Posted to dev@rocketmq.apache.org by GitBox <gi...@apache.org> on 2019/03/15 03:49:33 UTC

[GitHub] [rocketmq] haoforliu opened a new issue #1090: Some questions about ACL permissions

haoforliu opened a new issue #1090: Some questions about ACL permissions
URL: https://github.com/apache/rocketmq/issues/1090
    Background: whitelist verification is not used. The user is given ANY permission on all topics. Retry topics are not considered!
    void checkPerm(PlainAccessResource needCheckedAccess, PlainAccessResource ownedAccess) {
        if (Permission.needAdminPerm(needCheckedAccess.getRequestCode()) && !ownedAccess.isAdmin()) {
            throw new AclException(String.format("Need admin permission for request code=%d, but accessKey=%s is not", needCheckedAccess.getRequestCode(), ownedAccess.getAccessKey()));
        }
        Map<String, Byte> needCheckedPermMap = needCheckedAccess.getResourcePermMap();
        Map<String, Byte> ownedPermMap = ownedAccess.getResourcePermMap();

        if (needCheckedPermMap == null) {
            // If the needCheckedPermMap is null, then return
            return;
        }

        for (Map.Entry<String, Byte> needCheckedEntry : needCheckedPermMap.entrySet()) {
            String resource = needCheckedEntry.getKey();
            Byte neededPerm = needCheckedEntry.getValue();
            boolean isGroup = PlainAccessResource.isRetryTopic(resource);

            if (!ownedPermMap.containsKey(resource)) {
                // Check the default perm
                byte ownedPerm = isGroup ? needCheckedAccess.getDefaultGroupPerm() :
                    needCheckedAccess.getDefaultTopicPerm();
                if (!Permission.checkPermission(neededPerm, ownedPerm)) {
                    throw new AclException(String.format("No default permission for %s", PlainAccessResource.printStr(resource, isGroup)));
                }
                continue;
            }
            if (!Permission.checkPermission(neededPerm, ownedPermMap.get(resource))) {
                throw new AclException(String.format("No default permission for %s", PlainAccessResource.printStr(resource, isGroup)));
            }
        }
    }
    Question 1:
      In the code above, ownedPermMap must not be null, otherwise a NullPointerException is thrown. This means the configuration file must contain topicPerms and it must not be empty. Does this need to be improved?
    Question 2:
      Suppose Question 1 does not exist, but ownedPermMap does not contain the topic that needs to be verified.
      Because the value of ownedPerm is always 1, Permission.checkPermission(neededPerm, ownedPerm) = false, so an exception is always thrown.
      The cause of Question 2 is that when needCheckedAccess is constructed, defaultTopicPerm is 1. But I suspect the code is wrong: should

      byte ownedPerm = isGroup ? needCheckedAccess.getDefaultGroupPerm() :
                          needCheckedAccess.getDefaultTopicPerm();

      be changed to

      byte ownedPerm = isGroup ? ownedAccess.getDefaultGroupPerm() :
                          ownedAccess.getDefaultTopicPerm();

      for the logic to be correct? Otherwise the default permission configured for the default user is never used at all!
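The following is an added example, not RocketMQ's code or the issue author's: a small Python model of the quoted checkPerm logic that runs the same request against both readings of the default perm (request side vs. configured account side), with a null guard standing in for the Question 1 fix. The permission bit values are an assumption taken from org.apache.rocketmq.common.Permission and should be checked against the version in use.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Assumption: bit values as in org.apache.rocketmq.common.Permission
# (DENY == 1 is the "defaultTopicPerm is 1" the issue refers to).
DENY, ANY, PUB, SUB = 1, 2, 4, 8


def check_permission(needed: int, owned: int) -> bool:
    """Model of Permission.checkPermission: DENY always loses, ANY needs PUB or SUB."""
    if owned & DENY:
        return False
    if needed & ANY:
        return bool(owned & (PUB | SUB))
    return bool(needed & owned)


@dataclass
class AccessResource:
    """Stand-in for PlainAccessResource (retry/group topics ignored, as in the issue)."""
    access_key: str
    resource_perms: Optional[Dict[str, int]] = None
    default_topic_perm: int = DENY  # a request-side resource is built with DENY


def check_perm(needed: AccessResource, owned: AccessResource,
               defaults_from_owned: bool) -> Optional[str]:
    """Model of checkPerm; returns None when allowed, else the AclException message."""
    if needed.resource_perms is None:
        return None
    # Question 1: the original dereferences ownedPermMap with no null check;
    # treating a missing topicPerms section as empty avoids the NPE.
    owned_perms = owned.resource_perms or {}
    for resource, needed_perm in needed.resource_perms.items():
        if resource not in owned_perms:
            # Question 2: which side supplies the default perm for unlisted topics
            src = owned if defaults_from_owned else needed
            if not check_permission(needed_perm, src.default_topic_perm):
                return f"No default permission for {resource}"
            continue
        if not check_permission(needed_perm, owned_perms[resource]):
            return f"No permission for {resource}"
    return None


def demo() -> Dict[str, Optional[str]]:
    # Constructed sample: account with defaultTopicPerm=PUB|SUB and no explicit
    # topicPerms entries, sending (needs PUB) to a topic that is not listed.
    owned = AccessResource("rocketmq2", None, default_topic_perm=PUB | SUB)
    needed = AccessResource("rocketmq2", {"TopicTest": PUB})
    return {"from_request_side": check_perm(needed, owned, defaults_from_owned=False),
            "from_account_side": check_perm(needed, owned, defaults_from_owned=True)}
```

With the default read from the request side the send is rejected even though the account allows PUB|SUB by default; reading it from the account side lets the configured default take effect.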
   
