security/acl: move get_resource_type body to acl.cc

pgellert · pgellert · commit 38d67f11fe9a · 2026-04-20T09:57:00.000+01:00
acl.h's consteval get_resource_type&lt;T&gt;() referenced
pandaproxy::schema_registry and kafka types inside its body, forcing
every consumer of security/acl.h to transitively pull both modules
through security's public API.

Move the body into acl.cc with explicit instantiations for the six
known types, matching the existing get_allowed_operations&lt;T&gt;() pattern
in the same file. Drop consteval since all call sites use the function
in runtime contexts. Move schema_registry:types and kafka/protocol
from security's deps to implementation_deps.

Rebuild fan-out on a types.h content-hash bump of
//src/v/pandaproxy/schema_registry/...:
  before: 347 CppCompile actions, 382.6s wall
  after:   71 CppCompile actions,  88.9s wall
  delta:  -276 actions (-79.5%), -294s (-76.8%)
diff --git a/src/v/security/BUILD b/src/v/security/BUILD
@@ -130,6 +130,8 @@ redpanda_cc_library(
         "types.h",
     ],
     implementation_deps = [
+        "//src/v/kafka/protocol",
+        "//src/v/pandaproxy/schema_registry:types",
         "//src/v/random:secure_random",
         "//src/v/thirdparty/krb5",
         "@abseil-cpp//absl/strings",
@@ -146,12 +148,10 @@ redpanda_cc_library(
         "//src/v/hashing:secure",
         "//src/v/http",
         "//src/v/json",
-        "//src/v/kafka/protocol",
         "//src/v/metrics",
         "//src/v/model",
         "//src/v/net",
         "//src/v/net:types",
-        "//src/v/pandaproxy/schema_registry:types",
         "//src/v/reflection:adl",
         "//src/v/security/audit:types",
         "//src/v/serde",
diff --git a/src/v/security/acl.cc b/src/v/security/acl.cc
@@ -12,6 +12,7 @@
 
 #include "absl/container/flat_hash_map.h"
 #include "absl/container/node_hash_map.h"
+#include "kafka/protocol/types.h"
 #include "pandaproxy/schema_registry/types.h"
 #include "security/acl_store.h"
 #include "security/logger.h"
@@ -832,6 +833,36 @@ void acl_binding_filter::testing_serde_full_read_v2(
     *this = acl_binding_filter{res._pattern, res._acl};
 }
 
+template<typename T>
+resource_type get_resource_type() {
+    if constexpr (std::is_same_v<T, model::topic>) {
+        return resource_type::topic;
+    } else if constexpr (std::is_same_v<T, kafka::group_id>) {
+        return resource_type::group;
+    } else if constexpr (std::is_same_v<T, acl_cluster_name>) {
+        return resource_type::cluster;
+    } else if constexpr (std::is_same_v<T, kafka::transactional_id>) {
+        return resource_type::transactional_id;
+    } else if constexpr (
+      std::is_same_v<T, pandaproxy::schema_registry::context_subject>) {
+        return resource_type::sr_subject;
+    } else if constexpr (
+      std::is_same_v<T, pandaproxy::schema_registry::registry_resource>) {
+        return resource_type::sr_registry;
+    } else {
+        static_assert(base::unsupported_type<T>::value, "Unsupported type");
+    }
+}
+
+template resource_type get_resource_type<model::topic>();
+template resource_type get_resource_type<kafka::group_id>();
+template resource_type get_resource_type<acl_cluster_name>();
+template resource_type get_resource_type<kafka::transactional_id>();
+template resource_type
+get_resource_type<pandaproxy::schema_registry::context_subject>();
+template resource_type
+get_resource_type<pandaproxy::schema_registry::registry_resource>();
+
 template<typename T>
 const std::vector<acl_operation>& get_allowed_operations() {
     static const std::vector<acl_operation> topic_resource_ops{
diff --git a/src/v/security/acl.h b/src/v/security/acl.h
@@ -13,9 +13,7 @@
 #include "absl/container/flat_hash_set.h"
 #include "base/seastarx.h"
 #include "base/type_traits.h"
-#include "kafka/protocol/types.h"
 #include "model/fundamental.h"
-#include "pandaproxy/schema_registry/types.h"
 #include "security/audit/schemas/types.h"
 #include "serde/envelope.h"
 #include "serde/rw/enum.h"
@@ -102,24 +100,7 @@ std::optional<resource_type>
 from_string_view<resource_type>(std::string_view str);
 
 template<typename T>
-consteval resource_type get_resource_type() {
-    namespace ppsr = pandaproxy::schema_registry;
-    if constexpr (std::is_same_v<T, model::topic>) {
-        return resource_type::topic;
-    } else if constexpr (std::is_same_v<T, kafka::group_id>) {
-        return resource_type::group;
-    } else if constexpr (std::is_same_v<T, security::acl_cluster_name>) {
-        return resource_type::cluster;
-    } else if constexpr (std::is_same_v<T, kafka::transactional_id>) {
-        return resource_type::transactional_id;
-    } else if constexpr (std::is_same_v<T, ppsr::context_subject>) {
-        return resource_type::sr_subject;
-    } else if constexpr (std::is_same_v<T, ppsr::registry_resource>) {
-        return resource_type::sr_registry;
-    } else {
-        static_assert(base::unsupported_type<T>::value, "Unsupported type");
-    }
-}
+resource_type get_resource_type();
 
 /*
  * A pattern rule for matching ACL resource names.
diff --git a/src/v/security/tests/BUILD b/src/v/security/tests/BUILD
@@ -75,6 +75,7 @@ redpanda_cc_gtest(
     ],
     deps = [
         "//src/v/config",
+        "//src/v/kafka/protocol",
         "//src/v/pandaproxy/schema_registry:types",
         "//src/v/random:generators",
         "//src/v/security",
diff --git a/src/v/security/tests/authorizer_test.cc b/src/v/security/tests/authorizer_test.cc
@@ -8,6 +8,7 @@
 // by the Apache License, Version 2.0
 #include "absl/container/flat_hash_set.h"
 #include "config/mock_property.h"
+#include "kafka/protocol/types.h"
 #include "pandaproxy/schema_registry/types.h"
 #include "random/generators.h"
 #include "security/acl.h"
