lianetm commented on code in PR #18989:
URL: https://github.com/apache/kafka/pull/18989#discussion_r1971805902
##########
core/src/main/scala/kafka/server/KafkaApis.scala:
##########
@@ -2592,6 +2608,38 @@ class KafkaApis(val requestChannel: RequestChannel,
response.groups.addAll(results)
}
+ // Clients are not allowed to see topics that are not authorized for
Describe.
+ val topicsToCheck = authorizer match {
+ case Some(_) =>
+ response.groups.stream()
+ .flatMap(group => group.members.stream)
+ .flatMap(member => util.stream.Stream.of(member.assignment,
member.targetAssignment))
+ .flatMap(assignment => assignment.topicPartitions.stream)
+ .map(topicPartition => topicPartition.topicName)
+ .collect(Collectors.toSet[String])
+ .asScala
+ case None => Set.empty[String]
+ }
+ val authorizedTopics =
authHelper.filterByAuthorized(request.context, DESCRIBE, TOPIC,
+ topicsToCheck)(identity)
+ val updatedGroups = response.groups.stream().map { group =>
Review Comment:
this is also only needed if there is an authorizer right? Moreover, having
like this, if there is no authorizer, don't we end up now with empty
`authorizedTopics`, iterate here and end up with hasUnauthorizedTopic=true?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
