Implement review comments

Signed-off-by: JvD_Ericsson <jeff.van.dam@est.tech>

Author: JvD-Ericsson

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/KafkaCruiseControlServletApp.java

@@ -22,6 +22,8 @@
 import org.eclipse.jetty.ee10.servlet.ServletHolder;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 import jakarta.servlet.ServletException;
+import java.nio.file.Files;
+import java.nio.file.Path;
 import java.util.List;
 
 public class KafkaCruiseControlServletApp extends KafkaCruiseControlApp {
@@ -120,12 +122,14 @@ private void maybeConfigureTlsProtocolsAndCiphers(SslContextFactory sslContextFa
     protected void setupWebUi(ServletContextHandler contextHandler) {
         // Placeholder for any static content
         String webuiDir = _config.getString(WebServerConfig.WEBSERVER_UI_DISKPATH_CONFIG);
-        String webuiPathPrefix = _config.getString(WebServerConfig.WEBSERVER_UI_URLPREFIX_CONFIG);
-        DefaultServlet defaultServlet = new DefaultServlet();
-        ServletHolder holderWebapp = new ServletHolder("default", defaultServlet);
-        // holderWebapp.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
-        holderWebapp.setInitParameter("baseResource", webuiDir);
-        contextHandler.addServlet(holderWebapp, webuiPathPrefix);
+        Path path = Path.of(webuiDir);
+        if (Files.isDirectory(path) && Files.isReadable(path)) {
+            String webuiPathPrefix = _config.getString(WebServerConfig.WEBSERVER_UI_URLPREFIX_CONFIG);
+            DefaultServlet defaultServlet = new DefaultServlet();
+            ServletHolder holderWebapp = new ServletHolder("default", defaultServlet);
+            contextHandler.setBaseResourceAsString(webuiDir);
+            contextHandler.addServlet(holderWebapp, webuiPathPrefix);
+        }
     }
 
     protected ServletContextHandler createContextHandler() {

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/ExposedPropertyUserStore.java

@@ -0,0 +1,39 @@
+/*
+ * Copyright 2025 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information.
+ */
+
+package com.linkedin.kafka.cruisecontrol.servlet;
+
+import org.eclipse.jetty.security.DefaultIdentityService;
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.PropertyUserStore;
+import org.eclipse.jetty.security.RolePrincipal;
+import org.eclipse.jetty.security.UserIdentity;
+import org.eclipse.jetty.security.UserPrincipal;
+import java.util.List;
+import java.util.Set;
+
+public class ExposedPropertyUserStore extends PropertyUserStore {
+
+    private IdentityService _identityService = new DefaultIdentityService();
+
+    /**
+     * This method exposes the protected `_users` map inherited from
+     * UserStore, providing direct access to the stored users' names.
+     * @return the set of users' names
+     */
+    public Set<String> getUsersNames() {
+        return _users.keySet();
+    }
+
+    /**
+     * @param userName the user's name
+     * This method gets the UserIdentity for a given username.
+     * @return the UserIdentity
+     */
+    public UserIdentity getUserIdentity(String userName) {
+        UserPrincipal user = super.getUserPrincipal(userName);
+        List<RolePrincipal> roles = super.getRolePrincipals(userName);
+        return UserIdentityUtil.build(_identityService, user, roles);
+    }
+}

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/ExposedUserStore.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2025 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information.
+ */
+
+package com.linkedin.kafka.cruisecontrol.servlet;
+
+import org.eclipse.jetty.security.DefaultIdentityService;
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.RolePrincipal;
+import org.eclipse.jetty.security.UserIdentity;
+import org.eclipse.jetty.security.UserPrincipal;
+import org.eclipse.jetty.security.UserStore;
+import java.util.List;
+
+public class ExposedUserStore extends UserStore {
+
+    private IdentityService _identityService = new DefaultIdentityService();
+
+    /**
+     * @param userName the user's name
+     * This method gets the UserIdentity for a given username.
+     * @return the UserIdentity
+     */
+    public UserIdentity getUserIdentity(String userName) {
+        UserPrincipal user = super.getUserPrincipal(userName);
+        List<RolePrincipal> roles = super.getRolePrincipals(userName);
+        return UserIdentityUtil.build(_identityService, user, roles);
+    }
+}

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/UserIdentityUtil.java

@@ -0,0 +1,33 @@
+/*
+ * Copyright 2025 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information.
+ */
+
+package com.linkedin.kafka.cruisecontrol.servlet;
+
+import org.eclipse.jetty.security.IdentityService;
+import org.eclipse.jetty.security.RolePrincipal;
+import org.eclipse.jetty.security.UserIdentity;
+import org.eclipse.jetty.security.UserPrincipal;
+import javax.security.auth.Subject;
+import java.security.Principal;
+import java.util.List;
+
+final class UserIdentityUtil {
+
+    private UserIdentityUtil() { }
+
+    static UserIdentity build(IdentityService ids, UserPrincipal user, List<RolePrincipal> rolePrincipals) {
+        if (user == null) {
+            return null;
+        }
+        Subject subject = new Subject();
+        subject.getPrincipals().add(user);
+        subject.getPrincipals().addAll(rolePrincipals);
+
+        String[] roles = rolePrincipals.stream()
+            .map(Principal::getName)
+            .toArray(String[]::new);
+
+        return ids.newUserIdentity(subject, user, roles);
+    }
+}

