You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by rg...@apache.org on 2022/05/11 05:22:16 UTC
[pulsar] branch branch-2.10 updated: [Authorization] Role with namespace produce authz can also get topics (#13773)
This is an automated email from the ASF dual-hosted git repository.
rgao pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.10 by this push:
new b172fc817e1 [Authorization] Role with namespace produce authz can also get topics (#13773)
b172fc817e1 is described below
commit b172fc817e13d02d48d90367ebe434e57fda3fdf
Author: Ruguo Yu <ji...@163.com>
AuthorDate: Wed Mar 2 16:57:11 2022 +0800
[Authorization] Role with namespace produce authz can also get topics (#13773)
(cherry picked from commit 89d60af1981f732b68fe783666bcc470c18afd32)
---
.../authorization/PulsarAuthorizationProvider.java | 35 ++++++++++++++++++++++
.../api/AuthorizationProducerConsumerTest.java | 6 ++++
2 files changed, 41 insertions(+)
diff --git a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 5cba6895a22..1ad8fbe3e09 100644
--- a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -228,6 +228,40 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
return allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.sinks);
}
+ private CompletableFuture<Boolean> allowConsumeOrProduceOpsAsync(NamespaceName namespaceName,
+ String role,
+ AuthenticationDataSource authenticationData) {
+ CompletableFuture<Boolean> finalResult = new CompletableFuture<>();
+ allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.consume)
+ .whenComplete((consumeAuthorized, e) -> {
+ if (e == null) {
+ if (consumeAuthorized) {
+ finalResult.complete(consumeAuthorized);
+ return;
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug("Namespace [{}] Role [{}] exception occurred while trying to check Consume "
+ + "permission. {}", namespaceName, role, e.getCause());
+ }
+ }
+ allowTheSpecifiedActionOpsAsync(namespaceName, role, authenticationData, AuthAction.produce)
+ .whenComplete((produceAuthorized, ex) -> {
+ if (ex == null) {
+ finalResult.complete(produceAuthorized);
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug("Namespace [{}] Role [{}] exception occurred while trying to check "
+ + "Produce permission. {}", namespaceName, role, ex.getCause());
+ }
+ finalResult.completeExceptionally(ex.getCause());
+ }
+ });
+ });
+
+ return finalResult;
+ }
+
private CompletableFuture<Boolean> allowTheSpecifiedActionOpsAsync(NamespaceName namespaceName, String role,
AuthenticationDataSource authenticationData,
AuthAction authAction) {
@@ -550,6 +584,7 @@ public class PulsarAuthorizationProvider implements AuthorizationProvider {
namespaceName, role, authData, AuthAction.packages);
case GET_TOPIC:
case GET_TOPICS:
+ return allowConsumeOrProduceOpsAsync(namespaceName, role, authData);
case UNSUBSCRIBE:
case CLEAR_BACKLOG:
return allowTheSpecifiedActionOpsAsync(
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index d140da2fca3..00faf964bf7 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -454,6 +454,12 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
assertEquals(sub1Admin.topics().getStats(topicName + "-partition-0").getSubscriptions()
.get(subscriptionName).getMsgBacklog(), 0);
+ superAdmin.namespaces().revokePermissionsOnNamespace(namespace, subscriptionRole);
+ superAdmin.namespaces().grantPermissionOnNamespace(namespace, subscriptionRole,
+ Sets.newHashSet(AuthAction.produce));
+ assertEquals(sub1Admin.topics().getPartitionedTopicList(namespace),
+ Lists.newArrayList(topicName));
+
log.info("-- Exiting {} test --", methodName);
}