api allows creation of namespaces with dot
Closed this issue · 4 comments
Describe the bug
kafkactl apply
allows to create a namespace whose name contains a dot, but forbids to use it.
To Reproduce
- Create a .yml resource file with
apiVersion: v1
kind: Namespace
metadata:
name: exam.ple
spec:
kafkaUser: ....
-
Apply the resource : creation is accepted
Namespace "exam.ple" created.
-
Get the namespaces : namespace is listed
-
Get topics inside this resource :
kafkactl -n exam.ple get topics
-> messageFailed because resource forbidden (403).
Expected behavior
As this name is invalid, creation should be rejected.
Or dots in names should be accepted, but I suppose it's not because of the confusion it implies (impossible to know if a.b.c
is topic c
in namespace a.b
or topic b.c
in namespace a
Environment (please complete the following information):
Kafkactl 1.11.3 + ns4kafka 1.11.8
Related to security rules denying special chars:
Going to do additional tests, but "." in namespace names should not be an issue
I made a test with a dot added in the regex, and everything seems ok for my use case.
This makes me realize there's a bug on topic ownership ACL here : https://github.com/michelin/ns4kafka/blob/master/src/main/java/com/michelin/ns4kafka/services/AccessControlEntryService.java#L106
Ns4kafka lets platform teams grant ownership on 2 distinct prefixes (say my.namespace-
and my_namespace-
). But for Kafka, this is a conflict. https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/internals/Topic.java#L108-L110
Unrelated to this PR, the bug was always there. Doesn't sound too critical @loicgreffier
Addressing it in #367