lianetm commented on code in PR #18989:
URL: https://github.com/apache/kafka/pull/18989#discussion_r1968317091


##########
core/src/main/scala/kafka/server/KafkaApis.scala:
##########
@@ -2529,9 +2529,24 @@ class KafkaApis(val requestChannel: RequestChannel,
       requestHelper.sendMaybeThrottle(request, 
consumerGroupHeartbeatRequest.getErrorResponse(Errors.GROUP_AUTHORIZATION_FAILED.exception))
       CompletableFuture.completedFuture[Unit](())
     } else {
+      if (consumerGroupHeartbeatRequest.data.subscribedTopicNames != null &&
+        !consumerGroupHeartbeatRequest.data.subscribedTopicNames.isEmpty) {
+        // Check the authorization if the subscribed topic names are provided.
+        // Clients are not allowed to see topics that are not authorized for 
Describe.
+        val authorizedTopics = authHelper.filterByAuthorized(request.context, 
DESCRIBE, TOPIC,
+          
consumerGroupHeartbeatRequest.data.subscribedTopicNames.asScala)(identity)
+        if (authorizedTopics.size < 
consumerGroupHeartbeatRequest.data.subscribedTopicNames.size) {
+          val responseData = new ConsumerGroupHeartbeatResponseData()
+            .setErrorCode(Errors.TOPIC_AUTHORIZATION_FAILED.code)
+            .setErrorMessage("The client is not authorized to describe the 
provided subscribed topics.")

Review Comment:
   in this case we had a request with a list of topics, and we're already 
sending a response with errorCode TOPIC_AUTH_FAILED, so I wonder if adding this 
message is bringing much value? 
   
   Also, it's not consistent with how other APIs handle the same situation. Ex. 
on the metadata path, we get a request with topic list and if auth fails the 
response will only include the error code, no custom message. This 
inconsistency is relevant because it will translate into the consumer btw 
(whatever topic auth message we get from metadata or HB will bubble up to the 
consumer.poll). We can always make it consistent on the client side of course, 
but seems to me that making it consistent here makes more sense given that the 
message seems redundant. Thoughts?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
