KAFKA-19234: broker should return UNAUTHORIZATION error for non-existing topic in produce request

[FrankYang0529]

Since topic name is sensitive information, it should return a
TOPIC_AUTHORIZATION_FAILED error for non-existing topic. The Fetch
request also follows this pattern.

Co-authored-by: John Doe [email protected]

[m1a2st]

Thank @FrankYang0529 for this patch, some little comments

[TaiJuWu]

LGTM.

[chia7712]

  @Test
  def testAuthorizationWithTopicNotExistingForProduceRequestVersionLessThan13(): Unit = {
    sendRequests(mutable.Map(ApiKeys.CREATE_TOPICS -> createTopicsRequest))
    def createTpd(version: Int) =
      if (version <= 12) new ProduceRequestData.TopicProduceData()
        .setName(tp.topic())
      else new ProduceRequestData.TopicProduceData()
        .setTopicId(getTopicIds()(tp.topic()))
    for (version <- ApiKeys.PRODUCE.oldestVersion to ApiKeys.PRODUCE.latestVersion) {
      val request = requests.ProduceRequest.builder(new ProduceRequestData()
          .setTopicData(new ProduceRequestData.TopicProduceDataCollection(
            util.List.of(createTpd(version)
                .setPartitionData(util.List.of(
                  new ProduceRequestData.PartitionProduceData()
                    .setIndex(tp.partition)
                    .setRecords(MemoryRecords.withRecords(Compression.NONE, new SimpleRecord("test".getBytes))))))
              .iterator))
          .setAcks(1.toShort)
          .setTimeoutMs(5000))
        .build(version.toShort)
      val data = connectAndReceive[AbstractResponse](request, listenerName = listenerName).asInstanceOf[ProduceResponse].data().responses()
      assertEquals(1, data.size())
      val response = if (version <= 12) data.find(tp.topic(), Uuid.ZERO_UUID)
      else data.find("", getTopicIds()(tp.topic()))
      assertEquals(Errors.TOPIC_AUTHORIZATION_FAILED.code(),
        response.partitionResponses().asScala.find(_.index == part).get.errorCode, s"unexpected error for produce request version $version")
    }
  }

we need to test version 13, but it should use topic id instead of topic name.

[FrankYang0529]

Hi @chia7712, the version 13 is covered by testAuthorizationWithTopicNotExisting. This PR focuses on old versions behavior.

[chia7712]

Could you please add comments for the version=13. Additionally, there is a typo: Reqeust

[junrao]

@FrankYang0529 : Thanks for the PR. Left a comment.

[junrao]

This topic exists on the broker, right?

[chia7712]

We expect to return TOPIC_AUTHORIZATION_FAILED (if it failed to authorize) regardless of topic existence if the request is using topic name. Maybe we should test both cases - 1) topic exists and 2) topic does not exist (similar to testAuthorizationFetchV12WithTopicNotExisting)

[junrao]

We could. I am just pointing out this doesn't match the test name, which says WithTopicNotExisting.

[FrankYang0529]

Hi @junrao, This case follows testAuthorizationWithTopicNotExisting. In AuthorizerIntegrationTest, if a case needs a existing topic like case testAuthorizationWithTopicExisting, it needs to call sendRequests(mutable.Map(ApiKeys.CREATE_TOPICS -> createTopicsRequest)).

[chia7712]

@FrankYang0529 could you please add the test case for the existent topic? Additionally, it would be useful to add case of existent topic for fetch RPC too.

[junrao]

This is another subtle existing issue. If a produce request before v13 has an empty topic name, we used to return UNKNOWN_TOPIC_OR_PARTITION. Now, we return UNKNOWN_TOPIC_ID. It's probably better to change the condition to if (topicName.isEmpty && topic.topicId().equals(Uuid.ZERO_UUID)).

[chia7712]

It's probably better to change the condition to if (topicName.isEmpty && topic.topicId().equals(Uuid.ZERO_UUID)).

The default value of topic.topicId() is Uuid.ZERO_UUID, and hence if (topicName.isEmpty && topic.topicId().equals(Uuid.ZERO_UUID))is always true if request is before v13. Maybe we can try another condition:if (topicName.isEmpty && version > 12`?

[junrao]

Sorry, I meant if (topicName.isEmpty && !topic.topicId().equals(Uuid.ZERO_UUID)).

[junrao]

We could. I am just pointing out this doesn't match the test name, which says WithTopicNotExisting.

[frankvicky]

Overall, LGTM assuming the remaining comments are addressed.

[FrankYang0529]

@junrao @chia7712 Thanks for review. I addressed all comments. Could you take a look when you have time? Thanks.

[junrao]

@FrankYang0529 : Thanks for the updated PR. A couple of more comments.

[junrao]

Could this be private?

[junrao]

Should we use createTopicWithBrokerPrincipal()? This will wait until the topic metadata is propagated to all brokers. Ditto for authorizationFetchV12.

[Yunyung]

Follow junrao, it would be good to follow testTopicIdAuthorization method?

• Use @ParameterizedTest and rename the parameter to withTopicExisting for consistent code style in this file.
• Use createTopicWithBrokerPrincipal.

  @ParameterizedTest
  @CsvSource(value = Array("false", "true"))
  def testTopicIdAuthorization(withTopicExisting: Boolean): Unit = {
    val topicId = if (withTopicExisting) {
      createTopicWithBrokerPrincipal(topic)
      getTopicIds()(topic)
    } else {
      Uuid.randomUuid()
    }

[FrankYang0529]

Thanks, I changed to use ParameterizedTest, so we can remove authorizationForProduceRequestVersionLessThan13 and authorizationFetchV12.