[fix][broker] Fix tenant admin authorization bug.#20068
Conversation
dragonls
force-pushed
the
master-fix-tenant-admin-auth
branch
from
093e668 to
78d265f
Compare
|
In fact, there are many places in the current code that check the permission of super user or tenant admin:
Maybe we need to uniformly add/update permission check wherever we need. And also remove some reduplicated check, for example:
I am just afaid that there are still some authorization bug not found. What do you think? @Technoboy- @nodece |
|
I know these cases, I want to deprecate the |
Sounds good. I can do this after this PR merged. |
Yes, this will keep the logic the same. But we'd better discuss it in the dev mail list first. |
|
Make sense. I also find some function in Maybe we can do the same thing. |
|
/pulsarbot rerun-failure-checks |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #20068 +/- ##
=============================================
+ Coverage 24.26% 72.96% +48.69%
- Complexity 294 31823 +31529
=============================================
Files 1609 1868 +259
Lines 125669 138332 +12663
Branches 13707 15220 +1513
=============================================
+ Hits 30490 100930 +70440
+ Misses 90689 29390 -61299
- Partials 4490 8012 +3522
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
michaeljmarshall
left a comment
michaeljmarshall
left a comment
There was a problem hiding this comment.
I don't think we want to change the canProduceAsync and canConsumeAsync methods. Instead, we can change the calling code. Let me know what you think.
I didn't find dead loop. Can you be more specific? |
Sorry that I provide an incorrect review. |
|
/pulsarbot rerun-failure-checks |
|
Thank @dragonls for your contribution! |
…)" This reverts commit fc17c1d.
…ache#20068)"" This reverts commit bc3346a.
…20142) Fixes: #20066 ### Motivation In #20068 we changed the way that the `AuthorizationService` is implemented. I think we should change the `Consumer` and the `Producer` logic to call the correct `AuthorizationService` method. Given that our goal is to deprecate the `AuthorizationService` methods for `canProduce` and `canConsume`, this change helps us move in the right direction. ### Modifications * Update `Producer` and `Consumer` in broker to call the `AuthorizationService#allowTopicOperationAsync` method. ### Verifying this change This change is trivial. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping PR as I ran tests locally.
…#20143) This reverts commit fc17c1d. ### Motivation In #20068 we changed the way that the `AuthorizationService` is implemented. I think this approach could have unintended consequences. Instead, I think we should change the `Consumer` and the `Producer` logic to call the correct `AuthorizationService` method. I propose an update to the `Consumer` and `Producer` logic here #20142. Given that our goal is to deprecate the `AuthorizationService` methods for `canProduce` and `canConsume`, I think we should not change their implementations. ### Modifications * Revert #20068 ### Verifying this change This change is trivial. It removes certain test changes that were only made to make the previous PR work. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping PR as I ran tests locally.
OK. I looked into all relative discussion, the right direction seems to be:
|
|
To avoid conflicts, I cherry-picked all three patches into branch |
Co-authored-by: druidliu <druidliu@tencent.com> (cherry picked from commit fc17c1d)
…20142) Fixes: #20066 ### Motivation In #20068 we changed the way that the `AuthorizationService` is implemented. I think we should change the `Consumer` and the `Producer` logic to call the correct `AuthorizationService` method. Given that our goal is to deprecate the `AuthorizationService` methods for `canProduce` and `canConsume`, this change helps us move in the right direction. ### Modifications * Update `Producer` and `Consumer` in broker to call the `AuthorizationService#allowTopicOperationAsync` method. ### Verifying this change This change is trivial. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping PR as I ran tests locally. (cherry picked from commit dc5e497)
…#20143) This reverts commit fc17c1d. ### Motivation In #20068 we changed the way that the `AuthorizationService` is implemented. I think this approach could have unintended consequences. Instead, I think we should change the `Consumer` and the `Producer` logic to call the correct `AuthorizationService` method. I propose an update to the `Consumer` and `Producer` logic here #20142. Given that our goal is to deprecate the `AuthorizationService` methods for `canProduce` and `canConsume`, I think we should not change their implementations. ### Modifications * Revert #20068 ### Verifying this change This change is trivial. It removes certain test changes that were only made to make the previous PR work. ### Documentation - [x] `doc-not-needed` ### Matching PR in forked repository PR in forked repository: Skipping PR as I ran tests locally. (cherry picked from commit 00dc7a0)
7 participants
Fixes #20066
Motivation
Fixes the bug that producers/consumers will all disconnect while using tenant admin to produce/consume.
The root cause is that the permission check logic is not the same bewteen
org.apache.pulsar.broker.service.ServerCnxandorg.apache.pulsar.broker.service.persistent.PersistentTopic#onPoliciesUpdate.In
org.apache.pulsar.broker.service.ServerCnx, whilehandleProducerandhandleSubscribe, the permission check will go toisTopicOperationAllowedand finally be processed byorg.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#allowTopicOperationAsync, which willvalidateTenantAdminAccess. Everything is fine.In
org.apache.pulsar.broker.service.persistent.PersistentTopic#onPoliciesUpdate, it checks the permission byproducer.checkPermissionsAsyncandconsumer.checkPermissionsAsync. Let's take the processing logic of the producer as an example. It will be processed byorg.apache.pulsar.broker.authorization.AuthorizationService#canProduceAsyncand finallyorg.apache.pulsar.broker.authorization.PulsarAuthorizationProvider#canProduceAsync. The tenant admin can not pass the check.Modifications
Update
org.apache.pulsar.broker.authorization.AuthorizationProvider#canProduceAsynctoorg.apache.pulsar.broker.authorization.AuthorizationProvider#allowTopicOperationAsyncinorg.apache.pulsar.broker.authorization.AuthorizationService#canProduceAsync. So doorg.apache.pulsar.broker.authorization.AuthorizationService#canConsumeAsyncandorg.apache.pulsar.broker.authorization.AuthorizationService#canLookupAsyncVerifying this change
This change added tests and can be verified as follows:
org.apache.pulsar.broker.auth.AuthorizationTest#simpleorg.apache.pulsar.websocket.proxy.ProxyAuthorizationTestDoes this pull request potentially affect one of the following parts:
If the box was checked, please highlight the changes
Documentation
docdoc-requireddoc-not-neededdoc-completeMatching PR in forked repository
PR in forked repository: dragonls#7