KAFKA-15370: ACL changes to support 2PC (KIP-939) (#19364)

rreddy-22 · web-flow · commit 598eb13d07e2 · 2025-04-15T08:39:46.000-07:00
This patch adds ACL support for 2PC as a part of KIP-939

A new value will be added to the enum AclOperation: TWO_PHASE_COMMIT
((byte) 15 .  When InitProducerId comes with enable2Pc=true, it would
have to have both WRITE and TWO_PHASE_COMMIT operation enabled on the
transactional id resource.

The kafka-acls.sh tool is going to support a new --operation
TwoPhaseCommit.

Reviewers: Artem Livshits &lt;alivshits@confluent.io&gt;, PoAn Yang
 &lt;poan.yang@suse.com&gt;, Justine Olshan &lt;jolshan@confluent.io&gt;
diff --git a/clients/src/main/java/org/apache/kafka/common/acl/AclOperation.java b/clients/src/main/java/org/apache/kafka/common/acl/AclOperation.java
@@ -112,7 +112,12 @@ public enum AclOperation {
     /**
      * DESCRIBE_TOKENS operation.
      */
-    DESCRIBE_TOKENS((byte) 14);
+    DESCRIBE_TOKENS((byte) 14),
+
+    /**
+     * TWO_PHASE_COMMIT operation.
+     */
+    TWO_PHASE_COMMIT((byte) 15);
 
     // Note: we cannot have more than 30 ACL operations without modifying the format used
     // to describe ACL operations in MetadataResponse.
diff --git a/clients/src/test/java/org/apache/kafka/common/acl/AclOperationTest.java b/clients/src/test/java/org/apache/kafka/common/acl/AclOperationTest.java
@@ -50,7 +50,8 @@ private static class AclOperationTestInfo {
         new AclOperationTestInfo(AclOperation.ALTER_CONFIGS, 11, "alter_configs", false),
         new AclOperationTestInfo(AclOperation.IDEMPOTENT_WRITE, 12, "idempotent_write", false),
         new AclOperationTestInfo(AclOperation.CREATE_TOKENS, 13, "create_tokens", false),
-        new AclOperationTestInfo(AclOperation.DESCRIBE_TOKENS, 14, "describe_tokens", false)
+        new AclOperationTestInfo(AclOperation.DESCRIBE_TOKENS, 14, "describe_tokens", false),
+        new AclOperationTestInfo(AclOperation.TWO_PHASE_COMMIT, 15, "two_phase_commit", false)
     };
 
     @Test
diff --git a/core/src/main/scala/kafka/server/KafkaApis.scala b/core/src/main/scala/kafka/server/KafkaApis.scala
@@ -1527,6 +1527,10 @@ class KafkaApis(val requestChannel: RequestChannel,
         requestHelper.sendErrorResponseMaybeThrottle(request, Errors.TRANSACTIONAL_ID_AUTHORIZATION_FAILED.exception)
         return
       }
+      if (initProducerIdRequest.enable2Pc() && !authHelper.authorize(request.context, TWO_PHASE_COMMIT, TRANSACTIONAL_ID, transactionalId)) {
+        requestHelper.sendErrorResponseMaybeThrottle(request, Errors.TRANSACTIONAL_ID_AUTHORIZATION_FAILED.exception)
+        return
+      }
     } else if (!authHelper.authorize(request.context, IDEMPOTENT_WRITE, CLUSTER, CLUSTER_NAME, true, false)
         && !authHelper.authorizeByResourceType(request.context, AclOperation.WRITE, ResourceType.TOPIC)) {
       requestHelper.sendErrorResponseMaybeThrottle(request, Errors.CLUSTER_AUTHORIZATION_FAILED.exception)
diff --git a/core/src/test/scala/unit/kafka/security/authorizer/AuthorizerTest.scala b/core/src/test/scala/unit/kafka/security/authorizer/AuthorizerTest.scala
@@ -395,9 +395,9 @@ class AuthorizerTest extends QuorumTestHarness with BaseAuthorizerTest {
   @ValueSource(strings = Array(KRAFT))
   def testAclInheritance(quorum: String): Unit = {
     testImplicationsOfAllow(AclOperation.ALL, Set(READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE,
-      CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, CREATE_TOKENS, DESCRIBE_TOKENS))
+      CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, CREATE_TOKENS, DESCRIBE_TOKENS, TWO_PHASE_COMMIT))
     testImplicationsOfDeny(AclOperation.ALL, Set(READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE,
-      CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, CREATE_TOKENS, DESCRIBE_TOKENS))
+      CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, CREATE_TOKENS, DESCRIBE_TOKENS, TWO_PHASE_COMMIT))
     testImplicationsOfAllow(READ, Set(DESCRIBE))
     testImplicationsOfAllow(WRITE, Set(DESCRIBE))
     testImplicationsOfAllow(DELETE, Set(DESCRIBE))
diff --git a/core/src/test/scala/unit/kafka/server/KafkaApisTest.scala b/core/src/test/scala/unit/kafka/server/KafkaApisTest.scala
@@ -1802,6 +1802,136 @@ class KafkaApisTest extends Logging {
     }
   }
 
