
Auth acl v1.5 #80

Merged
kamir merged 3 commits into KafScale:main from novatechflow:auth-acl-v1.5
Jan 29, 2026

Conversation

@novatechflow
Collaborator

PR v1.5 roadmap: Auth, ACL coverage, and proxy protocol hardening

Summary

This PR implements the v1.5 auth groundwork: broker-side ACL enforcement improvements, connection-level principal plumbing with PROXY protocol support, expanded ACL test coverage, and documentation updates. It also adds rate-limited auth denial logs and tightens proxy protocol parsing behavior.

Key Changes

  • Added connection-scoped auth context and PROXY protocol v1/v2 parsing for principal derivation.
  • New principal sources via env: client_id (default), remote_addr, proxy_addr; with fail‑closed behavior when PROXY protocol is enabled.
  • Rate-limited authorization‑denied logs + metrics for visibility.
  • Expanded ACL tests (admin ops + group write paths) and e2e ACL coverage.
  • Helm/operator wiring for new auth/principal envs.
  • Docs updates: operations/security/protocol alignments, trust boundary notes, proxy header limits, fail‑closed behavior.
  • Ignore local notes/ directory in .gitignore.

Details

  • Broker auth plumbing
    • Conn context + principal source selection.
    • PROXY protocol parsing with v1 max header length and v2 LOCAL handling.
    • Fail‑closed when KAFSCALE_PROXY_PROTOCOL=true and header missing/invalid.
  • ACL enforcement and tests
    • Unit/protocol tests for CreateTopics/DeleteTopics/AlterConfigs/CreatePartitions/DeleteGroups.
    • Unit/protocol tests for Join/Sync/Heartbeat/Leave/OffsetCommit.
    • e2e ACL test coverage (TestACLsE2E).
  • Docs
    • Operations: principal source options, trust boundary, fail‑closed behavior, header limits, LOCAL note.
    • Security: ACL posture and proxy protocol notes.
    • Protocol: SASL handshake behavior clarified.
  • Helm/Operator
    • New values + env passthrough for principal source and proxy protocol.

Tests

  • make test
  • make test-acl

Notes for Reviewers

  • PROXY v1 header length is capped at 256 bytes (rejects oversized headers).
  • PROXY v2 LOCAL is accepted (no identity); ensure LB health checks don’t require ACL-protected operations.
  • ACLs with client_id remain spoofable unless trusted edge auth is enforced; warnings are logged on startup.
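
The header handling that the Key Changes and Notes for Reviewers above describe, as an added example in Go; this is not KafScale's code, and the identifiers (ProxyInfo, ParseProxyHeader, Principal, the bare "client_id"/"remote_addr"/"proxy_addr" strings standing in for the env value) are assumptions, as is reading remote_addr as the TCP peer and proxy_addr as the source address carried in the PROXY header. It parses v1 and v2, rejects a v1 line that reaches 256 bytes without a CRLF, accepts v2 LOCAL as "no identity", fails closed when the protocol is enabled and the header is missing or malformed, and then derives the principal from the selected source. The sample headers in the comments are constructed, not captured traffic.

```go
package main

import (
	"bufio"
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"strconv"
	"strings"
)

const MaxV1HeaderLen = 256 // v1 cap from the PR notes; the PROXY spec itself allows at most 107 bytes

var v2Signature = []byte("\r\n\r\n\x00\r\nQUIT\n") // fixed 12-byte v2 preamble
var ErrHeaderMissing = errors.New("proxy protocol: header missing")
var ErrHeaderInvalid = errors.New("proxy protocol: header invalid")
var ErrV1TooLong = errors.New("proxy protocol: v1 header exceeds limit")
type ProxyInfo struct {
	Local   bool // header present but carrying no identity (v2 LOCAL)
	SrcIP   net.IP
	SrcPort int
}

// ParseProxyHeader consumes one PROXY v1 or v2 header; anything else is an error, never a fallback to the TCP peer.
func ParseProxyHeader(r *bufio.Reader) (*ProxyInfo, error) {
	if sig, _ := r.Peek(len(v2Signature)); bytes.Equal(sig, v2Signature) {
		return parseV2(r)
	} else if bytes.HasPrefix(sig, []byte("PROXY ")) {
		return parseV1(r)
	}
	return nil, ErrHeaderMissing
}

func parseV1(r *bufio.Reader) (*ProxyInfo, error) {
	var line []byte
	for !bytes.HasSuffix(line, []byte("\r\n")) { // byte-wise, so the cap applies before any CRLF is seen
		if len(line) >= MaxV1HeaderLen {
			return nil, ErrV1TooLong
		}
		b, err := r.ReadByte()
		if err != nil || (b == '\n' && !bytes.HasSuffix(line, []byte("\r"))) {
			return nil, ErrHeaderInvalid
		}
		line = append(line, b)
	}
	f := strings.Split(strings.TrimSuffix(string(line), "\r\n"), " ")
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") { // "PROXY UNKNOWN" lands here and is rejected
		return nil, ErrHeaderInvalid
	}
	port, err := strconv.Atoi(f[4])
	if src := net.ParseIP(f[2]); src != nil && net.ParseIP(f[3]) != nil && err == nil && port >= 0 && port <= 65535 {
		return &ProxyInfo{SrcIP: src, SrcPort: port}, nil
	}
	return nil, ErrHeaderInvalid
}

func parseV2(r *bufio.Reader) (*ProxyInfo, error) {
	hdr := make([]byte, 16) // signature, ver/cmd, family/proto, 2-byte address length
	if _, err := io.ReadFull(r, hdr); err != nil || hdr[12]>>4 != 2 || hdr[12]&0x0F > 1 {
		return nil, ErrHeaderInvalid // short, wrong version, or a command other than LOCAL/PROXY
	}
	addr := make([]byte, binary.BigEndian.Uint16(hdr[14:16]))
	if _, err := io.ReadFull(r, addr); err != nil {
		return nil, ErrHeaderInvalid
	}
	if hdr[12]&0x0F == 0 { // LOCAL: the LB's own health check, accepted with no identity
		return &ProxyInfo{Local: true}, nil
	}
	ipLen := map[byte]int{0x11: 4, 0x21: 16}[hdr[13]] // TCP/IPv4, TCP/IPv6; UNSPEC, UNIX and UDP are not trusted
	if ipLen == 0 || len(addr) < 2*ipLen+4 {
		return nil, ErrHeaderInvalid
	}
	return &ProxyInfo{SrcIP: net.IP(addr[:ipLen]), SrcPort: int(binary.BigEndian.Uint16(addr[2*ipLen:]))}, nil
}

// Principal derives the principal for one of the PR's three sources ("" = no identity); with the PROXY protocol on, a bad header rejects the connection.
func Principal(source string, proxyProtocol bool, r *bufio.Reader, remoteAddr, clientID string) (string, error) {
	info, err := &ProxyInfo{Local: true}, error(nil) // without a header there is no header-derived identity
	if proxyProtocol {
		if info, err = ParseProxyHeader(r); err != nil {
			return "", fmt.Errorf("rejecting %s: %w", remoteAddr, err) // fail closed
		}
	}
	switch source {
	case "remote_addr": // the TCP peer, which is the LB itself when one is in front
		host, _, err := net.SplitHostPort(remoteAddr)
		return host, err
	case "proxy_addr": // the original client as the edge reported it, e.g. "PROXY TCP4 203.0.113.7 10.0.0.5 51234 9092\r\n"
		if info.Local {
			return "", nil
		}
		return info.SrcIP.String(), nil
	default: // client_id: chosen by the client, hence spoofable without trusted edge auth
		return clientID, nil
	}
}
```

Two caveats that belong next to the trust-boundary note: proxy_addr is only as trustworthy as the listener's reachability, because any peer that can open a TCP connection directly to the broker can write its own PROXY line, so the listener must be reachable only from the edge; and this example treats proxy_addr without the protocol enabled, and the v1 "PROXY UNKNOWN" form, as no identity or as a rejected header respectively, so a v1 health check would need a branch like the v2 LOCAL one.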

Collaborator

@kamir kamir left a comment

PR review — approve/close

Context applied: v1.5 “pragmatic auth groundwork” for OSS with K8s edge security.
Given this scope, I see no blocking issues.

Notes (non‑blocking, can follow up)

Multi‑group authorization in DescribeGroups/DeleteGroups is currently all‑or‑nothing; consider per‑group results later for correctness in mixed‑visibility scenarios.

Everything else aligns with the v1.5 plan (ACL checks, principal propagation, auth metrics/logs, console rate limiting, docs/tests).
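
The all-or-nothing point in the review above, as an added example in Go that is not KafScale's code: a toy in-memory ACL table evaluated both ways, so the difference in a mixed-visibility DescribeGroups or DeleteGroups request is visible. The names (Authorizer, ACLEntry, AllOrNothing, PerGroup), the sample principals and groups, and the table itself are assumptions; the error code 30 is Kafka's GROUP_AUTHORIZATION_FAILED, which those responses already carry per group.

```go
package main

import "fmt"

// Kafka protocol error codes carried per group in DescribeGroups/DeleteGroups responses.
const (
	ErrNone                     int16 = 0
	ErrGroupAuthorizationFailed int16 = 30
)

// ACLEntry grants one principal one operation on one group (toy table, not KafScale's ACL model).
type ACLEntry struct{ Principal, Op, Group string }

type Authorizer struct{ allow map[ACLEntry]bool }

func NewAuthorizer(entries ...ACLEntry) *Authorizer {
	a := &Authorizer{allow: make(map[ACLEntry]bool, len(entries))}
	for _, e := range entries {
		a.allow[e] = true
	}
	return a
}

// AllOrNothing is the behaviour the review describes: one unauthorized group fails the whole
// request, so the caller gets no result even for the groups it is allowed to see.
func (a *Authorizer) AllOrNothing(principal, op string, groups []string) (map[string]int16, error) {
	for _, g := range groups {
		if !a.allow[ACLEntry{principal, op, g}] {
			return nil, fmt.Errorf("%s: %s denied on group %q", principal, op, g)
		}
	}
	res := make(map[string]int16, len(groups))
	for _, g := range groups {
		res[g] = ErrNone
	}
	return res, nil
}

// PerGroup is the suggested follow-up: evaluate each group on its own and carry the decision in
// that group's error code, which is what the per-group response layout is there for.
func (a *Authorizer) PerGroup(principal, op string, groups []string) map[string]int16 {
	res := make(map[string]int16, len(groups))
	for _, g := range groups {
		res[g] = ErrGroupAuthorizationFailed
		if a.allow[ACLEntry{principal, op, g}] {
			res[g] = ErrNone
		}
	}
	return res
}

func main() {
	// Constructed ACLs: alice may describe two of the three groups she asks about.
	acl := NewAuthorizer(ACLEntry{"alice", "Describe", "payments"}, ACLEntry{"alice", "Describe", "billing"})
	groups := []string{"payments", "billing", "fraud"}
	if _, err := acl.AllOrNothing("alice", "Describe", groups); err != nil {
		fmt.Println("all-or-nothing:", err)
	}
	for g, code := range acl.PerGroup("alice", "Describe", groups) {
		fmt.Printf("per-group: %-8s error_code=%d\n", g, code)
	}
}
```

The per-group form is also what an operator sees in practice: a console user with Describe on some groups gets their groups back and a per-group denial for the rest, instead of an empty response that looks like a broker fault.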

@kamir
Collaborator

kamir commented Jan 29, 2026

Local tests are W.I.P.

make test-acl => passed.

Ran: make test-acl
Result: e2e 9.070s

make test => passed.

Ran: make test (with escalated permissions)
Result: all packages ok; go vet + go test -race ./... succeeded.
Note: linker warnings about malformed LC_DYSYMTAB appeared for several test binaries, but tests completed successfully.

@kamir kamir merged commit 34d0c85 into KafScale:main Jan 29, 2026
4 checks passed