You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2021/12/06 18:07:52 UTC
[pulsar] branch branch-2.8 updated (d52fb1f -> e910bf0)
This is an automated email from the ASF dual-hosted git repository.
mmarshall pushed a change to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git.
from d52fb1f Update lombok to 1.18.22 (#12466)
new bbe6529 [Authorization] Support CLEAR_BACKLOG namespace op after enable auth (#12963)
new e910bf0 [Authorization] Revert new AuthorizationProvider method (#13133)
The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
.../authorization/AuthorizationProvider.java | 10 ---
.../MultiRolesTokenAuthorizationProvider.java | 5 --
.../authorization/PulsarAuthorizationProvider.java | 8 +--
.../broker/auth/MockAuthorizationProvider.java | 6 --
.../api/AuthorizationProducerConsumerTest.java | 83 ++++++++++++++++++++--
.../impl/PatternTopicsConsumerImplAuthTest.java | 5 --
6 files changed, 79 insertions(+), 38 deletions(-)
[pulsar] 01/02: [Authorization] Support CLEAR_BACKLOG namespace op after enable auth (#12963)
Posted by mm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
mmarshall pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit bbe65290a64d34f33f22f66c4f8adf46b28359a2
Author: Ruguo Yu <ji...@163.com>
AuthorDate: Fri Nov 26 18:42:31 2021 +0800
[Authorization] Support CLEAR_BACKLOG namespace op after enable auth (#12963)
(cherry picked from commit 64af8df83b7463d7e9231ddabc603705f15d30d6)
---
.../authorization/PulsarAuthorizationProvider.java | 1 +
.../api/AuthorizationProducerConsumerTest.java | 78 +++++++++++++++++++++-
2 files changed, 78 insertions(+), 1 deletion(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 411c253..7be0cac 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -547,6 +547,7 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
break;
case GET_TOPICS:
case UNSUBSCRIBE:
+ case CLEAR_BACKLOG:
isAuthorizedFuture = allowConsumeOpsAsync(namespaceName, role, authData);
break;
default:
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 1af36f5..603a816 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -267,7 +267,7 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
Collections.singleton(AuthAction.consume));
// now, subscriptionRole have consume authorization on namespace, so it will successfully unsubscribe namespace
- superAdmin.namespaces().unsubscribeNamespaceBundle(namespace, "0x00000000_0xffffffff", subscriptionName2);
+ sub1Admin.namespaces().unsubscribeNamespaceBundle(namespace, "0x00000000_0xffffffff", subscriptionName2);
subscriptions = sub1Admin.topics().getSubscriptions(topicName);
assertEquals(subscriptions.size(), 1);
@@ -323,6 +323,82 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
}
@Test
+ public void testClearBacklogPermission() throws Exception {
+ log.info("-- Starting {} test --", methodName);
+
+ conf.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
+ setup();
+
+ final String subscriptionRole = "sub-role";
+ final String subscriptionName = "sub1";
+ final String namespace = "my-property/my-ns-sub-auth";
+ final String topicName = "persistent://" + namespace + "/my-topic";
+ Authentication adminAuthentication = new ClientAuthentication("superUser");
+
+ clientAuthProviderSupportedRoles.add(subscriptionRole);
+
+ @Cleanup
+ PulsarAdmin superAdmin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
+ .authentication(adminAuthentication).build());
+
+ Authentication subAdminAuthentication = new ClientAuthentication(subscriptionRole);
+ @Cleanup
+ PulsarAdmin sub1Admin = spy(PulsarAdmin.builder().serviceHttpUrl(brokerUrl.toString())
+ .authentication(subAdminAuthentication).build());
+
+ superAdmin.clusters().createCluster("test",
+ ClusterData.builder().serviceUrl(brokerUrl.toString()).build());
+ superAdmin.tenants().createTenant("my-property",
+ new TenantInfoImpl(Sets.newHashSet(), Sets.newHashSet("test")));
+ superAdmin.namespaces().createNamespace(namespace, Sets.newHashSet("test"));
+ superAdmin.topics().createPartitionedTopic(topicName, 1);
+
+ // grant topic consume&produce authorization to the subscriptionRole
+ superAdmin.topics().grantPermission(topicName, subscriptionRole,
+ Sets.newHashSet(AuthAction.produce, AuthAction.consume));
+ replacePulsarClient(PulsarClient.builder()
+ .serviceUrl(pulsar.getBrokerServiceUrl())
+ .authentication(subAdminAuthentication));
+
+ @Cleanup
+ Producer<byte[]> batchProducer = pulsarClient.newProducer().topic(topicName)
+ .enableBatching(false)
+ .create();
+
+ @Cleanup
+ Consumer<byte[]> consumer = pulsarClient.newConsumer().topic(topicName)
+ .subscriptionInitialPosition(SubscriptionInitialPosition.Earliest)
+ .subscriptionName(subscriptionName)
+ .subscribe();
+
+ CompletableFuture<MessageId> completableFuture = new CompletableFuture<>();
+ for (int i = 0; i < 10; i++) {
+ completableFuture = batchProducer.sendAsync("a".getBytes());
+ }
+ completableFuture.get();
+ assertEquals(sub1Admin.topics().getStats(topicName + "-partition-0").getSubscriptions()
+ .get(subscriptionName).getMsgBacklog(), 10);
+
+ // subscriptionRole doesn't have namespace-level authorization, so it will fail to clear backlog
+ try {
+ sub1Admin.namespaces().clearNamespaceBundleBacklog(namespace, "0x00000000_0xffffffff");
+ fail("should have failed with authorization exception");
+ } catch (Exception e) {
+ assertTrue(e.getMessage().startsWith(
+ "Unauthorized to validateNamespaceOperation for operation [CLEAR_BACKLOG]"));
+ }
+
+ superAdmin.namespaces().grantPermissionOnNamespace(namespace, subscriptionRole,
+ Sets.newHashSet(AuthAction.consume));
+ // now, subscriptionRole have consume authorization on namespace, so it will successfully clear backlog
+ sub1Admin.namespaces().clearNamespaceBundleBacklog(namespace, "0x00000000_0xffffffff");