+  @Test
+  def testInitProducerIdWithEnable2PcFailsWithoutTwoPhaseCommitAcl(): Unit = {
+    val transactionalId = "txnId"
+    addTopicToMetadataCache("topic", numPartitions = 1)
+
+    val initProducerIdRequest = new InitProducerIdRequest.Builder(
+      new InitProducerIdRequestData()
+        .setTransactionalId(transactionalId)
+        .setTransactionTimeoutMs(TimeUnit.MINUTES.toMillis(15).toInt)
+        .setEnable2Pc(true)
+        .setProducerId(RecordBatch.NO_PRODUCER_ID)
+        .setProducerEpoch(RecordBatch.NO_PRODUCER_EPOCH)
+    ).build(6.toShort) // Use version 6 which supports enable2Pc
+
+    val request = buildRequest(initProducerIdRequest)
+    val requestLocal = RequestLocal.withThreadConfinedCaching
+    val authorizer: Authorizer = mock(classOf[Authorizer])
+    kafkaApis = createKafkaApis(authorizer = Some(authorizer))
+
+    // Allow WRITE but deny TWO_PHASE_COMMIT
+    when(authorizer.authorize(
+      any(),
+      ArgumentMatchers.eq(Collections.singletonList(new Action(
+        AclOperation.WRITE,
+        new ResourcePattern(ResourceType.TRANSACTIONAL_ID, transactionalId, PatternType.LITERAL),
+        1,
+        true,
+        true)))
+    )).thenReturn(Collections.singletonList(AuthorizationResult.ALLOWED))
+
+    when(authorizer.authorize(
+      any(),
+      ArgumentMatchers.eq(Collections.singletonList(new Action(
+        AclOperation.TWO_PHASE_COMMIT,
+        new ResourcePattern(ResourceType.TRANSACTIONAL_ID, transactionalId, PatternType.LITERAL),
+        1,
+        true,
+        true)))
+    )).thenReturn(Collections.singletonList(AuthorizationResult.DENIED))
+
+    val capturedResponse = ArgumentCaptor.forClass(classOf[InitProducerIdResponse])
+
+    kafkaApis.handleInitProducerIdRequest(request, requestLocal)
+
+    verify(requestChannel).sendResponse(
+      ArgumentMatchers.eq(request),
+      capturedResponse.capture(),
+      ArgumentMatchers.eq(None)
+    )
+
+    assertEquals(Errors.TRANSACTIONAL_ID_AUTHORIZATION_FAILED.code, capturedResponse.getValue.data.errorCode)
+  }
+
+  @Test
+  def testInitProducerIdWithEnable2PcSucceedsWithTwoPhaseCommitAcl(): Unit = {
+    val transactionalId = "txnId"
+    addTopicToMetadataCache("topic", numPartitions = 1)
+
+    val initProducerIdRequest = new InitProducerIdRequest.Builder(
+      new InitProducerIdRequestData()
+        .setTransactionalId(transactionalId)
+        .setTransactionTimeoutMs(TimeUnit.MINUTES.toMillis(15).toInt)
+        .setEnable2Pc(true)
+        .setProducerId(RecordBatch.NO_PRODUCER_ID)
+        .setProducerEpoch(RecordBatch.NO_PRODUCER_EPOCH)
+    ).build(6.toShort) // Use version 6 which supports enable2Pc
+
+    val request = buildRequest(initProducerIdRequest)
+    val requestLocal = RequestLocal.withThreadConfinedCaching
+    val authorizer: Authorizer = mock(classOf[Authorizer])
+    kafkaApis = createKafkaApis(authorizer = Some(authorizer))
+
+    // Both permissions are allowed
+    when(authorizer.authorize(
+      any(),
+      ArgumentMatchers.eq(Collections.singletonList(new Action(
+        AclOperation.WRITE,
+        new ResourcePattern(ResourceType.TRANSACTIONAL_ID, transactionalId, PatternType.LITERAL),
+        1,
+        true,
+        true)))
+    )).thenReturn(Collections.singletonList(AuthorizationResult.ALLOWED))
+
+    when(authorizer.authorize(
+      any(),
+      ArgumentMatchers.eq(Collections.singletonList(new Action(
+        AclOperation.TWO_PHASE_COMMIT,
+        new ResourcePattern(ResourceType.TRANSACTIONAL_ID, transactionalId, PatternType.LITERAL),
+        1,
+        true,
+        true)))
+    )).thenReturn(Collections.singletonList(AuthorizationResult.ALLOWED))
+
+    val responseCallback = ArgumentCaptor.forClass(classOf[InitProducerIdResult => Unit])
+
+    when(txnCoordinator.handleInitProducerId(
+      ArgumentMatchers.eq(transactionalId),
+      anyInt(),
+      ArgumentMatchers.eq(true), // enable2Pc = true
+      anyBoolean(),
+      any(),
+      responseCallback.capture(),
+      ArgumentMatchers.eq(requestLocal)
+    )).thenAnswer(_ => responseCallback.getValue.apply(InitProducerIdResult(15L, 0.toShort, Errors.NONE)))
+
+    kafkaApis.handleInitProducerIdRequest(request, requestLocal)
+
+    // Verify coordinator was called with enable2Pc=true
+    verify(txnCoordinator).handleInitProducerId(
+      ArgumentMatchers.eq(transactionalId),
+      anyInt(),
+      ArgumentMatchers.eq(true), // enable2Pc = true
+      anyBoolean(),
+      any(),
+      any(),
+      ArgumentMatchers.eq(requestLocal)
+    )
+
+    val capturedResponse = ArgumentCaptor.forClass(classOf[InitProducerIdResponse])
+    verify(requestChannel).sendResponse(
+      ArgumentMatchers.eq(request),
+      capturedResponse.capture(),
+      ArgumentMatchers.eq(None)
+    )
+
+    assertEquals(Errors.NONE.code, capturedResponse.getValue.data.errorCode)
+    assertEquals(15L, capturedResponse.getValue.data.producerId)
+    assertEquals(0, capturedResponse.getValue.data.producerEpoch)
+  }
+
   @Test
   def testBatchedAddPartitionsToTxnRequest(): Unit = {
     val topic = "topic"
diff --git a/server/src/main/java/org/apache/kafka/security/authorizer/AclEntry.java b/server/src/main/java/org/apache/kafka/security/authorizer/AclEntry.java
@@ -38,6 +38,7 @@
 import static org.apache.kafka.common.acl.AclOperation.DESCRIBE_TOKENS;
 import static org.apache.kafka.common.acl.AclOperation.IDEMPOTENT_WRITE;
 import static org.apache.kafka.common.acl.AclOperation.READ;
+import static org.apache.kafka.common.acl.AclOperation.TWO_PHASE_COMMIT;
 import static org.apache.kafka.common.acl.AclOperation.WRITE;
 
