michelin/ns4kafka

api allows creation of namespaces with dot

Closed this issue · 4 comments

piif commented

Describe the bug

kafkactl apply allows creating a namespace whose name contains a dot, but forbids using it.

To Reproduce

  1. Create a .yml resource file with

      apiVersion: v1
      kind: Namespace
      metadata:
        name: exam.ple
      spec:
        kafkaUser: ....

  2. Apply the resource : creation is accepted
    Namespace "exam.ple" created.

  3. Get the namespaces : namespace is listed

  4. Get topics inside this resource : kafkactl -n exam.ple get topics
    -> message Failed because resource forbidden (403).

Expected behavior

As this name is invalid, creation should be rejected.

Or dots in names should be accepted, but I suppose it's not because of the confusion it implies (impossible to know if a.b.c is topic c in namespace a.b or topic b.c in namespace a).

Environment (please complete the following information):

Kafkactl 1.11.3 + ns4kafka 1.11.8

Related to security rules denying special chars:

"^\\/api\\/namespaces\\/(?<namespace>[a-zA-Z0-9_-]+)"

Going to do additional tests, but "." in namespace names should not be an issue

piif commented

I made a test with a dot added in the regex, and everything seems ok for my use case.

This makes me realize there's a bug on topic ownership ACL here : https://github.com/michelin/ns4kafka/blob/master/src/main/java/com/michelin/ns4kafka/services/AccessControlEntryService.java#L106
Ns4kafka lets platform teams grant ownership on 2 distinct prefixes (say my.namespace- and my_namespace-). But for Kafka, this is a conflict. https://github.com/apache/kafka/blob/trunk/clients/src/main/java/org/apache/kafka/common/internals/Topic.java#L108-L110

Unrelated to this PR, the bug was always there. Doesn't sound too critical @loicgreffier

Addressing it in #367
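
An added example, not ns4kafka code and not written by anyone in this thread: it applies the route pattern quoted above to a request path, where it extracts `exam` rather than `exam.ple`, and it checks two ownership prefixes for the `.`/`_` overlap raised in the last comment. The class and method names are hypothetical; matching the path with `find()` and reusing the same character class at creation time are assumptions, and `unify` is a stand-alone reimplementation of the dot/underscore rule rather than a call into Kafka.

```java
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class NamespaceNameChecks {
    // Route pattern quoted in the thread: no dot allowed in the namespace segment.
    static final Pattern ROUTE =
        Pattern.compile("^\\/api\\/namespaces\\/(?<namespace>[a-zA-Z0-9_-]+)");
    // Assumption: creation-time validation reuses the same character class, anchored.
    static final Pattern VALID_NAME = Pattern.compile("^[a-zA-Z0-9_-]+$");

    // Namespace the route pattern extracts from a request path, or null if none.
    static String namespaceFromPath(String path) {
        Matcher m = ROUTE.matcher(path);
        return m.find() ? m.group("namespace") : null;
    }

    // True only if the name is valid and survives a round trip through the route pattern.
    static boolean isRoutable(String name) {
        return VALID_NAME.matcher(name).matches()
            && name.equals(namespaceFromPath("/api/namespaces/" + name + "/topics"));
    }

    // Kafka treats '.' and '_' as the same character when checking name collisions.
    static String unify(String s) {
        return s.replace('.', '_');
    }

    // Two ownership prefixes overlap if, once unified, one is a prefix of the other.
    static boolean prefixesCollide(String a, String b) {
        String ua = unify(a), ub = unify(b);
        return ua.startsWith(ub) || ub.startsWith(ua);
    }

    public static void main(String[] args) {
        // Constructed sample names; "exam.ple" is the one from the issue.
        for (String name : List.of("example", "exam.ple", "exam_ple")) {
            System.out.printf("%-9s routable=%-5b extracted=%s%n", name,
                isRoutable(name), namespaceFromPath("/api/namespaces/" + name + "/topics"));
        }
        // Prefixes from the last comment, then a constructed non-overlapping pair.
        System.out.println(prefixesCollide("my.namespace-", "my_namespace-"));
        System.out.println(prefixesCollide("my.namespace-", "other-"));
    }
}
```

Running the same `isRoutable` check when a namespace is created keeps the create endpoint and the route security rule in agreement about which names exist.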