, entry.getValue(), true, 
true);
+            }).collect(Collectors.toList());
+
+            List<AuthorizationResult> authorizationResults = 
authorizer.get().authorize(context, actions);
+            Set<String> deniedTopics = new HashSet<>();
+            IntStream.range(0, actions.size()).forEach(i -> {
+                if (authorizationResults.get(i) == AuthorizationResult.DENIED) 
{
+                    String deniedTopic = 
actions.get(i).resourcePattern().name();
+                    deniedTopics.add(deniedTopic);
+                }
+            });
+
+            resolvedRegularExpressions.forEach((regex, 
resolvedRegularExpression) -> {
+                if 
(resolvedRegularExpression.topics.stream().anyMatch(deniedTopics::contains)) {

Review Comment:
   This line may not be necessary.  We could directly filter the list and avoid 
iterating it many times.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to