You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by "michaeljmarshall (via GitHub)" <gi...@apache.org> on 2023/02/13 16:32:18 UTC
[GitHub] [pulsar] michaeljmarshall commented on a diff in pull request #19455: [improve][broker] Require authRole is proxyRole to set originalPrincipal
michaeljmarshall commented on code in PR #19455:
URL: https://github.com/apache/pulsar/pull/19455#discussion_r1104728175
##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java:
##########
@@ -293,19 +292,39 @@ public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName,
return provider.allowSinkOpsAsync(namespaceName, role, authenticationData);
}
- private static void validateOriginalPrincipal(Set<String> proxyRoles, String authenticatedPrincipal,
- String originalPrincipal) {
- if (proxyRoles.contains(authenticatedPrincipal)) {
- // Request has come from a proxy
+ public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+ String originalPrincipal,
+ AuthenticationDataSource authDataSource) {
+ SocketAddress remoteAddress = authDataSource != null ? authDataSource.getPeerAddress() : null;
+ return isValidOriginalPrincipal(authenticatedPrincipal, originalPrincipal, remoteAddress);
+ }
+
+ /**
+ * Validates that the authenticatedPrincipal and the originalPrincipal are a valid combination.
+ * Valid combinations fulfill the following rule: the authenticatedPrincipal is in
+ * {@link ServiceConfiguration#getProxyRoles()}, if, and only if, the originalPrincipal is set to a role
+ * that is not also in {@link ServiceConfiguration#getProxyRoles()}.
+ * @return true when roles are a valid combination and false when roles are an invalid combination
+ */
+ public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+ String originalPrincipal,
+ SocketAddress remoteAddress) {
+ String errorMsg = null;
+ if (conf.getProxyRoles().contains(authenticatedPrincipal)) {
if (StringUtils.isBlank(originalPrincipal)) {
- log.warn("Original principal empty in request authenticated as {}", authenticatedPrincipal);
- throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be empty if the "
- + "request is via proxy.");
- }
- if (proxyRoles.contains(originalPrincipal)) {
- log.warn("Original principal {} cannot be a proxy role ({})", originalPrincipal, proxyRoles);
- throw new RestException(Response.Status.UNAUTHORIZED, "Original principal cannot be a proxy role");
+ errorMsg = "originalPrincipal must be provided when connecting with a proxy role.";
+ } else if (conf.getProxyRoles().contains(originalPrincipal)) {
+ errorMsg = "originalPrincipal cannot be a proxy role.";
}
+ } else if (StringUtils.isNotBlank(originalPrincipal)) {
+ errorMsg = "cannot specify originalPrincipal when connecting without valid proxy role.";
+ }
Review Comment:
I don't think so. As far as I can tell, there is no requirement for the proxy's role to be a super user. The current authorization logic verifies that the `authenticatedPrincipal` and the `originalPrincipal` both have permission to perform the attempted operation. It would be a change in this paradigm to start requiring the proxy role to be a super user.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org