You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2018/02/07 01:55:17 UTC
[incubator-pulsar] branch master updated: Fix for memory leak in
Proxy roles enforcement (#1192)
This is an automated email from the ASF dual-hosted git repository.
mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new 27117f2 Fix for memory leak in Proxy roles enforcement (#1192)
27117f2 is described below
commit 27117f23034c41142321af42f36dc31e8a15df9e
Author: Jai Asher <ja...@ccs.neu.edu>
AuthorDate: Tue Feb 6 17:55:15 2018 -0800
Fix for memory leak in Proxy roles enforcement (#1192)
* Fix for Bufferleaks in ServerCnx.java due to ProxyRolesEnforcement
* Added soome comments
* Changed newLookupResponse to correct newPartitionMetadataResponse
---
.../apache/pulsar/broker/service/ServerCnx.java | 63 +++++++++++-----------
1 file changed, 32 insertions(+), 31 deletions(-)
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index 0f0cd6d..efa3ed9 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -187,17 +187,15 @@ public class ServerCnx extends PulsarHandler {
ctx.close();
}
- private boolean validateOriginalPrincipal(String originalPrincipal, ByteBuf errorResponse, String topicName,
- String msg) {
- if (service.isAuthenticationEnabled() && service.isAuthorizationEnabled() && proxyRoles.contains(authRole)
- && (StringUtils.isBlank(originalPrincipal) || proxyRoles.contains(originalPrincipal))) {
- log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole,
- originalPrincipal, topicName);
- ctx.writeAndFlush(errorResponse);
- return false;
- }
-
- return true;
+ /*
+ * If authentication and authorization is enabled and if the authRole is one of proxyRoles we want to enforce
+ * - the originalPrincipal is given while connecting
+ * - originalPrincipal is not blank
+ * - originalPrincipal is not a proxy principal
+ */
+ private boolean invalidOriginalPrincipal(String originalPrincipal) {
+ return (service.isAuthenticationEnabled() && service.isAuthorizationEnabled() && proxyRoles.contains(authRole)
+ && (StringUtils.isBlank(originalPrincipal) || proxyRoles.contains(originalPrincipal)));
}
// ////
@@ -221,10 +219,11 @@ public class ServerCnx extends PulsarHandler {
if (lookupSemaphore.tryAcquire()) {
final String originalPrincipal = lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal()
: this.originalPrincipal;
- if (!validateOriginalPrincipal(originalPrincipal,
- newLookupErrorResponse(ServerError.AuthorizationError,
- "Valid Proxy Client role should be provided for lookup ", requestId),
- topicName.toString(), "Valid Proxy Client role should be provided for lookup ")) {
+ if (invalidOriginalPrincipal(originalPrincipal)) {
+ final String msg = "Valid Proxy Client role should be provided for lookup ";
+ log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole,
+ originalPrincipal, topicName);
+ ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId));
lookupSemaphore.release();
return;
}
@@ -293,11 +292,12 @@ public class ServerCnx extends PulsarHandler {
if (lookupSemaphore.tryAcquire()) {
final String originalPrincipal = partitionMetadata.hasOriginalPrincipal()
? partitionMetadata.getOriginalPrincipal() : this.originalPrincipal;
- if (!validateOriginalPrincipal(originalPrincipal,
- Commands.newPartitionMetadataResponse(ServerError.AuthorizationError,
- "Valid Proxy Client role should be provided for getPartitionMetadataRequest ", requestId),
- topicName.toString(),
- "Valid Proxy Client role should be provided for getPartitionMetadataRequest ")) {
+ if (invalidOriginalPrincipal(originalPrincipal)) {
+ final String msg = "Valid Proxy Client role should be provided for getPartitionMetadataRequest ";
+ log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole,
+ originalPrincipal, topicName);
+ ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError,
+ msg, requestId));
lookupSemaphore.release();
return;
}
@@ -346,7 +346,7 @@ public class ServerCnx extends PulsarHandler {
}).exceptionally(ex -> {
final String msg = "Exception occured while trying to authorize get Partition Metadata";
log.warn("[{}] {} with role {} on topic {}", remoteAddress, msg, authRole, topicName);
- ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId));
+ ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError, msg, requestId));
lookupSemaphore.release();
return null;
});
@@ -461,16 +461,16 @@ public class ServerCnx extends PulsarHandler {
checkArgument(state == State.Connected);
final long requestId = subscribe.getRequestId();
final long consumerId = subscribe.getConsumerId();
-
DestinationName topicName = validateTopicName(subscribe.getTopic(), requestId, subscribe);
if (topicName == null) {
return;
- }
+ }
- if (!validateOriginalPrincipal(originalPrincipal,
- Commands.newError(requestId, ServerError.AuthorizationError,
- "Valid Proxy Client role should be provided while subscribing "),
- topicName.toString(), "Valid Proxy Client role should be provided while subscribing ")) {
+ if (invalidOriginalPrincipal(originalPrincipal)) {
+ final String msg = "Valid Proxy Client role should be provided while subscribing ";
+ log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole,
+ originalPrincipal, topicName);
+ ctx.writeAndFlush(Commands.newError(requestId, ServerError.AuthorizationError, msg));
return;
}
@@ -636,10 +636,11 @@ public class ServerCnx extends PulsarHandler {
return;
}
- if (!validateOriginalPrincipal(originalPrincipal,
- Commands.newError(requestId, ServerError.AuthorizationError,
- "Valid Proxy Client role should be provided while creating producer "),
- topicName.toString(), "Valid Proxy Client role should be provided while creating producer ")) {
+ if (invalidOriginalPrincipal(originalPrincipal)) {
+ final String msg = "Valid Proxy Client role should be provided while creating producer ";
+ log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole,
+ originalPrincipal, topicName);
+ ctx.writeAndFlush(Commands.newError(requestId, ServerError.AuthorizationError, msg));
return;
}
--
To stop receiving notification emails like this one, please contact
mmerli@apache.org.