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/UserPermissionsManager.java

@@ -4,23 +4,15 @@
 
 package com.linkedin.kafka.cruisecontrol.servlet;
 
-import java.io.BufferedReader;
-import java.io.IOException;
-import java.io.InputStreamReader;
-import java.io.UncheckedIOException;
-import java.nio.charset.StandardCharsets;
 import java.util.Map;
 import java.util.Set;
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.stream.Collectors;
 import java.util.Collections;
 import com.linkedin.kafka.cruisecontrol.config.KafkaCruiseControlConfig;
 import org.eclipse.jetty.security.RolePrincipal;
 import org.eclipse.jetty.security.UserStore;
-import org.eclipse.jetty.security.PropertyUserStore;
 import com.linkedin.kafka.cruisecontrol.config.constants.WebServerConfig;
-import org.eclipse.jetty.server.handler.ResourceHandler;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.resource.ResourceFactory;
 import org.slf4j.Logger;
@@ -50,16 +42,14 @@ private Map<String, Set<String>> createRolesPerUsersMap() {
         boolean securityEnabled = _config.getBoolean(WebServerConfig.WEBSERVER_SECURITY_ENABLE_CONFIG);
         if (securityEnabled) {
             String privilegesFilePath = _config.getString(WebServerConfig.WEBSERVER_AUTH_CREDENTIALS_FILE_CONFIG);
-            Resource resource = ResourceFactory.of(new ResourceHandler()).newResource(privilegesFilePath);
-            UserStore userStore = createUserStoreFromResource(resource);
+            Resource resource = ResourceFactory.root().newResource(privilegesFilePath);
+            ExposedPropertyUserStore userStore = createUserStoreFromResource(resource);
             startUserStore(userStore);
 
-            Set<String> userNames = parseUsernames(resource);
+            Set<String> userNames = userStore.getUsersNames();
 
             for (String user : userNames) {
-                Set<RolePrincipal> roles = new HashSet<>(userStore.getRolePrincipals(user));
-
-                Set<String> roleNames = roles.stream()
+                Set<String> roleNames = userStore.getRolePrincipals(user).stream()
                         .map(RolePrincipal::getName)
                         .map(String::toUpperCase)
                         .collect(Collectors.toSet());
@@ -99,43 +89,12 @@ public Set<String> getRolesBy(String userName) {
 
     /** Creates UserStore from an external file
      *
-     * @param privilegedResource a filepath containing user privileges information
+     * @param privilegesResource a filepath containing user privileges information
      * @return a UserStore object
      */
-    private UserStore createUserStoreFromResource(Resource privilegedResource) {
-        PropertyUserStore userStore = new PropertyUserStore();
-        userStore.setConfig(privilegedResource);
+    private ExposedPropertyUserStore createUserStoreFromResource(Resource privilegesResource) {
+        ExposedPropertyUserStore userStore = new ExposedPropertyUserStore();
+        userStore.setConfig(privilegesResource);
         return userStore;
     }
-
-    /** Creates a set of usernames from a Resource
-     *
-     * @param resource a Resource containing user privileges information
-     * @return a Set of usernames parsed from the Resource
-     */
-    private static Set<String> parseUsernames(Resource resource) {
-        if (!resource.exists() || !resource.isReadable()) {
-            return Set.of();
-        }
-        Set<String> usernames = new HashSet<>();
-        try (BufferedReader reader = new BufferedReader(new InputStreamReader(resource.newInputStream(), StandardCharsets.UTF_8))) {
-            String line;
-            while ((line = reader.readLine()) != null) {
-                line = line.trim();
-                if (line.isEmpty() || line.startsWith("#")) {
-                    continue;
-                }
-                int colonIndex = line.indexOf(':');
-                if (colonIndex != -1) {
-                    String username = line.substring(0, colonIndex).trim();
-                    if (!username.isEmpty()) {
-                        usernames.add(username);
-                    }
-                }
-            }
-        } catch (IOException e) {
-            throw new UncheckedIOException("Failed to read usernames from " + resource, e);
-        }
-        return usernames;
-    }
 }

…ntrol/servlet/security/RoleProvider.java …rvlet/security/AuthorizationService.javacruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/RoleProvider.java renamed to cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/AuthorizationService.java cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/RoleProvider.java renamed to cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/AuthorizationService.java

@@ -4,18 +4,18 @@
 
 package com.linkedin.kafka.cruisecontrol.servlet.security;
 
+import org.eclipse.jetty.security.UserIdentity;
 import org.eclipse.jetty.server.Request;
 
