[CORE-13170] - Support SR ACLs in DescribeACLs #27295
Open
+241
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
Pull Request Overview
This PR adds support for describing Schema Registry (SR) ACLs through the DescribeACLs Kafka API by introducing a new tagged boolean field describe_registry_acls to differentiate between Kafka and SR ACL requests.
Key changes:
- Added a new tagged field to
describe_acls_requestanddescribe_acls_responseprotocol messages - Modified ACL handling logic to route requests to appropriate resource type converters based on the new field
- Added comprehensive test coverage for the new functionality
Reviewed Changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
src/v/kafka/protocol/schemata/describe_acls_request.json |
Added DescribeRegistryAcls tagged boolean field to request schema |
src/v/kafka/protocol/schemata/describe_acls_response.json |
Added DescribeRegistryAcls tagged boolean field to response schema |
src/v/kafka/server/handlers/details/security.h |
Added to_registry_resource_type conversion function and updated filtering logic |
src/v/kafka/server/handlers/describe_acls.cc |
Modified response handling to use appropriate resource type converter |
src/v/kafka/server/tests/describe_acls_test.cc |
Added comprehensive test cases for SR ACL describe functionality |
src/v/kafka/server/tests/BUILD |
Added build configuration for new test file |
|
|
||
| kafka::describe_acls_request req; | ||
| req.data.describe_registry_acls = false; | ||
| req.data.resource_type = 1; |
There was a problem hiding this comment.
Magic number 1 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.resource_type = 1; | |
| req.data.resource_type = kafka::resource_type::topic; |
Copilot uses AI. Check for mistakes.
| kafka::describe_acls_request req; | ||
| req.data.describe_registry_acls = false; | ||
| req.data.resource_type = 1; | ||
| req.data.resource_pattern_type = 1; |
There was a problem hiding this comment.
Magic number 1 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.resource_pattern_type = 1; | |
| req.data.resource_pattern_type = kafka::resource_pattern_type::literal; |
Copilot uses AI. Check for mistakes.
| req.data.describe_registry_acls = false; | ||
| req.data.resource_type = 1; | ||
| req.data.resource_pattern_type = 1; | ||
| req.data.operation = 1; |
There was a problem hiding this comment.
Magic number 1 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.operation = 1; | |
| req.data.operation = kafka::acl_operation::read; |
Copilot uses AI. Check for mistakes.
| req.data.resource_type = 1; | ||
| req.data.resource_pattern_type = 1; | ||
| req.data.operation = 1; | ||
| req.data.permission_type = 1; |
There was a problem hiding this comment.
Magic number 1 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.permission_type = 1; | |
| req.data.permission_type = kafka::acl_permission_type::allow; |
Copilot uses AI. Check for mistakes.
| BOOST_REQUIRE(!resp.data.describe_registry_acls); | ||
| BOOST_REQUIRE_EQUAL(resp.data.error_code, kafka::error_code::none); | ||
| BOOST_REQUIRE_EQUAL(resp.data.resources.size(), 1); | ||
| BOOST_REQUIRE_EQUAL(resp.data.resources[0].type, 2); |
There was a problem hiding this comment.
Magic number 2 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| BOOST_REQUIRE_EQUAL(resp.data.resources[0].type, 2); | |
| BOOST_REQUIRE_EQUAL( | |
| resp.data.resources[0].type, | |
| static_cast<int8_t>(security::resource_type::topic)); |
Copilot uses AI. Check for mistakes.
| req.data.describe_registry_acls = false; | ||
| // Request SR_SUBJECT resource type, which is invalid if | ||
| // describe_registry_acls is false | ||
| req.data.resource_type = 100; |
There was a problem hiding this comment.
Magic number 100 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.resource_type = 100; | |
| req.data.resource_type = static_cast<int8_t>(security::resource_type::sr_subject); |
Copilot uses AI. Check for mistakes.
| req.data.describe_registry_acls = true; | ||
| // Request TOPIC resource type, which is invalid if describe_registry_acls | ||
| // is true | ||
| req.data.resource_type = 2; |
There was a problem hiding this comment.
Magic number 2 should be replaced with a named constant or enum value to improve code readability and maintainability.
Suggested change
| req.data.resource_type = 2; | |
| req.data.resource_type = static_cast<int8_t>(kafka::resource_type::topic); |
Copilot uses AI. Check for mistakes.
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
6add5fc to
c813ff9
Compare
|
Force push:
|
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
c813ff9 to
7997f68
Compare
|
Force push:
|
CI test resultstest results on build#71012
test results on build#71110
test results on build#71401
|
dotnwat
reviewed
Aug 19, 2025
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
7997f68 to
2224ade
Compare
|
Force push:
|
Field used to indicate if DescribeAclsRequest or DescribeAclsResponse contains only Schema Registry resources. Signed-off-by: Michael Boquard <[email protected]>
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
2224ade to
817bac5
Compare
|
Force push:
|
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
817bac5 to
47e9d18
Compare
|
Force push:
|
oleiman
previously approved these changes
Aug 25, 2025
Comment on lines
271
to
275
| default: | ||
| vassert(false, "Request only for Schema Registry resources"); |
There was a problem hiding this comment.
nitpick(pedantic): prefer exhaustive switch cases
BenPope
reviewed
Aug 26, 2025
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
47e9d18 to
4baa4bb
Compare
|
Force push:
|
If this new tagged field is true, then return Schema Registry resources in the DescribeAcls response. Will also accept SR resource types if the new tagged field is true. Signed-off-by: Michael Boquard <[email protected]>
michael-redpanda
force-pushed
the
dr/acl/support-sr-acls
branch
from
4baa4bb to
3692072
Compare
|
Force push:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds support for describe SR resource based ACLs via the DescribeACLs API. This adds a new tagged field to the
describe_acls_requestanddescribe_acls_responsemessages that is used to indicate whether or not the request is for describing SR ACLs or Kafka ACLs.Backports Required
Release Notes