You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/11/21 10:12:52 UTC
[GitHub] [pulsar] Geal opened a new issue #5712: check super user status
through the authorization provider instead of the configuration file
Geal opened a new issue #5712: check super user status through the authorization provider instead of the configuration file
URL: https://github.com/apache/pulsar/issues/5712
**Is your feature request related to a problem? Please describe.**
Hello, I am building an authentication provider and an authorization provider, and I noticed that for some calls from pulsar-admin, the authorization provider is not called.
Examples:
- `pulsar-admin tenants list` returns "This operation requires super-user access"
- `pulsar-admin namespaces list <tenant>` returns "Don't have permission to administrate resources on this tenant"
- `pulsar-admin topics list <tenant>/<namespace>` returns `Don't have permission to administrate resources on this tenant`
In all 3 cases, I see from my logs that the authentication provider is called, but not the authorization provider:
```
10:58:08.631 [pulsar-web-31-12] INFO com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - deserialized token
10:58:08.632 [pulsar-web-31-12] INFO com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - checked root key
10:58:08.632 [pulsar-web-31-12] INFO com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - token deserialized and sealed
<-- Authorization plugin logs should appear here -->
10:58:08.643 [pulsar-web-31-12] INFO org.eclipse.jetty.server.RequestLog - 127.0.0.1 - - [21/Nov/2019:10:58:08 +0100] "GET /admin/v2/tenants HTTP/1.1" 401 54 "-" "Pulsar-Java-v2.4.1" 16
```
Apparently, in `PulsarWebResource.validateSuperUserAccess`, the superuser role is check through the authz service if we are using proxy roles: https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L180-L202
if not, we will check the superuser roles from the configuration file: https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L203-L204
Same thing in `PulsarWebResource.validateAdminAccessForTenant`: https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L280-L288
**Describe the solution you'd like**
I propose replacing those configuration checks with a call to the authz service. I am testing the idea and will provide a pull request.
If the configuration has `authorizationEnabled=true` with the default authz provider `org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider`, this will not change the behaviour because the default `isSuperUser()` checks from the configuration file
https://github.com/apache/pulsar/blob/14d1eaa73e1479e403042da87ad34c7a35a304e2/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java#L44-L47
**Describe alternatives you've considered**
Using proxy roles would leverage the authz provider. But I think it would be more coherent to have everything go through the provider, instead of having special cases.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services