KAFKA-18399 Remove ZooKeeper from KafkaApis (3/N): ALTER_CONFIG, INCREMENETAL_ALTER_CONFIG#18432
KAFKA-18399 Remove ZooKeeper from KafkaApis (3/N): ALTER_CONFIG, INCREMENETAL_ALTER_CONFIG#18432chia7712 merged 13 commits intoapache:trunkfrom
Conversation
| } | ||
|
|
||
| @Test | ||
| def testAlterConfigsWithAuthorizer(): Unit = { |
There was a problem hiding this comment.
For my understanding, this is a ZK-only test because authorisation should no longer happen on a broker because the requests are forwarded to the KRaft controller where authorisation ought to happen?
There was a problem hiding this comment.
yes, we don't don any authorization on Kraft mode.
There was a problem hiding this comment.
You still need to do some level of authorization before forwarding, right?
There was a problem hiding this comment.
You still need to do some level of authorization before forwarding
You are absolutely correct. The log4j operation is not forwarded to the controller because it is used to configure "this" specific broker. Therefore, authorization for this operation must be performed within this broker.
Please ensure that the related unit tests are maintained.
There was a problem hiding this comment.
Thanks for the quick response! I understand where you are coming from with respect to the particular operation we are authorizing, what I do not understand is why are we removing the double authorisation (once on the broker and once on the controller)? I also believe this is what Ismael meant as well here #18432 (comment)
There was a problem hiding this comment.
Oh, I got your point but this should be another issue and we can make it as follow ups.
We should not block it here since this ticket is for 4.0 and we are closer deadline and it more like an optimization.
This is a mistake see #18432 (comment)
There was a problem hiding this comment.
By the way, here is a related response #18432 (comment) for #18432 (comment) and I believe it is an accident.
The question should be we should authorize for IncrementalAlterConfig instead of AlterConfig
There was a problem hiding this comment.
but this should be another issue and we can make it as follow ups.
Pardon me, what is "another issue"? There is no extra authorisation for AlterConfigsRequest as it does not support to change logger. It seems to me the follow-up for this unit test is to add checks for configManager.preprocess
There was a problem hiding this comment.
but this should be another issue and we can make it as follow ups.
Pardon me, what is "another issue"? There is no extra authorisation for
AlterConfigsRequestas it does not support to change logger. It seems to me the follow-up for this unit test is to add checks forconfigManager.preprocess
Oh, sorry. I think this again.
All alterConfig (no matter incremental or not ) should forward to controller directly so there is no follow up.
Previous image (from mine), we can do some authorize locally but no matter what we always need to send to controller.
There is no optimism space.
TaiJuWu
changed the title
TaiJuWu
changed the title
| response => sendResponse(response.map(_.data()))) | ||
| } else { | ||
| sendResponse(Some(processLegacyAlterConfigsRequest(request, remaining))) | ||
| throw KafkaApis.shouldAlwaysForward(request) |
There was a problem hiding this comment.
How could this happen in kraft mode? Do we need to change some code to make it impossible or is it already impossible? I'd rather do this in a generic way versus having each handler having to handle it.
There was a problem hiding this comment.
metadataSupport.canForward() is always true in kraft and request does not have envelope in kraft broker. Hence, it would be better to simplify the code by removing the unnecessary path. for example:
if (remaining.resources().isEmpty) {
sendResponse(Some(new AlterConfigsResponseData()))
} else {
metadataSupport.forwardingManager.get.forwardRequest(request,
new AlterConfigsRequest(remaining, request.header.apiVersion()),
response => sendResponse(response.map(_.data())))
}BTW, I file https://issues.apache.org/jira/browse/KAFKA-18472 to cleanup metadataSupport
clolov
left a comment
clolov
left a comment
There was a problem hiding this comment.
Did a first pass and left a couple of small questions for my understanding
| } | ||
|
|
||
| @Test | ||
| def testAlterConfigsWithAuthorizer(): Unit = { |
There was a problem hiding this comment.
For my understanding, this is a ZK-only test because authorisation should no longer happen on a broker because the requests are forwarded to the KRaft controller where authorisation ought to happen?
| def handleIncrementalAlterConfigsRequest(request: RequestChannel.Request): Unit = { | ||
| val original = request.body[IncrementalAlterConfigsRequest] | ||
| val preprocessingResponses = configManager.preprocess(original.data(), | ||
| (rType, rName) => authHelper.authorize(request.context, ALTER_CONFIGS, rType, rName)) |
There was a problem hiding this comment.
For my understanding (and here I am working under the assumption that these requests ought to be authorised on the KRaft controller now), should this be removed as well?
There was a problem hiding this comment.
when we set broker config (only for LOG4J), we also need to do authorization locally so we need to keep this one.
| } | ||
|
|
||
| @Test | ||
| def testAlterConfigsWithAuthorizer(): Unit = { |
There was a problem hiding this comment.
You still need to do some level of authorization before forwarding
You are absolutely correct. The log4j operation is not forwarded to the controller because it is used to configure "this" specific broker. Therefore, authorization for this operation must be performed within this broker.
Please ensure that the related unit tests are maintained.
| val forwardCallback: ArgumentCaptor[Option[AbstractResponse] => Unit] = ArgumentCaptor.forClass(classOf[Option[AbstractResponse] => Unit]) | ||
| val newBody: ArgumentCaptor[AbstractRequest] = ArgumentCaptor.forClass(classOf[AbstractRequest]) | ||
|
|
||
| verify(forwardingManager).forwardRequest( |
There was a problem hiding this comment.
all we want to verify is the method forwardRequest gets executed only once, right? the following assert is unnecessary as they never be null.
| val requestHeader = new RequestHeader(ApiKeys.ALTER_CONFIGS, ApiKeys.ALTER_CONFIGS.latestVersion, clientId, 0) | ||
| val request = buildRequest( | ||
| new AlterConfigsRequest.Builder(configs.asJava, false).build(requestHeader.apiVersion)) | ||
| val apiRequest = new AlterConfigsRequest.Builder(configs.asJava, false).build(requestHeader.apiVersion) |
There was a problem hiding this comment.
in this testAlterConfigsClientMetrics, we don't need the authorizer. Hence, could you please remove the unused variable?
There was a problem hiding this comment.
Done. Thanks for review!
|
the failed tests are in clients module, so I think they are unrelated to this PR |
…INCREMENETAL_ALTER_CONFIG (#18432) Reviewers: Christo Lolov <lolovc@amazon.com>, Ismael Juma <ismael@juma.me.uk>, Chia-Ping Tsai <chia7712@gmail.com>
…INCREMENETAL_ALTER_CONFIG (apache#18432) Reviewers: Christo Lolov <lolovc@amazon.com>, Ismael Juma <ismael@juma.me.uk>, Chia-Ping Tsai <chia7712@gmail.com>
…INCREMENETAL_ALTER_CONFIG (apache#18432) Reviewers: Christo Lolov <lolovc@amazon.com>, Ismael Juma <ismael@juma.me.uk>, Chia-Ping Tsai <chia7712@gmail.com>
…INCREMENETAL_ALTER_CONFIG (apache#18432) Reviewers: Christo Lolov <lolovc@amazon.com>, Ismael Juma <ismael@juma.me.uk>, Chia-Ping Tsai <chia7712@gmail.com>
4 participants
*More detailed description of your change,
Committer Checklist (excluded from commit message)