mirror of https://github.com/apache/kafka.git
36f19057e1
This patch filters out the topic describe unauthorized topics from the ConsumerGroupHeartbeat and ConsumerGroupDescribe response. In ConsumerGroupHeartbeat, - if the request has `subscribedTopicNames` set, we directly check the authz in `KafkaApis` and return a topic auth failure in the response if any of the topics is denied. - Otherwise, we check the authz only if a regex refresh is triggered and we do it based on the acl of the consumer that triggered the refresh. If any of the topic is denied, we filter it out from the resolved subscription. In ConsumerGroupDescribe, we check the authz of the coordinator response. If any of the topic in the group is denied, we remove the described info and add a topic auth failure to the described group. (similar to the group auth failure) Reviewers: David Jacot <djacot@confluent.io>, Lianet Magrans <lmagrans@confluent.io>, Rajini Sivaram <rajinisivaram@googlemail.com>, Chia-Ping Tsai <chia7712@gmail.com>, TaiJuWu <tjwu1217@gmail.com>, TengYao Chi <kitingiao@gmail.com> |
||
|---|---|---|
| .. | ||
| .scalafmt.conf | ||
| checkstyle.xml | ||
| import-control-coordinator-common.xml | ||
| import-control-core.xml | ||
| import-control-examples.xml | ||
| import-control-group-coordinator.xml | ||
| import-control-jmh-benchmarks.xml | ||
| import-control-metadata.xml | ||
| import-control-server-common.xml | ||
| import-control-server.xml | ||
| import-control-share-coordinator.xml | ||
| import-control-storage.xml | ||
| import-control-test-common-internal-api.xml | ||
| import-control-test-common-runtime.xml | ||
| import-control-test-common-util.xml | ||
| import-control-transaction-coordinator.xml | ||
| import-control.xml | ||
| java.header | ||
| suppressions.xml | ||