[GitHub] [pulsar] codelipenghui commented on a diff in pull request #19455: [improve][broker] Require authRole is proxyRole to set originalPrincipal

via GitHub Mon, 13 Feb 2023 01:43:16 -0800


codelipenghui commented on code in PR #19455:
URL: https://github.com/apache/pulsar/pull/19455#discussion_r1104208580



##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java:
##########
@@ -293,19 +292,39 @@ public CompletableFuture<Boolean> 
allowSinkOpsAsync(NamespaceName namespaceName,
         return provider.allowSinkOpsAsync(namespaceName, role, 
authenticationData);
     }
 
-    private static void validateOriginalPrincipal(Set<String> proxyRoles, 
String authenticatedPrincipal,
-                                                  String originalPrincipal) {
-        if (proxyRoles.contains(authenticatedPrincipal)) {
-            // Request has come from a proxy
+    public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+                                            String originalPrincipal,
+                                            AuthenticationDataSource 
authDataSource) {
+        SocketAddress remoteAddress = authDataSource != null ? 
authDataSource.getPeerAddress() : null;
+        return isValidOriginalPrincipal(authenticatedPrincipal, 
originalPrincipal, remoteAddress);
+    }
+
+    /**
+     * Validates that the authenticatedPrincipal and the originalPrincipal are 
a valid combination.
+     * Valid combinations fulfill the following rule: the 
authenticatedPrincipal is in
+     * {@link ServiceConfiguration#getProxyRoles()}, if, and only if, the 
originalPrincipal is set to a role
+     * that is not also in {@link ServiceConfiguration#getProxyRoles()}.
+     * @return true when roles are a valid combination and false when roles 
are an invalid combination
+     */
+    public boolean isValidOriginalPrincipal(String authenticatedPrincipal,
+                                            String originalPrincipal,
+                                            SocketAddress remoteAddress) {
+        String errorMsg = null;
+        if (conf.getProxyRoles().contains(authenticatedPrincipal)) {
             if (StringUtils.isBlank(originalPrincipal)) {
-                log.warn("Original principal empty in request authenticated as 
{}", authenticatedPrincipal);
-                throw new RestException(Response.Status.UNAUTHORIZED, 
"Original principal cannot be empty if the "
-                        + "request is via proxy.");
-            }
-            if (proxyRoles.contains(originalPrincipal)) {
-                log.warn("Original principal {} cannot be a proxy role ({})", 
originalPrincipal, proxyRoles);
-                throw new RestException(Response.Status.UNAUTHORIZED, 
"Original principal cannot be a proxy role");
+                errorMsg = "originalPrincipal must be provided when connecting 
with a proxy role.";
+            } else if (conf.getProxyRoles().contains(originalPrincipal)) {
+                errorMsg = "originalPrincipal cannot be a proxy role.";
             }
+        } else if (StringUtils.isNotBlank(originalPrincipal)) {
+            errorMsg = "cannot specify originalPrincipal when connecting 
without valid proxy role.";
+        }

Review Comment:
   Do we need to check if `authenticatedPrincipal` is a super user?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

[GitHub] [pulsar] codelipenghui commented on a diff in pull request #19455: [improve][broker] Require authRole is proxyRole to set originalPrincipal

Reply via email to