This is an automated email from the ASF dual-hosted git repository.
mattisonchao pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-2.9 by this push:
new 6ded1808110 [branch-2.9] [Authorization] Role with namespace produce
authz can also get topics. (#15740)
6ded1808110 is described below
commit 6ded18081101fd4bce8ce488f646c58b643f3ba7
Author: Qiang Zhao <[email protected]>
AuthorDate: Wed May 25 09:05:21 2022 +0800
[branch-2.9] [Authorization] Role with namespace produce authz can also get
topics. (#15740)
---
.../authorization/PulsarAuthorizationProvider.java | 35 ++++++++++++++++++++++
.../api/AuthorizationProducerConsumerTest.java | 5 ++++
2 files changed, 40 insertions(+)
diff --git
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index d0884da7dc0..9aea1261cf2 100644
---
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -542,6 +542,7 @@ public class PulsarAuthorizationProvider implements
AuthorizationProvider {
namespaceName, role, authData,
AuthAction.packages);
case GET_TOPIC:
case GET_TOPICS:
+ return
allowConsumeOrProduceOpsAsync(namespaceName, role, authData);
case UNSUBSCRIBE:
case CLEAR_BACKLOG:
return allowTheSpecifiedActionOpsAsync(
@@ -563,6 +564,40 @@ public class PulsarAuthorizationProvider implements
AuthorizationProvider {
});
}
+ private CompletableFuture<Boolean>
allowConsumeOrProduceOpsAsync(NamespaceName namespaceName,
+ String
role,
+
AuthenticationDataSource authenticationData) {
+ CompletableFuture<Boolean> finalResult = new CompletableFuture<>();
+ allowTheSpecifiedActionOpsAsync(namespaceName, role,
authenticationData, AuthAction.consume)
+ .whenComplete((consumeAuthorized, e) -> {
+ if (e == null) {
+ if (consumeAuthorized) {
+ finalResult.complete(consumeAuthorized);
+ return;
+ }
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug("Namespace [{}] Role [{}] exception
occurred while trying to check Consume "
+ + "permission. {}", namespaceName, role,
e.getCause());
+ }
+ }
+ allowTheSpecifiedActionOpsAsync(namespaceName, role,
authenticationData, AuthAction.produce)
+ .whenComplete((produceAuthorized, ex) -> {
+ if (ex == null) {
+ finalResult.complete(produceAuthorized);
+ } else {
+ if (log.isDebugEnabled()) {
+ log.debug("Namespace [{}] Role [{}]
exception occurred while trying to check "
+ + "Produce permission. {}",
namespaceName, role, ex.getCause());
+ }
+
finalResult.completeExceptionally(ex.getCause());
+ }
+ });
+ });
+
+ return finalResult;
+ }
+
@Override
public CompletableFuture<Boolean>
allowNamespacePolicyOperationAsync(NamespaceName namespaceName,
PolicyName policy,
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 62aa429436d..dcfb16c92de 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -432,6 +432,11 @@ public class AuthorizationProducerConsumerTest extends
ProducerConsumerBase {
assertEquals(sub1Admin.topics().getStats(topicName +
"-partition-0").getSubscriptions()
.get(subscriptionName).getMsgBacklog(), 0);
+ superAdmin.namespaces().revokePermissionsOnNamespace(namespace,
subscriptionRole);
+ superAdmin.namespaces().grantPermissionOnNamespace(namespace,
subscriptionRole,
+ Sets.newHashSet(AuthAction.produce));
+ assertEquals(sub1Admin.topics().getPartitionedTopicList(namespace),
+ Lists.newArrayList(topicName));
log.info("-- Exiting {} test --", methodName);
}
