You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2022/05/09 08:29:38 UTC

[GitHub] [pulsar] Technoboy- opened a new pull request, #15501: Fix grant all permissions but can't list topic.

Technoboy- opened a new pull request, #15501:
URL: https://github.com/apache/pulsar/pull/15501

   Fixes #14191
   
   Master Issue: #14191
   
   ### Motivation
   As #14191 described, users may get confused about the current permission.
   First, we only define the below actions in the grant-permission interface:
   ```
   produce,consume,sources,sinks,functions,packages
   ```
   Though we grant all the actions to some roles like below (`myuser` is not admin, only a normal user):
   ```
   $ pulsar-admin namespaces grant-permission public/default --role myuser --actions produce,consume,sources,sinks,functions,packages
   ```
   But when we list topics under a namespace:
   ```
   $ pulsar-admin --admin-url https://dev.pulsar.xyz.com:8081 --auth-plugin "org.apache.pulsar.client.impl.auth.AuthenticationToken" --auth-params "token:<token>" topics list public/default
   ```
   We will get the below error message :
   ```
   HTTP 403 : Unauthorized to validateNamespaceOperation for operation [GET_BUNDLE] on namespace [mytenant/np1]
   ```
   
   Because when listing topics, we will search all the topics including non-persistent topics which will validate `GET_BUNDLE` operation, but we don't have this `action` in auth action, and it's not good to add to `AuthAction`, for it's duplicate with `NamespaceOperation`. So we'd better map this to `consume` operation to solve the problem.
   
   
   ### Documentation
     
   - [x] `no-need-doc` 
   (Please explain why)
     
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] nicoloboschi commented on pull request #15501: [fix][security] Fix grant all permissions but can't list topic.

Posted by GitBox <gi...@apache.org>.

nicoloboschi commented on PR #15501:
URL: https://github.com/apache/pulsar/pull/15501#issuecomment-1121170168

   @Technoboy- the patch doesn't apply cleanly to 2.10. Would you mind to provide it in another pull?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] github-actions[bot] commented on pull request #15501: [fix][security] Fix grant all permissions but can't list topic.

Posted by GitBox <gi...@apache.org>.

github-actions[bot] commented on PR #15501:
URL: https://github.com/apache/pulsar/pull/15501#issuecomment-1120803818

   @Technoboy-:Thanks for your contribution. For this PR, do we need to update docs?
   (The [PR template contains info about doc](https://github.com/apache/pulsar/blob/master/.github/PULL_REQUEST_TEMPLATE.md#documentation), which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] BewareMyPower commented on pull request #15501: [fix][security] Fix grant all permissions but can't list topic.

Posted by GitBox <gi...@apache.org>.

BewareMyPower commented on PR #15501:
URL: https://github.com/apache/pulsar/pull/15501#issuecomment-1195223976

   @Technoboy- Could you create another PR to migrate this PR to branch-2.8? The `allowNamespaceOperationAsync` method is very different in branch-2.8.
   
   
   https://github.com/apache/pulsar/blob/bb8c9456da44877f5ffba9aaeecb99b354209014/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L530-L555
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] codelipenghui merged pull request #15501: [fix][security] Fix grant all permissions but can't list topic.

Posted by GitBox <gi...@apache.org>.

codelipenghui merged PR #15501:
URL: https://github.com/apache/pulsar/pull/15501


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [pulsar] Technoboy- commented on pull request #15501: [fix][security] Fix grant all permissions but can't list topic.

Posted by GitBox <gi...@apache.org>.

Technoboy- commented on PR #15501:
URL: https://github.com/apache/pulsar/pull/15501#issuecomment-1121272068

   > @Technoboy- the patch doesn't apply cleanly to 2.10. Would you mind to provide it in another pull?
   
   Ok.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org