KAFKA-9386; Apply delete ACL filters to resources from filter even if not in cache

[rajinisivaram]

With the old SimpleAclAuthorizer, we were handling delete filters that matched a single resource by looking up that resource directly, even if it wasn't in the cache. AclAuthorizerTest.testHighConcurrencyDeletionOfResourceAcls relies on this behaviour and fails intermittently when the cache is not up-to-date. This PR includes the resource from non-matching filters even if it is not in the cache to retain the old behaviour.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[rajinisivaram]

retest this please

[omkreddy]

@rajinisivaram Thanks for the PR. LGTM.

[ijuma]

@rajinisivaram We look for the resource directly by querying ZK?

[rajinisivaram]

@ijuma When deleting ACLs, we always use the latest ACLs from ZK since the updates use the version. But in order to look up those ACLs, we need to know which resources to look up. For ACL filters that specify a resource pattern (e.g testTopicA or prefixed topic test), we can directly look up that resource to ensure that we get the latest value in ZK. And we were doing that in SimpleAclAuthorizer. For ACL filters that match multiple resources, we match against the resources in aclCache since we dont want to look up all resources in ZK to perform the match. This PR does the same for AclAuthorizer.

If you do Admin.createAcls() followed by Admin.deleteAcls(), if you specify the ACL in both cases, you are guaranteed to delete the ACL regardless of which broker handles the request. If you use a matching filter that doesn't specify the resource pattern for deleteAcls, then we don't provide that guarantee. If we did want to provide that guarantee, we would need to read all resources from ZK for this case.

[ijuma]

Thanks for the explanation. Two comments:

1. Have we documented this anywhere? It's a bit subtle, so it would be good to do so, if we have not.
2. Could we write a deterministic test for this behavior (maybe using mocks) so that we don't regress? It can be done as a separate PR.

[rajinisivaram]

@ijuma Opened https://issues.apache.org/jira/browse/KAFKA-9392 to document the limitation and add a deterministic test.

[ijuma]

Thanks. We should also check that we can continue to offer this guarantee after KIP-500.

[ijuma]

Another thing to consider for a separate PR: this method seems highly inefficient. We take all the keys in the cache and do a bunch of transformations. It seems like we should avoid that, no? Intuitively, we would do a filter operation first and then transform only the cache items that match.

[rajinisivaram]

I will do https://issues.apache.org/jira/browse/KAFKA-8847 first to remove references to the old classes and deprecate those. And that would avoid a lot of the unnecessary conversions. I can see if more can be done to improve this in the same PR.

[ijuma]

Sounds good.

[rajinisivaram]

@ijuma I guess we don't know yet the exact format in which ACLs will be stored for KIP-500. But I think this guarantee is similar to supporting concurrent updates which we need to do anyway. A deterministic test will at least ensure we will notice if it doesn't work.

[rajinisivaram]

@omkreddy @ijuma Thanks for the reviews, merging to trunk. Will address remaining comments under KAFKA-9392 and KAFKA-8847.