Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/07/13 12:57:31 UTC

[GitHub] [pulsar] acortes-okode opened a new issue, #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

acortes-okode opened a new issue, #16574:
URL: https://github.com/apache/pulsar/issues/16574

   First of all, thank you all for your work! This seems an amazing tool and that's why I am looking into it to use it as a domain event bus for my application.
   
   **Describe the bug**
   I'm setting up JWT token authentication/authorization with multiple roles and using org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider in order to check for the 'superuser' role in the list of roles that the JWT token has. It only works if the first role of the list is the 'superuser' one but does not work if there are other roles first.
   
   I have not tested this with other roles applied on tenants or namespaces yet because of time, but I may do it in the following days. Anyway, it seems to be a common issue for any role, but I'm not sure why this is happening from viewing the code of AuthorizationProvider and related classes.
   
   **To Reproduce**
   I am building a more complex environment using Docker Swarm but for this kind of problem I have set a standalone configuration to reproduce it.
   
   I have followed the steps on [https://pulsar.apache.org/ja/docs/standalone/](https://pulsar.apache.org/ja/docs/standalone/) with version `2.10.1` and modified the `standalone.conf` in order to set up JWT authentication/authorization following:
   
   - https://pulsar.apache.org/docs/security-jwt
   - https://pulsar.apache.org/docs/security-authorization#authorize-an-authenticated-client-with-multiple-roles
   
   Following are the properties I have modified on `standalone.conf` file:
   ```
   # Enable authentication
   authenticationEnabled=true
   
   # Authentication provider name list, which is comma separated list of class names
   authenticationProviders=org.apache.pulsar.broker.authentication.AuthenticationProviderToken
   
   # Enforce authorization
   authorizationEnabled=true
   
   # Authorization provider fully qualified class-name
   authorizationProvider=org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider
   
   superUserRoles=superuser
   
   brokerClientAuthenticationPlugin=org.apache.pulsar.client.impl.auth.AuthenticationToken
   brokerClientAuthenticationParameters={"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiLCJ0ZXN0Il19.fwFySHYsYES_j4ggOwShLJFsYiLBP9Ng0note_bex8Q"}
   
   tokenSecretKey=data:;base64,dGVzdHNlY3JldFRvb29Mb29vb25nVG9CZVJlbWVtYmVyZWRGb3JUaGVTYWtlT2ZTaW1wbGljaXR5VW5leHBlY3RlZFdoYXRldmVyMQ==
   
   tokenAuthClaim=roles
   ```
   
   When I launch the standalone server using the `bin/pulsar standalone` command and I try to access `http://localhost:8080/admin/v2/brokers/configuration`, I get a 401 error response, as expected:
   ```sh
   curl "http://localhost:8080/admin/v2/brokers/configuration"
   
   <html>
   <head>
   <meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
   <title>Error 401 Authentication required</title>
   </head>
   <body><h2>HTTP ERROR 401 Authentication required</h2>
   <table>
   <tr><th>URI:</th><td>/admin/v2/brokers/configuration</td></tr>
   <tr><th>STATUS:</th><td>401</td></tr>
   <tr><th>MESSAGE:</th><td>Authentication required</td></tr>
   <tr><th>SERVLET:</th><td>org.glassfish.jersey.servlet.ServletContainer-5ab2c5d8</td></tr>
   </table>
   <hr/><a href="https://eclipse.org/jetty">Powered by Jetty:// 9.4.44.v20210927</a><hr/>
   
   </body>
   </html>
   ```
   
   If I build a JWT token with this claims:
   ```json
   "roles": [
       "superuser",
       "test"
     ]
   ```
   
   I get a successful response, as expected:
   ```sh
   curl "http://localhost:8080/admin/v2/brokers/configuration" \
   -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiLCJ0ZXN0Il19.fwFySHYsYES_j4ggOwShLJFsYiLBP9Ng0note_bex8Q"
   
   ["loadBalancerMemoryResourceWeight","ma.....
   ```
   
   But, if I generate a JWT token with a change in the ordering:
   ```json
   "roles": [
       "test",
       "superuser"
     ]
   ```
   
   I get an unauthorized response:
   ```sh
   curl "http://localhost:8080/admin/v2/brokers/configuration" \
   -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJ0ZXN0Iiwic3VwZXJ1c2VyIl19.Xz1gplVyg0MwTCobMlyKCu_xBLmMGCKYsTrvUyj9kL4"
   
   {"reason":"This operation requires super-user access"}
   ```
   
   **Expected behavior**
   Setting `org.apache.pulsar.broker.authorization.MultiRolesTokenAuthorizationProvider` as the AuthorizationProvider with token authentication should authorize requests if the JWT token contains any of the `superUserRoles` in its `tokenAuthClaim` list.
   
   **Desktop (please complete the following information):**
    - OS: macOS Monterey
    - Hardware: Mac mini (M1, 2020), Apple M1, 16GB
    On the Docker Swarm environment it is also reproducible, and that is on an x86_64 architecture with Ubuntu Server 18.04 LTS.
   
   Thanks for your time!


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
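The authorization decision described in the issue, as an added Python example that is neither Pulsar's code nor the fix in the linked PR: it signs and verifies HS256 tokens with a key constructed here (not the `tokenSecretKey` from the issue's standalone.conf), reads the `roles` claim the way `tokenAuthClaim=roles` and `superUserRoles=superuser` imply, and runs both role orderings through a first-element-only check (the behaviour the report describes) and an any-role check (the behaviour the reporter expects). The function and constant names are the example's own. The two tokens from the issue are included only to decode their `roles` claim without a signature check, since the key that signed them is not verified here.

```python
"""Added example (not Pulsar code): authorizing a JWT whose `roles` claim is a list.

Mirrors the issue's setup: tokenAuthClaim=roles, superUserRoles=superuser.
Shows an HS256 verify with the standard library, a first-element-only role
check (the behaviour the report describes) and the any-role check the
reporter expects. The key and the tokens signed here are constructed.
"""
import base64
import hashlib
import hmac
import json

# Constructed for this example; NOT the tokenSecretKey from the issue.
EXAMPLE_KEY = b"example-hs256-key-for-the-issue-16574-demo-only"

TOKEN_AUTH_CLAIM = "roles"           # tokenAuthClaim=roles
SUPER_USER_ROLES = {"superuser"}     # superUserRoles=superuser

# The two tokens posted in the issue (copied verbatim; their signature is not checked here).
ISSUE_TOKEN_SUPERUSER_FIRST = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJzdXBlcnVzZXIiLCJ0ZXN0Il19.fwFySHYsYES_j4ggOwShLJFsYiLBP9Ng0note_bex8Q"
ISSUE_TOKEN_SUPERUSER_SECOND = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJyb2xlcyI6WyJ0ZXN0Iiwic3VwZXJ1c2VyIl19.Xz1gplVyg0MwTCobMlyKCu_xBLmMGCKYsTrvUyj9kL4"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS with alg=HS256 (constructed helper, not a Pulsar API)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify the HMAC and return the claims; reject any alg other than HS256."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def peek_roles(token: str) -> list:
    """Decode the roles claim WITHOUT verifying the signature: for inspecting
    claim order only, never for an authorization decision."""
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return roles_from_claims(payload)


def roles_from_claims(claims: dict) -> list:
    """The configured claim may be a single string or a list of strings."""
    value = claims.get(TOKEN_AUTH_CLAIM, [])
    return [value] if isinstance(value, str) else list(value)


def is_superuser_first_role_only(claims: dict) -> bool:
    """Behaviour the issue reports: only the first role is consulted."""
    roles = roles_from_claims(claims)
    return bool(roles) and roles[0] in SUPER_USER_ROLES


def is_superuser_any_role(claims: dict) -> bool:
    """Expected behaviour: any listed role in superUserRoles grants super-user access."""
    return any(role in SUPER_USER_ROLES for role in roles_from_claims(claims))


def authorize(token: str, key: bytes, check) -> bool:
    """Signature first, then the role decision; an unverifiable token is never authorized."""
    try:
        claims = verify_hs256(token, key)
    except ValueError:
        return False
    return check(claims)


# The two role orderings from the issue, signed here with the constructed key.
SUPERUSER_FIRST = {"sub": "1234567890", "roles": ["superuser", "test"]}
SUPERUSER_SECOND = {"sub": "1234567890", "roles": ["test", "superuser"]}


def demo() -> dict:
    """Run both orderings through both checks; keys name the check and the ordering."""
    results = {}
    for name, claims in (("first", SUPERUSER_FIRST), ("second", SUPERUSER_SECOND)):
        token = sign_hs256(claims, EXAMPLE_KEY)
        results[f"first_only/{name}"] = authorize(token, EXAMPLE_KEY, is_superuser_first_role_only)
        results[f"any_role/{name}"] = authorize(token, EXAMPLE_KEY, is_superuser_any_role)
    # A token signed with another key must be denied regardless of its roles.
    forged = sign_hs256(SUPERUSER_FIRST, b"not-the-broker-key")
    results["any_role/forged"] = authorize(forged, EXAMPLE_KEY, is_superuser_any_role)
    return results


if __name__ == "__main__":
    print("issue token 2 roles:", peek_roles(ISSUE_TOKEN_SUPERUSER_SECOND))
    for k, v in demo().items():
        print(f"{k}: {'authorized' if v else 'denied'}")
```

Running the block shows the first-only check denying the ["test", "superuser"] ordering while the any-role check authorizes both orderings and still denies the token signed with the wrong key; peek_roles on the issue's own second token confirms its claim really is ["test", "superuser"], so the ordering, not the token content, is what the reporter's setup trips over.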


[GitHub] [pulsar] nodece commented on issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

Posted by GitBox <gi...@apache.org>.
nodece commented on issue #16574:
URL: https://github.com/apache/pulsar/issues/16574#issuecomment-1187576502

   Well, thank you for telling me it works!


[GitHub] [pulsar] nodece commented on issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

Posted by GitBox <gi...@apache.org>.
nodece commented on issue #16574:
URL: https://github.com/apache/pulsar/issues/16574#issuecomment-1185429256

   Thanks for your report, you are right! We need to submit a patch to fix this issue.


[GitHub] [pulsar] nodece commented on issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

Posted by GitBox <gi...@apache.org>.
nodece commented on issue #16574:
URL: https://github.com/apache/pulsar/issues/16574#issuecomment-1186861510

   I submitted https://github.com/apache/pulsar/pull/16645 to fix this issue, could you review this PR?


[GitHub] [pulsar] acortes-okode commented on issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

Posted by GitBox <gi...@apache.org>.
acortes-okode commented on issue #16574:
URL: https://github.com/apache/pulsar/issues/16574#issuecomment-1187360342

   Hi again,
   
   It's my first time making such things so I'm not sure if you are telling me to review the PR since it seems I do not have the `write` access that this PR needs for me to review it (and there are also 4 people requested as reviewers).
   
   Anyway, I have seen the changes and it looks good to me. I've also checked out the code, built it and tested it, and it worked as expected.
   
   Thank you very much!


[GitHub] [pulsar] Technoboy- closed issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

Posted by GitBox <gi...@apache.org>.
Technoboy- closed issue #16574: MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)
URL: https://github.com/apache/pulsar/issues/16574
