[GitHub] [pulsar] BewareMyPower commented on pull request #16201: [fix][broker] Fix passing incorrect authentication data

Mon, 27 Jun 2022 22:41:05 -0700 


BewareMyPower commented on PR #16201:
URL: https://github.com/apache/pulsar/pull/16201#issuecomment-1168249833

   Actually I think the logic is not clear. The key point is that both 
`originalAuthData` and `authenticationData` might be used in 
`isProxyAuthorizedFuture`, but `authenticationData` is always used in 
`isAuthorizedFuture`.
   
   What do you think of my following code?
   
   ```java
       private CompletableFuture<Boolean> 
isTopicOperationAllowedByProxy(TopicName topicName, TopicOperation operation,
                                                                         String 
subscription) {
           if (originalPrincipal != null) {
               final AuthenticationDataSource authenticationDataSource = 
(subscription == null)
                       ? getAuthenticationData()
                       : new 
AuthenticationDataSubscription(getAuthenticationData(), subscription);
               return 
service.getAuthorizationService().allowTopicOperationAsync(
                       topicName, operation, originalPrincipal, 
authenticationDataSource);
           } else {
               return CompletableFuture.completedFuture(true);
           }
       }
   
       private CompletableFuture<Boolean> 
isTopicOperationAllowedByBroker(TopicName topicName, TopicOperation operation,
                                                                          
String subscription) {
           final AuthenticationDataSource authenticationDataSource = 
(subscription == null)
                   ? getAuthenticationData()
                   : new AuthenticationDataSubscription(authenticationData, 
subscription);
           return service.getAuthorizationService()
                   .allowTopicOperationAsync(topicName, operation, authRole, 
authenticationDataSource);
       }
   
       private CompletableFuture<Boolean> isTopicOperationAllowed(TopicName 
topicName, TopicOperation operation,
                                                                  String 
subscription) {
           if (!service.isAuthorizationEnabled()) {
               return CompletableFuture.completedFuture(true);
           }
           return isTopicOperationAllowedByProxy(topicName, operation, 
subscription)
                   .thenCombine(isTopicOperationAllowedByBroker(topicName, 
operation, subscription),
                           (isProxyAuthorized, isAuthorized) -> {
                               /* ... */
                               return isProxyAuthorized && isAuthorized;
                           });
       }
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to