You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/21 14:09:03 UTC
[GitHub] [pulsar] codelipenghui commented on a change in pull request #14747: [cleanup][broker]: Refactor PulsarAuthorizationProvider.
codelipenghui commented on a change in pull request #14747:
URL: https://github.com/apache/pulsar/pull/14747#discussion_r831148981
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -178,36 +156,13 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
@Override
public CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String role,
AuthenticationDataSource authenticationData) {
- CompletableFuture<Boolean> finalResult = new CompletableFuture<Boolean>();
- canProduceAsync(topicName, role, authenticationData).whenComplete((produceAuthorized, ex) -> {
- if (ex == null) {
- if (produceAuthorized) {
- finalResult.complete(produceAuthorized);
- return;
- }
- } else {
- if (log.isDebugEnabled()) {
- log.debug(
- "Topic [{}] Role [{}] exception occurred while trying to check Produce permissions. {}",
- topicName.toString(), role, ex.getMessage());
Review comment:
Same as the above comment.
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -106,63 +104,43 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
@Override
public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role,
AuthenticationDataSource authenticationData, String subscription) {
- CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
- try {
- pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
- .thenAccept(policies -> {
- if (!policies.isPresent()) {
- if (log.isDebugEnabled()) {
- log.debug("Policies node couldn't be found for topic : {}", topicName);
- }
- } else {
- if (isNotBlank(subscription)) {
- // validate if role is authorize to access subscription. (skip validatation if authorization
- // list is empty)
- Set<String> roles = policies.get().auth_policies
- .getSubscriptionAuthentication().get(subscription);
- if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
- log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
- permissionFuture.complete(false);
- return;
+ return pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
+ .thenCompose(policies -> {
+ if (!policies.isPresent()) {
+ if (log.isDebugEnabled()) {
+ log.debug("Policies node couldn't be found for topic : {}", topicName);
}
+ } else {
+ if (isNotBlank(subscription)) {
+ // validate if role is authorized to access subscription. (skip validation if authorization
+ // list is empty)
+ Set<String> roles = policies.get().auth_policies
+ .getSubscriptionAuthentication().get(subscription);
+ if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
+ log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
+ return CompletableFuture.completedFuture(false);
+ }
- // validate if subscription-auth mode is configured
- switch (policies.get().subscription_auth_mode) {
- case Prefix:
- if (!subscription.startsWith(role)) {
- PulsarServerException ex = new PulsarServerException(String.format(
- "Failed to create consumer - The subscription name needs to be prefixed by the "
- + "authentication role, like %s-xxxx for topic: %s", role, topicName));
- permissionFuture.completeExceptionally(ex);
- return;
+ // validate if subscription-auth mode is configured
+ if (policies.get().subscription_auth_mode != null) {
+ switch (policies.get().subscription_auth_mode) {
+ case Prefix:
+ if (!subscription.startsWith(role)) {
+ PulsarServerException ex = new PulsarServerException(String.format(
+ "Failed to create consumer - The subscription name needs to be"
+ + " prefixed by the authentication role, like %s-xxxx for topic: %s",
+ role, topicName));
+ return FutureUtil.failedFuture(ex);
+ }
+ break;
+ default:
+ break;
+ }
}
- break;
- default:
- break;
}
}
- }
- // check namespace and topic level consume-permissions
- checkAuthorization(topicName, role, AuthAction.consume).thenAccept(isAuthorized -> {
- permissionFuture.complete(isAuthorized);
- }).exceptionally(ex -> {
- log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName,
- ex.getMessage());
- permissionFuture.completeExceptionally(ex);
- return null;
+ return checkAuthorization(topicName, role, AuthAction.consume);
});
- }).exceptionally(ex -> {
- log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName,
- ex.getMessage());
- permissionFuture.completeExceptionally(ex);
- return null;
- });
- } catch (Exception e) {
- log.warn("Client with Role - {} failed to get permissions for topic - {}. {}", role, topicName,
Review comment:
After this change, we will remove this log? We'd better keep the behavior will not be changed.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org