Posted to commits@pulsar.apache.org by pe...@apache.org on 2021/06/28 14:37:50 UTC

[pulsar] branch master updated: Fix subscription permission not working in reset cursor (#11132)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new da66d0e  Fix subscription permission not working in reset cursor (#11132)
da66d0e is described below

commit da66d0e2212c99a5a7e346c38778af0f1276e7d1
Author: Zhanpeng Wu <zh...@qq.com>
AuthorDate: Mon Jun 28 22:37:15 2021 +0800

    Fix subscription permission not working in reset cursor (#11132)
    
    ### Motivation
    
    Some `internalResetCursorXX` methods do not pass the `subscriptionName` parameter when verifying permissions, which causes the `subscription` check to be skipped during the permission check in `AuthorizationProvider#canConsumeAsync` and leads to an incorrect validation result. This PR fixes the problem.
    
    ### Modifications
    
    Refine the parameters of `validateTopicOperation` and add a related test case.
---
 .../org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java | 4 ++--
 .../pulsar/client/api/AuthorizationProducerConsumerTest.java      | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
index 195bff4..5a3f88e 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
@@ -1934,7 +1934,7 @@ public class PersistentTopicsBase extends AdminResource {
                                        boolean authoritative) {
         try {
             validateTopicOwnership(topicName, authoritative);
-            validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+            validateTopicOperation(topicName, TopicOperation.RESET_CURSOR, subName);
 
             log.info("[{}] [{}] Received reset cursor on subscription {} to time {}",
                     clientAppId(), topicName, subName, timestamp);
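Review bot: The subscription-level check still depends on each caller remembering the third argument: the two-argument form `validateTopicOperation(topicName, TopicOperation.RESET_CURSOR)` remains callable, and per the commit message it silently skips the subscription check in `AuthorizationProvider#canConsumeAsync`. The same applies to the second hunk at -2157. Add a comment on the call such as `// subName is required: without it the subscription-level permission is not evaluated`, and consider having subscription-scoped operations reject a missing subscription name so an omission fails closed rather than open. Other subscription-scoped admin operations in this file are not visible here and may deserve the same audit. The enclosing method starts and ends outside the hunk.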
@@ -2157,7 +2157,7 @@ public class PersistentTopicsBase extends AdminResource {
             return;
         } else {
             validateTopicOwnership(topicName, authoritative);
-            validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+            validateTopicOperation(topicName, TopicOperation.RESET_CURSOR, subName);
 
             PersistentTopic topic = (PersistentTopic) getTopicReference(topicName);
             if (topic == null) {
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 1e0700e..e346086 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -247,6 +247,14 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
             // Ok
         }
 
+        // reset on position
+        try {
+            sub1Admin.topics().resetCursor(topicName, subscriptionName, MessageId.earliest);
+            fail("should have fail with authorization exception");
+        } catch (org.apache.pulsar.client.admin.PulsarAdminException.NotAuthorizedException e) {
+            // Ok
+        }
+
         // now, grant subscription-access to subscriptionRole as well
         superAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName,
                 Sets.newHashSet(otherPrincipal, subscriptionRole));
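Review bot: Only the position-based reset is asserted here, while the commit also changes the timestamp-based path in PersistentTopicsBase. Unless the lines above the hunk already cover it, add the same negative case with `sub1Admin.topics().resetCursor(topicName, subscriptionName, System.currentTimeMillis());`. A matching positive call by a role in the granted set, placed after the `grantPermissionOnSubscription` call, would also show that the check admits an authorized principal rather than denying every caller. The test method starts and ends outside the hunk.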