You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2019/05/27 03:32:26 UTC

[GitHub] [pulsar] zymap opened a new issue #4384: [Web Service] Error code

zymap opened a new issue #4384: [Web Service] Error code
URL: https://github.com/apache/pulsar/issues/4384
 
 
   **Describe the bug**
   A clear and concise description of what the bug is.
   
   ```
   protected void validateSuperUserAccess() {
           if (config().isAuthenticationEnabled()) {
               String appId = clientAppId();
               if(log.isDebugEnabled()) {
                   log.debug("[{}] Check super user access: Authenticated: {} -- Role: {}", uri.getRequestUri(),
                           isClientAuthenticated(appId), appId);
               }
               String originalPrincipal = originalPrincipal();
               validateOriginalPrincipal(pulsar.getConfiguration().getProxyRoles(), appId, originalPrincipal);
   
               if (pulsar.getConfiguration().getProxyRoles().contains(appId)) {
   
                   CompletableFuture<Boolean> proxyAuthorizedFuture;
                   CompletableFuture<Boolean> originalPrincipalAuthorizedFuture;
   
                   try {
                       proxyAuthorizedFuture = pulsar.getBrokerService()
                               .getAuthorizationService()
                               .isSuperUser(appId);
   
                       originalPrincipalAuthorizedFuture = pulsar.getBrokerService()
                               .getAuthorizationService()
                               .isSuperUser(originalPrincipal);
   
                       if (!proxyAuthorizedFuture.get() || !originalPrincipalAuthorizedFuture.get()) {
                           throw new RestException(Status.UNAUTHORIZED,
                                   String.format("Proxy not authorized for super-user operation (proxy:%s,original:%s)",
                                                 appId, originalPrincipal));
                       }
                   } catch (InterruptedException | ExecutionException e) {
                       throw new RestException(Status.INTERNAL_SERVER_ERROR, e.getMessage());
                   }
                   log.debug("Successfully authorized {} (proxied by {}) as super-user",
                             originalPrincipal, appId);
               } else if (!config().getSuperUserRoles().contains(appId)) {
                   throw new RestException(Status.UNAUTHORIZED, "This operation requires super-user access");
               }
           }
       }
   ```
   
   This code is validate whether the user have permission for request content. I think it's more better return as 403. It just haven't permission to access the content. What do you think about this?
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services