[PR] KAFKA-18813: ConsumerGroupHeartbeat API and ConsumerGroupDescribe API… [kafka]

Wed, 26 Feb 2025 10:51:24 -0800 


dongnuo123 opened a new pull request, #19042:
URL: https://github.com/apache/kafka/pull/19042

   … must check topic describe (#18989)
   
   This patch filters out the topic describe unauthorized topics from the 
ConsumerGroupHeartbeat and ConsumerGroupDescribe response.
   
   In ConsumerGroupHeartbeat,
   - if the request has `subscribedTopicNames` set, we directly check the authz 
in `KafkaApis` and return a topic auth failure in the response if any of the 
topics is denied.
   - Otherwise, we check the authz only if a regex refresh is triggered and we 
do it based on the acl of the consumer that triggered the refresh. If any of 
the topic is denied, we filter it out from the resolved subscription.
   
   In ConsumerGroupDescribe, we check the authz of the coordinator response. If 
any of the topic in the group is denied, we remove the described info and add a 
topic auth failure to the described group. (similar to the group auth failure)
   
   Reviewers: David Jacot <dja...@confluent.io>, Lianet Magrans 
<lmagr...@confluent.io>, Rajini Sivaram <rajinisiva...@googlemail.com>, 
Chia-Ping Tsai <chia7...@gmail.com>, TaiJuWu <tjwu1...@gmail.com>, TengYao Chi 
<kiting...@gmail.com>
   
   (cherry picked from commit 36f19057e1d57a8548a4548c304799fd176c359f)
   
   Delete this text and replace it with a detailed description of your change. 
The 
   PR title and body will become the squashed commit message.
   
   If you would like to tag individuals, add some commentary, upload images, or
   include other supplemental information that should not be part of the 
eventual
   commit message, please use a separate comment.
   
   If applicable, please include a summary of the testing strategy (including 
   rationale) for the proposed change. Unit and/or integration tests are 
expected
   for any behavior change and system tests should be considered for larger
   changes.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: jira-unsubscr...@kafka.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to