You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2021/09/17 01:06:27 UTC
[pulsar] branch master updated: [Broker] Optimize authz checks in
ServerCnx when authz is not enabled (#12067)
This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new c32b524 [Broker] Optimize authz checks in ServerCnx when authz is not enabled (#12067)
c32b524 is described below
commit c32b52454ae5677bc61e15047d56ee3702b38300
Author: Michael Marshall <mi...@datastax.com>
AuthorDate: Thu Sep 16 20:04:21 2021 -0500
[Broker] Optimize authz checks in ServerCnx when authz is not enabled (#12067)
---
.../apache/pulsar/broker/service/ServerCnx.java | 38 +++++++++-------------
1 file changed, 16 insertions(+), 22 deletions(-)
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index 8ce5f66..a7c96db 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -353,21 +353,18 @@ public class ServerCnx extends PulsarHandler implements TransportCnx {
// ////
private CompletableFuture<Boolean> isTopicOperationAllowed(TopicName topicName, TopicOperation operation) {
+ if (!service.isAuthorizationEnabled()) {
+ return CompletableFuture.completedFuture(true);
+ }
CompletableFuture<Boolean> isProxyAuthorizedFuture;
- CompletableFuture<Boolean> isAuthorizedFuture;
- if (service.isAuthorizationEnabled()) {
- if (originalPrincipal != null) {
- isProxyAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
- topicName, operation, originalPrincipal, getAuthenticationData());
- } else {
- isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- }
- isAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
- topicName, operation, authRole, authenticationData);
+ if (originalPrincipal != null) {
+ isProxyAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
+ topicName, operation, originalPrincipal, getAuthenticationData());
} else {
isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- isAuthorizedFuture = CompletableFuture.completedFuture(true);
}
+ CompletableFuture<Boolean> isAuthorizedFuture = service.getAuthorizationService().allowTopicOperationAsync(
+ topicName, operation, authRole, authenticationData);
return isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture, (isProxyAuthorized, isAuthorized) -> {
if (!isProxyAuthorized) {
log.warn("OriginalRole {} is not authorized to perform operation {} on topic {}",
@@ -1748,21 +1745,18 @@ public class ServerCnx extends PulsarHandler implements TransportCnx {
private CompletableFuture<Boolean> isNamespaceOperationAllowed(NamespaceName namespaceName,
NamespaceOperation operation) {
+ if (!service.isAuthorizationEnabled()) {
+ return CompletableFuture.completedFuture(true);
+ }
CompletableFuture<Boolean> isProxyAuthorizedFuture;
- CompletableFuture<Boolean> isAuthorizedFuture;
- if (service.isAuthorizationEnabled()) {
- if (originalPrincipal != null) {
- isProxyAuthorizedFuture = service.getAuthorizationService().allowNamespaceOperationAsync(
- namespaceName, operation, originalPrincipal, getAuthenticationData());
- } else {
- isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- }
- isAuthorizedFuture = service.getAuthorizationService().allowNamespaceOperationAsync(
- namespaceName, operation, authRole, authenticationData);
+ if (originalPrincipal != null) {
+ isProxyAuthorizedFuture = service.getAuthorizationService().allowNamespaceOperationAsync(
+ namespaceName, operation, originalPrincipal, getAuthenticationData());
} else {
isProxyAuthorizedFuture = CompletableFuture.completedFuture(true);
- isAuthorizedFuture = CompletableFuture.completedFuture(true);
}
+ CompletableFuture<Boolean> isAuthorizedFuture = service.getAuthorizationService().allowNamespaceOperationAsync(
+ namespaceName, operation, authRole, authenticationData);
return isProxyAuthorizedFuture.thenCombine(isAuthorizedFuture, (isProxyAuthorized, isAuthorized) -> {
if (!isProxyAuthorized) {
log.warn("OriginalRole {} is not authorized to perform operation {} on namespace {}",