Throughput limit exemptions for SR, PP #11692
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add a function to RpkTool to create an allow topic ACL for a user. A reusable part of acl_create_allow_cluster refactored.
dlex
commented
Jun 26, 2023
| // TBD: how to define the PP/SR ephemeral principal in one place | ||
| // and avoid dependency of `config` on `pandaproxy`? | ||
| YAML::Node service_node = node[ids::service]; | ||
| if (principal.name() == "__pandaproxy") { |
There was a problem hiding this comment.
@BenPope I'm looking for an advice from you what would be a good way to share this literal between pandaproxy and config.
There was a problem hiding this comment.
I guess we can move them to src/v/config.
BenPope
reviewed
Jun 28, 2023
| // TBD: how to define the PP/SR ephemeral principal in one place | ||
| // and avoid dependency of `config` on `pandaproxy`? | ||
| YAML::Node service_node = node[ids::service]; | ||
| if (principal.name() == "__pandaproxy") { |
There was a problem hiding this comment.
I guess we can move them to src/v/config.
| # - service: panda proxy | ||
| - name: match schema registry (principal 'ephemeral user') | ||
| principals: | ||
| - service: schema registry |
There was a problem hiding this comment.
Question: Why not keep this as security::principal_type? I.e., ephemeral_user rather than service?
I don't dislike it, but it adds an overloaded term.
There was a problem hiding this comment.
That would have exposed an implementation detail for the users. Currently the name of the ephemeral user used for SR/PP is not exposed anywhere, and is only a matter of the code. It can be e.g. a uuid as well, and it can be changed anytime.
Support --username/--password authentication options Add a function to check if the producer is running Log service name with progress messages so that in case of several producers running at the same time, it is possible to understand who is doing what
typos, renames, comments
when throughput group is matched, log the client address
Becasue of the unique_ptr involved, the default equality operator does not work correctly here.
`throughput_control_group` gets additional matching criteria by ACL principals (users, etc.). In yaml/json, there can now be a list of principals the group must match besides client_id if provided. Only the principal type `user` is supported in this commit.
Add user names to the matching pattern of throughput_control groups
acl_principal is now another key to snc_quotas_context. It is passed from the connection_context to create the context by matching with a tput ctrl group, and to verify whether the context is still valid.
A new test to verify that when a user matches a tput ctrl group, the connections authenticated by the user are not throttled while the rest still are.
to complement the logging of node configurations. Note that cluster_config.yaml records cluster config when nodes stop, whlie this log dumps the initial bootstrap config.
in tput group configuration, one can specify "service" instead of a "user", and specify SR or PP as the service, which internally transaltes into the corresponding acl principal
dlex
force-pushed
the
11438/tp-exemptions-for-principals
branch
from
f5bcee6
to
a562240
Compare
|
Force push: minor changes f/up review of #11555 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#11555 has introduced throughput limit exemptions for principal type
user. This change enhances that by introducing a special syntax of tput ctrl groups configuration that translates into the ephemeral users of PP and SR.Fixes #11438
Backports Required
Release Notes