 public class AclEntry {
@@ -59,7 +60,7 @@ public static Set<AclOperation> supportedOperations(ResourceType resourceType) {
             case CLUSTER:
                 return new HashSet<>(Arrays.asList(CREATE, CLUSTER_ACTION, DESCRIBE_CONFIGS, ALTER_CONFIGS, IDEMPOTENT_WRITE, ALTER, DESCRIBE));
             case TRANSACTIONAL_ID:
-                return new HashSet<>(Arrays.asList(DESCRIBE, WRITE));
+                return new HashSet<>(Arrays.asList(DESCRIBE, WRITE, TWO_PHASE_COMMIT));
             case DELEGATION_TOKEN:
                 return Set.of(DESCRIBE);
             case USER:
diff --git a/tools/src/test/java/org/apache/kafka/tools/AclCommandTest.java b/tools/src/test/java/org/apache/kafka/tools/AclCommandTest.java
@@ -65,6 +65,7 @@
 import static org.apache.kafka.common.acl.AclOperation.DESCRIBE_TOKENS;
 import static org.apache.kafka.common.acl.AclOperation.IDEMPOTENT_WRITE;
 import static org.apache.kafka.common.acl.AclOperation.READ;
+import static org.apache.kafka.common.acl.AclOperation.TWO_PHASE_COMMIT;
 import static org.apache.kafka.common.acl.AclOperation.WRITE;
 import static org.apache.kafka.common.acl.AclPermissionType.ALLOW;
 import static org.apache.kafka.common.acl.AclPermissionType.DENY;
@@ -160,8 +161,8 @@ public class AclCommandTest {
             Set.of(READ, DESCRIBE, DELETE),
             List.of(OPERATION, "Read", OPERATION, "Describe", OPERATION, "Delete")),
         TRANSACTIONAL_ID_RESOURCES, Map.entry(
-            Set.of(DESCRIBE, WRITE),
-            List.of(OPERATION, "Describe", OPERATION, "Write")),
+            Set.of(DESCRIBE, WRITE, TWO_PHASE_COMMIT),
+            List.of(OPERATION, "Describe", OPERATION, "Write", OPERATION, "TwoPhaseCommit")),
         TOKEN_RESOURCES, Map.entry(
             Set.of(DESCRIBE),
             List.of(OPERATION, "Describe")),
