From 257fe083ac52c0a6e56dd1e929564631750e2ee3 Mon Sep 17 00:00:00 2001 From: Michal Maslanka Date: Wed, 31 Mar 2021 11:41:17 +0200 Subject: [PATCH 1/4] k/config_utils: added function template to authorize config resources Both `IncrementalAlterConfigs` and `AlterConfigs` Kafka APIs are very similar in their structure. Added function template that perform authorization for both API types. Signed-off-by: Michal Maslanka --- .../server/handlers/configs/config_utils.h | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/src/v/kafka/server/handlers/configs/config_utils.h b/src/v/kafka/server/handlers/configs/config_utils.h index 12ef1e071c676..2a561c70f60d4 100644 --- a/src/v/kafka/server/handlers/configs/config_utils.h +++ b/src/v/kafka/server/handlers/configs/config_utils.h @@ -20,6 +20,7 @@ #include "kafka/server/request_context.h" #include "kafka/types.h" #include "outcome.h" +#include "security/acl.h" #include #include @@ -69,6 +70,61 @@ T make_error_alter_config_resource_response( .resource_type = resource.resource_type, .resource_name = resource.resource_name}; } +/** + * Authorizes groupped alter configuration resources, it returns not authorized + * responsens and modifies passed in group_resources + */ +template +std::vector authorize_alter_config_resources( + request_context& ctx, groupped_resources& to_authorize) { + std::vector not_authorized; + /** + * Check broker configuration authorization + */ + if ( + !to_authorize.broker_changes.empty() + && !ctx.authorized( + security::acl_operation::alter_configs, + security::default_cluster_name)) { + // not allowed + std::transform( + to_authorize.broker_changes.begin(), + to_authorize.broker_changes.end(), + std::back_inserter(not_authorized), + [](T& res) { + return make_error_alter_config_resource_response( + res, error_code::cluster_authorization_failed); + }); + // all broker changes have to be dropped + to_authorize.broker_changes.clear(); + } + + /** + * Check topic configuration authorization + */ + auto unauthorized_it = std::partition( + to_authorize.topic_changes.begin(), + to_authorize.topic_changes.end(), + [&ctx](const T& res) { + return ctx.authorized( + security::acl_operation::alter_configs, + model::topic(res.resource_name)); + }); + + std::transform( + unauthorized_it, + to_authorize.topic_changes.end(), + std::back_inserter(not_authorized), + [](T& res) { + return make_error_alter_config_resource_response( + res, error_code::topic_authorization_failed); + }); + + to_authorize.topic_changes.erase( + unauthorized_it, to_authorize.topic_changes.end()); + + return not_authorized; +} template ss::future> do_alter_topics_configuration( From 7cfb96477ade6925b919c7cb8352559233c2c68a Mon Sep 17 00:00:00 2001 From: Michal Maslanka Date: Wed, 31 Mar 2021 11:43:31 +0200 Subject: [PATCH 2/4] k/alter_configs: added authorization to alter configs api Signed-off-by: Michal Maslanka --- src/v/kafka/server/handlers/alter_configs.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/v/kafka/server/handlers/alter_configs.cc b/src/v/kafka/server/handlers/alter_configs.cc index c3907aaf6415e..3b6d407f94c5a 100644 --- a/src/v/kafka/server/handlers/alter_configs.cc +++ b/src/v/kafka/server/handlers/alter_configs.cc @@ -172,6 +172,10 @@ ss::future alter_configs_handler::handle( auto groupped = group_alter_config_resources( std::move(request.data.resources)); + auto unauthorized_responsens = authorize_alter_config_resources< + alter_configs_resource, + alter_configs_resource_response>(ctx, groupped); + std::vector>> futures; futures.reserve(2); @@ -181,6 +185,8 @@ ss::future alter_configs_handler::handle( alter_broker_configuartion(std::move(groupped.broker_changes))); auto ret = co_await ss::when_all_succeed(futures.begin(), futures.end()); + // include authorization errors + ret.push_back(std::move(unauthorized_responsens)); co_return co_await ctx.respond( assemble_alter_config_response< From 41c1fc55daed0c194222bab828e3d6753823b483 Mon Sep 17 00:00:00 2001 From: Michal Maslanka Date: Wed, 31 Mar 2021 11:44:02 +0200 Subject: [PATCH 3/4] k/incremenatl_alter_configs: added authorization Signed-off-by: Michal Maslanka --- src/v/kafka/server/handlers/incremental_alter_configs.cc | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/v/kafka/server/handlers/incremental_alter_configs.cc b/src/v/kafka/server/handlers/incremental_alter_configs.cc index c4455685f76ab..efdd6fe95444d 100644 --- a/src/v/kafka/server/handlers/incremental_alter_configs.cc +++ b/src/v/kafka/server/handlers/incremental_alter_configs.cc @@ -218,6 +218,10 @@ ss::future incremental_alter_configs_handler::handle( auto groupped = group_alter_config_resources( std::move(request.data.resources)); + auto unauthorized_responsens = authorize_alter_config_resources< + incremental_alter_configs_resource, + resp_resource_t>(ctx, groupped); + std::vector>> futures; futures.reserve(2); futures.push_back(alter_topic_configuration( @@ -226,6 +230,8 @@ ss::future incremental_alter_configs_handler::handle( alter_broker_configuartion(std::move(groupped.broker_changes))); auto ret = co_await ss::when_all_succeed(futures.begin(), futures.end()); + // include authorization errors + ret.push_back(std::move(unauthorized_responsens)); co_return co_await ctx.respond(assemble_alter_config_response< incremental_alter_configs_response, From 8681bcf397840149cb7711e7743809eef2465753 Mon Sep 17 00:00:00 2001 From: Michal Maslanka Date: Wed, 31 Mar 2021 11:49:43 +0200 Subject: [PATCH 4/4] k/describe_configs: added describe configs authorization Signed-off-by: Michal Maslanka --- src/v/kafka/server/handlers/describe_configs.cc | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/src/v/kafka/server/handlers/describe_configs.cc b/src/v/kafka/server/handlers/describe_configs.cc index f97c71f5eaf5b..d2219ac698313 100644 --- a/src/v/kafka/server/handlers/describe_configs.cc +++ b/src/v/kafka/server/handlers/describe_configs.cc @@ -21,6 +21,7 @@ #include "model/metadata.h" #include "model/namespace.h" #include "model/validation.h" +#include "security/acl.h" #include "ssx/sformat.h" #include @@ -303,6 +304,9 @@ ss::future describe_configs_handler::handle( describe_configs_response response; response.data.results.reserve(request.data.resources.size()); + bool cluster_authorized = ctx.authorized( + security::acl_operation::describe_configs, + security::default_cluster_name); for (auto& resource : request.data.resources) { response.data.results.push_back(describe_configs_result{ @@ -329,6 +333,12 @@ ss::future describe_configs_handler::handle( result.error_code = error_code::unknown_topic_or_partition; continue; } + + if (!ctx.authorized( + security::acl_operation::describe_configs, topic.tp)) { + result.error_code = error_code::topic_authorization_failed; + continue; + } /** * Redpanda extensions */ @@ -407,6 +417,10 @@ ss::future describe_configs_handler::handle( } case config_resource_type::broker: + if (!cluster_authorized) { + result.error_code = error_code::cluster_authorization_failed; + continue; + } report_broker_config(result, request.data.include_synonyms); break;