zymap opened a new issue #4384: [Web Service] Error code
URL: https://github.com/apache/pulsar/issues/4384

**Describe the bug**
A clear and concise description of what the bug is.

```
protected void validateSuperUserAccess() {
    if (config().isAuthenticationEnabled()) {
        String appId = clientAppId();
        if (log.isDebugEnabled()) {
            log.debug("[{}] Check super user access: Authenticated: {} -- Role: {}",
                    uri.getRequestUri(), isClientAuthenticated(appId), appId);
        }
        String originalPrincipal = originalPrincipal();
        validateOriginalPrincipal(pulsar.getConfiguration().getProxyRoles(), appId, originalPrincipal);

        if (pulsar.getConfiguration().getProxyRoles().contains(appId)) {
            // Proxied request: both the proxy role and the original principal must be super-users.
            CompletableFuture<Boolean> proxyAuthorizedFuture;
            CompletableFuture<Boolean> originalPrincipalAuthorizedFuture;

            try {
                proxyAuthorizedFuture = pulsar.getBrokerService()
                        .getAuthorizationService()
                        .isSuperUser(appId);

                originalPrincipalAuthorizedFuture = pulsar.getBrokerService()
                        .getAuthorizationService()
                        .isSuperUser(originalPrincipal);

                if (!proxyAuthorizedFuture.get() || !originalPrincipalAuthorizedFuture.get()) {
                    throw new RestException(Status.UNAUTHORIZED,
                            String.format("Proxy not authorized for super-user operation (proxy:%s,original:%s)",
                                    appId, originalPrincipal));
                }
            } catch (InterruptedException | ExecutionException e) {
                throw new RestException(Status.INTERNAL_SERVER_ERROR, e.getMessage());
            }
            log.debug("Successfully authorized {} (proxied by {}) as super-user",
                    originalPrincipal, appId);
        } else if (!config().getSuperUserRoles().contains(appId)) {
            // Direct request from a role that is not a super-user.
            throw new RestException(Status.UNAUTHORIZED, "This operation requires super-user access");
        }
    }
}
```

This code validates whether the user has permission for the requested content. I think it would be better to return 403. It just doesn't have permission to access the content. What do you think about this?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
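The distinction the issue raises, as an added example that is not part of the original issue or of Apache Pulsar's code: 401 when the caller has no authenticated identity, 403 when the identity is known but lacks super-user rights. The class, method and role names are hypothetical, and the original-principal validation is simplified to a null check.

```java
import java.util.Set;

// Added illustration; not Apache Pulsar code. All names here are hypothetical.
public class SuperUserStatusExample {
    static final int OK = 200, UNAUTHORIZED = 401, FORBIDDEN = 403;

    /**
     * Picks the HTTP status for a super-user-only admin request.
     * appId is the authenticated role, or null when the caller presented no
     * valid credentials; originalPrincipal is the role forwarded by a proxy.
     */
    static int superUserStatus(boolean authenticationEnabled, String appId,
                               String originalPrincipal, Set<String> proxyRoles,
                               Set<String> superUserRoles) {
        if (!authenticationEnabled) {
            return OK; // mirrors the quoted method: no check when authentication is off
        }
        if (appId == null) {
            return UNAUTHORIZED; // identity unknown: the caller must authenticate
        }
        if (proxyRoles.contains(appId)) {
            // Proxied request: both the proxy and the original principal must be super-users.
            boolean both = superUserRoles.contains(appId)
                    && originalPrincipal != null
                    && superUserRoles.contains(originalPrincipal);
            return both ? OK : FORBIDDEN;
        }
        // Identity known but lacking the role: presenting credentials again would not help.
        return superUserRoles.contains(appId) ? OK : FORBIDDEN;
    }

    public static void main(String[] args) {
        Set<String> proxies = Set.of("proxy");           // constructed sample roles
        Set<String> supers = Set.of("admin", "proxy");
        // No credentials, then a plain user, then a super-user.
        System.out.println(superUserStatus(true, null, null, proxies, supers));
        System.out.println(superUserStatus(true, "alice", null, proxies, supers));
        System.out.println(superUserStatus(true, "admin", null, proxies, supers));
        // Proxy forwarding a plain user, then forwarding a super-user.
        System.out.println(superUserStatus(true, "proxy", "alice", proxies, supers));
        System.out.println(superUserStatus(true, "proxy", "admin", proxies, supers));
    }
}
```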