 /**
  * An interface to get roles for a given user.
  */
-public interface RoleProvider {
+@FunctionalInterface
+public interface AuthorizationService {
     /**
-     * Get the roles for a given user.
-     *
-     * @param request  the request
-     * @param username the username
-     * @return the roles for the user or null if no roles found
+     * @param request the current request
+     * @param name the user name
+     * @return a {@link UserIdentity} to query for roles of the given user
      */
-    String[] rolesFor(Request request, String username);
+    UserIdentity getUserIdentity(Request request, String name);
 }

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/BasicSecurityProvider.java

@@ -10,7 +10,6 @@
 import org.eclipse.jetty.security.HashLoginService;
 import org.eclipse.jetty.security.LoginService;
 import org.eclipse.jetty.security.authentication.BasicAuthenticator;
-import org.eclipse.jetty.server.handler.ResourceHandler;
 import org.eclipse.jetty.util.resource.Resource;
 import org.eclipse.jetty.util.resource.ResourceFactory;
 
@@ -30,7 +29,7 @@ public void init(KafkaCruiseControlConfig config) {
 
   @Override
   public LoginService loginService() {
-    Resource resource = ResourceFactory.of(new ResourceHandler()).newResource(_userCredentialsFile);
+    Resource resource = ResourceFactory.root().newResource(_userCredentialsFile);
     return new HashLoginService("DefaultLoginService", resource);
   }
 

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/DefaultRoleSecurityProvider.java

@@ -11,6 +11,7 @@
 import java.util.List;
 import java.util.Set;
 import org.eclipse.jetty.ee10.servlet.security.ConstraintMapping;
+import org.eclipse.jetty.security.Authenticator;
 import org.eclipse.jetty.security.Constraint;
 
 
@@ -65,8 +66,11 @@ public Set<String> roles() {
   }
 
   private ConstraintMapping mapping(CruiseControlEndPoint endpoint, String... roles) {
-    Constraint.Builder builder = new Constraint.Builder();
-    Constraint constraint = builder.roles(roles).name("BASIC").authorization(Constraint.Authorization.SPECIFIC_ROLE).build();
+    Constraint constraint = new Constraint.Builder()
+        .name(Authenticator.BASIC_AUTH)
+        .roles(roles)
+        .authorization(Constraint.Authorization.SPECIFIC_ROLE)
+        .build();
     ConstraintMapping mapping = new ConstraintMapping();
     mapping.setPathSpec(_webServerApiUrlPrefix.replace("*", endpoint.name().toLowerCase()));
     mapping.setConstraint(constraint);

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/DummyLoginService.java

@@ -45,8 +45,8 @@ public void logout(UserIdentity user) {
         // dummy implementation
     }
 
-    @Override 
-    public UserIdentity login(String u, Object c, Request req, Function<Boolean, Session> getOrCreateSession) { 
+    @Override
+    public UserIdentity login(String u, Object c, Request req, Function<Boolean, Session> getOrCreateSession) {
         return null;
     }
 

cruise-control/src/main/java/com/linkedin/kafka/cruisecontrol/servlet/security/UserStoreAuthorizationService.java

@@ -0,0 +1,55 @@
+/*
+ * Copyright 2020 LinkedIn Corp. Licensed under the BSD 2-Clause License (the "License"). See License in the project root for license information.
+ */
+
+package com.linkedin.kafka.cruisecontrol.servlet.security;
+
+import com.linkedin.kafka.cruisecontrol.servlet.ExposedPropertyUserStore;
+import org.eclipse.jetty.security.UserIdentity;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.util.component.AbstractLifeCycle;
+import org.eclipse.jetty.util.resource.PathResourceFactory;
+import org.eclipse.jetty.util.resource.Resource;
+import java.nio.file.Path;
+
+/**
+ * Can be used for authorization scenarios where a file can be created in a secure location with a relatively
+ * low number of users. It follows the <code>username: password [,rolename ...]</code> format which corresponds to
+ * the format used with {@link org.eclipse.jetty.security.HashLoginService}.
+ */
+public class UserStoreAuthorizationService extends AbstractLifeCycle implements AuthorizationService {
+
+    private final ExposedPropertyUserStore _userStore;
+
+    public UserStoreAuthorizationService(String privilegesFilePath) {
+        this(userStoreFromFile(privilegesFilePath));
+    }
+
+    public UserStoreAuthorizationService(ExposedPropertyUserStore userStore) {
+        _userStore = userStore;
+    }
+
+    @Override
+    public UserIdentity getUserIdentity(Request request, String name) {
+        return _userStore.getUserIdentity(name);
+    }
+
+    @Override
+    protected void doStart() throws Exception {
+        super.doStart();
+        _userStore.start();
+    }
+
+    @Override
+    protected void doStop() throws Exception {
+        _userStore.stop();
+        super.doStop();
+    }
+
+    private static ExposedPropertyUserStore userStoreFromFile(String privilegesFilePath) {
+        ExposedPropertyUserStore userStore = new ExposedPropertyUserStore();
+        Resource res = new PathResourceFactory().newResource(Path.of(privilegesFilePath));
+        userStore.setConfig(res);
+        return userStore;
+    }
+}