You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/03/18 13:44:11 UTC
[GitHub] [pulsar] eolivelli commented on a change in pull request #14747: [cleanup][broker]: Refactor PulsarAuthorizationProvider.
eolivelli commented on a change in pull request #14747:
URL: https://github.com/apache/pulsar/pull/14747#discussion_r829981461
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -231,185 +184,149 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
private CompletableFuture<Boolean> allowConsumeOrProduceOpsAsync(NamespaceName namespaceName,
String role,
AuthenticationDataSource authenticationData) {
- CompletableFuture<Boolean> finalResult = new CompletableFuture<>();
- allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.consume)
- .whenComplete((consumeAuthorized, e) -> {
- if (e == null) {
- if (consumeAuthorized) {
- finalResult.complete(consumeAuthorized);
- return;
- }
- } else {
- if (log.isDebugEnabled()) {
- log.debug("Namespace [{}] Role [{}] exception occurred while trying to check Consume "
- + "permission. {}", namespaceName, role, e.getCause());
- }
+ return allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.consume)
+ .thenCompose(canConsumer -> {
+ if (canConsumer) {
+ return CompletableFuture.completedFuture(true);
}
- allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.produce)
- .whenComplete((produceAuthorized, ex) -> {
- if (ex == null) {
- finalResult.complete(produceAuthorized);
- } else {
- if (log.isDebugEnabled()) {
- log.debug("Namespace [{}] Role [{}] exception occurred while trying to check "
- + "Produce permission. {}", namespaceName, role, ex.getCause());
- }
- finalResult.completeExceptionally(ex.getCause());
- }
- });
+ return allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.produce);
});
-
- return finalResult;
}
private CompletableFuture<Boolean> allowTheSpecifiedActionOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData,
AuthAction authAction) {
- CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
- try {
- pulsarResources.getNamespaceResources().getPoliciesAsync(namespaceName).thenAccept(policies -> {
- if (!policies.isPresent()) {
- if (log.isDebugEnabled()) {
- log.debug("Policies node couldn't be found for namespace : {}", namespaceName);
- }
- } else {
- Map<String, Set<AuthAction>> namespaceRoles = policies.get()
- .auth_policies.getNamespaceAuthentication();
- Set<AuthAction> namespaceActions = namespaceRoles.get(role);
- if (namespaceActions != null && namespaceActions.contains(authAction)) {
- // The role has namespace level permission
- permissionFuture.complete(true);
- return;
- }
+ return pulsarResources.getNamespaceResources().getPoliciesAsync(namespaceName).thenApply(policies -> {
+ if (!policies.isPresent()) {
+ if (log.isDebugEnabled()) {
+ log.debug("Policies node couldn't be found for namespace : {}", namespaceName);
+ }
+ } else {
+ Map<String, Set<AuthAction>> namespaceRoles = policies.get()
+ .auth_policies.getNamespaceAuthentication();
Review comment:
I believe that we could think more about this objects (like auth_policies here) that can be null
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -106,63 +104,41 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
@Override
public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role,
AuthenticationDataSource authenticationData, String subscription) {
- CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
- try {
- pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
- .thenAccept(policies -> {
- if (!policies.isPresent()) {
- if (log.isDebugEnabled()) {
- log.debug("Policies node couldn't be found for topic : {}", topicName);
- }
- } else {
- if (isNotBlank(subscription)) {
- // validate if role is authorize to access subscription. (skip validatation if authorization
- // list is empty)
- Set<String> roles = policies.get().auth_policies
- .getSubscriptionAuthentication().get(subscription);
- if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
- log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
- permissionFuture.complete(false);
- return;
+ return pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
+ .thenCompose(policies -> {
+ if (!policies.isPresent()) {
+ if (log.isDebugEnabled()) {
+ log.debug("Policies node couldn't be found for topic : {}", topicName);
}
+ } else {
+ if (isNotBlank(subscription)) {
+ // validate if role is authorize to access subscription. (skip validatation if authorization
+ // list is empty)
+ Set<String> roles = policies.get().auth_policies
+ .getSubscriptionAuthentication().get(subscription);
+ if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
+ log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
+ return CompletableFuture.completedFuture(false);
+ }
- // validate if subscription-auth mode is configured
- switch (policies.get().subscription_auth_mode) {
- case Prefix:
- if (!subscription.startsWith(role)) {
- PulsarServerException ex = new PulsarServerException(String.format(
- "Failed to create consumer - The subscription name needs to be prefixed by the "
- + "authentication role, like %s-xxxx for topic: %s", role, topicName));
- permissionFuture.completeExceptionally(ex);
- return;
+ // validate if subscription-auth mode is configured
+ switch (policies.get().subscription_auth_mode) {
Review comment:
this `subscription_auth_mode` may be null
##########
File path: pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
##########
@@ -106,63 +104,41 @@ public void initialize(ServiceConfiguration conf, PulsarResources pulsarResource
@Override
public CompletableFuture<Boolean> canConsumeAsync(TopicName topicName, String role,
AuthenticationDataSource authenticationData, String subscription) {
- CompletableFuture<Boolean> permissionFuture = new CompletableFuture<>();
- try {
- pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
- .thenAccept(policies -> {
- if (!policies.isPresent()) {
- if (log.isDebugEnabled()) {
- log.debug("Policies node couldn't be found for topic : {}", topicName);
- }
- } else {
- if (isNotBlank(subscription)) {
- // validate if role is authorize to access subscription. (skip validatation if authorization
- // list is empty)
- Set<String> roles = policies.get().auth_policies
- .getSubscriptionAuthentication().get(subscription);
- if (roles != null && !roles.isEmpty() && !roles.contains(role)) {
- log.warn("[{}] is not authorized to subscribe on {}-{}", role, topicName, subscription);
- permissionFuture.complete(false);
- return;
+ return pulsarResources.getNamespaceResources().getPoliciesAsync(topicName.getNamespaceObject())
+ .thenCompose(policies -> {
+ if (!policies.isPresent()) {
+ if (log.isDebugEnabled()) {
+ log.debug("Policies node couldn't be found for topic : {}", topicName);
}
+ } else {
+ if (isNotBlank(subscription)) {
+ // validate if role is authorize to access subscription. (skip validatation if authorization
+ // list is empty)
+ Set<String> roles = policies.get().auth_policies
Review comment:
this `auth_policies` may be null
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org