Technoboy- commented on code in PR #16645:
URL: https://github.com/apache/pulsar/pull/16645#discussion_r928598325
##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java:
##########
@@ -80,58 +86,112 @@ public void initialize(ServiceConfiguration conf,
PulsarResources pulsarResource
super.initialize(conf, pulsarResources);
}
- private List<String> getRoles(AuthenticationDataSource authData) {
+ @Override
+ public CompletableFuture<Boolean> isSuperUser(String role,
AuthenticationDataSource authenticationData,
+ ServiceConfiguration
serviceConfiguration) {
+ Set<String> roles = getRoles(authenticationData);
+ if (roles.isEmpty()) {
+ return CompletableFuture.completedFuture(false);
+ }
+ Set<String> superUserRoles = serviceConfiguration.getSuperUserRoles();
+ if (superUserRoles.isEmpty()) {
+ return CompletableFuture.completedFuture(false);
+ }
+
+ return
CompletableFuture.completedFuture(roles.stream().anyMatch(superUserRoles::contains));
+ }
+
+ @Override
+ public CompletableFuture<Boolean> validateTenantAdminAccess(String
tenantName, String role,
+
AuthenticationDataSource authData) {
+ return isSuperUser(role, authData, conf)
+ .thenCompose(isSuperUser -> {
+ if (isSuperUser) {
+ return CompletableFuture.completedFuture(true);
+ }
+ Set<String> roles = getRoles(authData);
+ if (roles.isEmpty()) {
+ return CompletableFuture.completedFuture(false);
+ }
+
+ return pulsarResources.getTenantResources()
+ .getTenantAsync(tenantName)
+ .thenCompose(op -> {
+ if (op.isPresent()) {
+ TenantInfo tenantInfo = op.get();
+ if (tenantInfo.getAdminRoles() == null ||
tenantInfo.getAdminRoles().isEmpty()) {
+ return
CompletableFuture.completedFuture(false);
+ }
+
+ return
CompletableFuture.completedFuture(roles.stream()
+ .anyMatch(n ->
tenantInfo.getAdminRoles().contains(n)));
+ } else {
+ throw new
RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
+ }
+ }).exceptionally(ex -> {
+ Throwable cause = ex.getCause();
+ if (cause instanceof
MetadataStoreException.NotFoundException) {
+ log.warn("Failed to get tenant info data
for non existing tenant {}", tenantName);
+ throw new
RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
+ }
+ log.error("Failed to get tenant {}",
tenantName, cause);
+ throw new RestException(cause);
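Review bot: `isSuperUser` never reads its `role` argument, and `validateTenantAdminAccess` only forwards it, so both decisions rest entirely on what `getRoles` extracts from the `AuthenticationDataSource`. `getRoles` is not part of this quoted hunk, so it cannot be confirmed from here whether it verifies the token itself or assumes the authentication provider already did. That precondition deserves a Javadoc line on both overrides, e.g. `/** Ignores {@code role}; authorizes on the roles carried in {@code authenticationData}, which must come from an already-authenticated request. */`. `validateTenantAdminAccess` also calls `getRoles(authData)` again inside the `thenCompose` lambda after `isSuperUser` has already computed it, presumably decoding the same token twice, which is worth a comment or hoisting. The body of `validateTenantAdminAccess` continues past the end of the quoted hunk.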
Review Comment:
If line 129 throws a RestException, will it be wrapped here in a new
RestException(RestException ...)?