You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2020/12/10 08:47:32 UTC
[GitHub] [pulsar] zymap opened a new pull request #8893: (WIP)Add auth action for package management service
zymap opened a new pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893
---
Master Issue: #8676
*Motivation*
Add auth action 'package' for package management operations.
Only the role who is granted the 'package' permission can do
the package operations.
*Modifications*
- Add 'package' auth action and check the permissions when access the REST API
- Add integration test for this
*Verify this change*
- Add integraion test for this
<!--
### Contribution Checklist
- Name the pull request in the form "[Issue XYZ][component] Title of the pull request", where *XYZ* should be replaced by the actual issue number.
Skip *Issue XYZ* if there is no associated github issue for this pull request.
Skip *component* if you are unsure about which is the best component. E.g. `[docs] Fix typo in produce method`.
- Fill out the template below to describe the changes contributed by the pull request. That will give reviewers the context they need to do the review.
- Each pull request should address only one issue, not mix up code from multiple issues.
- Each commit in the pull request has a meaningful commit message
- Once all items of the checklist are addressed, remove the above text and this checklist, leaving only the filled out template below.
**(The sections below can be removed for hotfixes of typos)**
-->
*(If this PR fixes a github issue, please add `Fixes #<xyz>`.)*
Fixes #<xyz>
*(or if this PR is one task of a github issue, please add `Master Issue: #<xyz>` to link to the master issue.)*
Master Issue: #<xyz>
### Motivation
*Explain here the context, and why you're making that change. What is the problem you're trying to solve.*
### Modifications
*Describe the modifications you've done.*
### Verifying this change
- [ ] Make sure that the change passes the CI checks.
*(Please pick either of the following options)*
This change is a trivial rework / code cleanup without any test coverage.
*(or)*
This change is already covered by existing tests, such as *(please describe tests)*.
*(or)*
This change added tests and can be verified as follows:
*(example:)*
- *Added integration tests for end-to-end deployment with large payloads (10MB)*
- *Extended integration test for recovery after broker failure*
### Does this pull request potentially affect one of the following parts:
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): (yes / no)
- The public API: (yes / no)
- The schema: (yes / no / don't know)
- The default values of configurations: (yes / no)
- The wire protocol: (yes / no)
- The rest endpoints: (yes / no)
- The admin cli options: (yes / no)
- Anything that affects deployment: (yes / no / don't know)
### Documentation
- Does this pull request introduce a new feature? (yes / no)
- If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
- If a feature is not applicable for documentation, explain why?
- If a feature is not documented yet in this PR, please create a followup issue for adding the documentation
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-745816023
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
sijie commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-754116465
> I found we only do the tenant admin check in it. Should we extend a more detailed check of the operations?
We need to add finer granular permissions for package management.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762235491
@sijie I improve the auth implement. Please take a look when you have time. Thanks.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762538495
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762808982
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-753718229
@sijie I use the `allowNamespaceOperationAsync` for checking the permission. I found we only do the tenant admin check in it. Should we extend a more detailed check of the operations?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-763250904
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-745759416
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762775544
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762515999
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] codelipenghui merged pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
codelipenghui merged pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie commented on a change in pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
sijie commented on a change in pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#discussion_r547425554
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
##########
@@ -162,6 +162,24 @@
CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData);
+ /**
+ * Check the a role has the permission to do the package operations in a namespace.
+ *
+ * @param namespaceName
+ * the namespace name you want to check
+ * @param role
+ * the role to check
+ * @param authenticationData
+ * authentication data related to the role
+ * @return
+ * a boolean value to determine whether authorized or not
+ */
+ default CompletableFuture<Boolean> canDoPackageOpsAsync(NamespaceName namespaceName, String role,
Review comment:
We need to add a method like https://github.com/apache/pulsar/pull/8893/files#diff-cea47b9766438a068de61669ccde5f4e8435941c8953edf176aa62ffddf80545R248. This is the new method of defining the permissions. Don't use the old pattern.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762234604
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-753742917
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-745681018
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-764275484
Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie commented on a change in pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
sijie commented on a change in pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#discussion_r548200592
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
##########
@@ -162,6 +162,24 @@
CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData);
+ /**
+ * Check the a role has the permission to do the package operations in a namespace.
+ *
+ * @param namespaceName
+ * the namespace name you want to check
+ * @param role
+ * the role to check
+ * @param authenticationData
+ * authentication data related to the role
+ * @return
+ * a boolean value to determine whether authorized or not
+ */
+ default CompletableFuture<Boolean> canDoPackageOpsAsync(NamespaceName namespaceName, String role,
Review comment:
https://github.com/apache/pulsar/blob/7c68ade453136895d19fa4723351d26256f3d624/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java#L434
Check this one.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-764275484
Thanks!
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-759138332
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-748914487
@codelipenghui Please take a look when you have time. Thanks.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-754300580
@sijie Ok. I open a new issue #9122 to track that and reconsider the auth implement in the package management service. I will improve the permissions in the package management with another PR.
This PR enables the package manager has the ability to enable auth and access with the proper permissions. So could we merge this PR first?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-745968123
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on a change in pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on a change in pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#discussion_r547967109
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
##########
@@ -162,6 +162,24 @@
CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData);
+ /**
+ * Check the a role has the permission to do the package operations in a namespace.
+ *
+ * @param namespaceName
+ * the namespace name you want to check
+ * @param role
+ * the role to check
+ * @param authenticationData
+ * authentication data related to the role
+ * @return
+ * a boolean value to determine whether authorized or not
+ */
+ default CompletableFuture<Boolean> canDoPackageOpsAsync(NamespaceName namespaceName, String role,
Review comment:
It seems the link is the diff for this PR...
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] zymap commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
zymap commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-762605672
/pulsarbot run-failure-checks
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] sijie commented on pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
sijie commented on pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893#issuecomment-754309642
@zymap why do you need a separate issue? We are introducing auth action for the first time. We should get the implementation correctly. Let's not merge this until we have a correct implementation.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [pulsar] codelipenghui merged pull request #8893: Add auth action for package management service
Posted by GitBox <gi...@apache.org>.
codelipenghui merged pull request #8893:
URL: https://github.com/apache/pulsar/pull/8893
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org