+ assertEquals(sub1Admin.topics().getStats(topicName + "-partition-0").getSubscriptions()
+ .get(subscriptionName).getMsgBacklog(), 0);
+
+ log.info("-- Exiting {} test --", methodName);
+ }
+
+ @Test
public void testSubscriptionPrefixAuthorization() throws Exception {
log.info("-- Starting {} test --", methodName);
[pulsar] 02/02: [Authorization] Revert new AuthorizationProvider method (#13133)
Posted by mm...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
mmarshall pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit e910bf0d6ce87938f06f14fb582763bce2da1789
Author: Michael Marshall <mm...@apache.org>
AuthorDate: Mon Dec 6 08:22:00 2021 -0600
[Authorization] Revert new AuthorizationProvider method (#13133)
(cherry picked from commit d1156caf0dbe8c04a604a28a32800281d7ee2d2a)
---
.../pulsar/broker/authorization/AuthorizationProvider.java | 10 ----------
.../authorization/MultiRolesTokenAuthorizationProvider.java | 5 -----
.../broker/authorization/PulsarAuthorizationProvider.java | 7 +------
.../apache/pulsar/broker/auth/MockAuthorizationProvider.java | 6 ------
.../pulsar/client/api/AuthorizationProducerConsumerTest.java | 5 -----
.../pulsar/client/impl/PatternTopicsConsumerImplAuthTest.java | 5 -----
6 files changed, 1 insertion(+), 37 deletions(-)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
index 6e930a4..443a2a8 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
@@ -164,16 +164,6 @@ public interface AuthorizationProvider extends Closeable {
AuthenticationDataSource authenticationData);
/**
- * Allow consume operations with in this namespace
- * @param namespaceName The namespace that the consume operations can be executed in
- * @param role The role to check
- * @param authenticationData authentication data related to the role
- * @return a boolean to determine whether authorized or not
- */
- CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role,
- AuthenticationDataSource authenticationData);
-
- /**
*
* Grant authorization-action permission on a namespace to the given client
*
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
index 0f6c2cb..23fb7bc 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
@@ -210,11 +210,6 @@ public class MultiRolesTokenAuthorizationProvider extends PulsarAuthorizationPro
}
@Override
- public CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData) {
- return authorize(authenticationData, r -> super.allowConsumeOpsAsync(namespaceName, r, authenticationData));
- }
-
- @Override
public CompletableFuture<Boolean> allowTenantOperationAsync(String tenantName,
String role,
TenantOperation operation,
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 7be0cac..d276757 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -235,11 +235,6 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
return allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.sinks);
}
- @Override
- public CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData) {
- return allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.consume);
- }
-
private CompletableFuture<Boolean> allowTheSpecifiedActionOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData,
AuthAction authAction) {
@@ -548,7 +543,7 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
case GET_TOPICS:
case UNSUBSCRIBE:
case CLEAR_BACKLOG:
- isAuthorizedFuture = allowConsumeOpsAsync(namespaceName, role, authData);
+ isAuthorizedFuture = allowTheSpecifiedActionOpsAsync(namespaceName, role, authData, AuthAction.consume);
break;
default:
isAuthorizedFuture = CompletableFuture.completedFuture(false);
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAuthorizationProvider.java b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAuthorizationProvider.java
index ae9480b..421da4f 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAuthorizationProvider.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/broker/auth/MockAuthorizationProvider.java
@@ -105,12 +105,6 @@ public class MockAuthorizationProvider implements AuthorizationProvider {
}
@Override
- public CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role,
- AuthenticationDataSource authenticationData) {
- return roleAuthorizedAsync(role);
- }
-
- @Override
public CompletableFuture<Void> grantPermissionAsync(NamespaceName namespace, Set<AuthAction> actions, String role,
String authDataJson) {
return CompletableFuture.completedFuture(null);
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 603a816..78f71f2 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -614,11 +614,6 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
}
@Override
- public CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData) {
- return null;
- }
-
- @Override
public CompletableFuture<Void> grantPermissionAsync(NamespaceName namespace, Set<AuthAction> actions,
String role, String authenticationData) {
return CompletableFuture.completedFuture(null);
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PatternTopicsConsumerImplAuthTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PatternTopicsConsumerImplAuthTest.java
index adb427d..af47c79 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PatternTopicsConsumerImplAuthTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/impl/PatternTopicsConsumerImplAuthTest.java
@@ -297,11 +297,6 @@ public class PatternTopicsConsumerImplAuthTest extends ProducerConsumerBase {
}
@Override
- public CompletableFuture<Boolean> allowConsumeOpsAsync(NamespaceName namespaceName, String role, AuthenticationDataSource authenticationData) {
- return null;
- }
-
- @Override
public CompletableFuture<Void> grantPermissionAsync(NamespaceName namespace, Set<AuthAction> actions,
String role, String authenticationData) {
return CompletableFuture.completedFuture(null);