[GitHub] [pulsar] michaeljmarshall commented on a diff in pull request #19461: [improve][authorization] Uniformly use allowTopicOperationAsync to check permissions

Fri, 14 Apr 2023 14:54:57 -0700 


michaeljmarshall commented on code in PR #19461:
URL: https://github.com/apache/pulsar/pull/19461#discussion_r1167295009


##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java:
##########
@@ -129,11 +142,15 @@ CompletableFuture<Boolean> canConsumeAsync(TopicName 
topicName, String role,
      *
      * @param topicName
      * @param role
-     * @return
-     * @throws Exception
+     *
+     * @deprecated
+     * Use {@link #allowTopicOperationAsync(TopicName, String, TopicOperation, 
AuthenticationDataSource)} instead.
      */
-    CompletableFuture<Boolean> canLookupAsync(TopicName topicName, String role,
-            AuthenticationDataSource authenticationData);
+    @Deprecated
+    default CompletableFuture<Boolean> canLookupAsync(TopicName topicName, 
String role,
+            AuthenticationDataSource authenticationData) {
+        return CompletableFuture.completedFuture(false);
+    }

Review Comment:
   Instead of providing a default implementation, I think we should just 
deprecate these methods. Then, in the `PulsarAuthorizationProvider` class, we 
can remove the `@Override` annotation and those methods become internal 
implementation details instead of top level methods on the interface.



##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java:
##########
@@ -345,9 +362,41 @@ default CompletableFuture<Boolean> 
allowTopicOperationAsync(TopicName topic,
                                                                 String role,
                                                                 TopicOperation 
operation,
                                                                 
AuthenticationDataSource authData) {
-        return FutureUtil.failedFuture(
-            new IllegalStateException("TopicOperation [" + operation.name() + 
"] is not supported by the Authorization"
-                    + "provider you are using."));

Review Comment:
   Are you able to explain a bit more why this is required for backwards 
compatibility? I think we should be able to leave this here and leave the 
`switch` statement in the `PulsarAuthorizationProvider`.



##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java:
##########
@@ -273,7 +281,7 @@ public CompletableFuture<Boolean> canLookupAsync(TopicName 
topicName, String rol
             if (isSuperUser) {
                 return CompletableFuture.completedFuture(true);
             } else {
-                return provider.canLookupAsync(topicName, role, 
authenticationData);
+                return provider.allowTopicOperationAsync(topicName, role, 
TopicOperation.LOOKUP, authenticationData);

Review Comment:
   This is only tangentially related to your PR, but it seems like a broken 
abstraction that the `AuthorizationService` decides that the `superuser` 
privilege supersedes the `AuthenticationProvider` implementaiton. Instead, I 
think we could just call `provider.allowTopicOperationAsync(topicName, role, 
TopicOperation.LOOKUP, authenticationData);`, as you've done here.
   
   My goal is to move that logic into the provider so that plugin 
implementations do not need to deal with the complexity of when to check for 
super user and when not to. All of this logic should be delegated to the 
provider, in my opinion.
   
   That change is probably worth its own PR, though.



##########
pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java:
##########
@@ -191,7 +192,14 @@ public CompletableFuture<Boolean> 
canConsumeAsync(TopicName topicName, String ro
             if (isSuperUser) {
                 return CompletableFuture.completedFuture(true);
             } else {
-                return provider.canConsumeAsync(topicName, role, 
authenticationData, subscription);
+                AuthenticationDataSource subscriptionDataSource;
+                if (authenticationData instanceof 
AuthenticationDataSubscription) {
+                    subscriptionDataSource = authenticationData;
+                } else {
+                    subscriptionDataSource = new 
AuthenticationDataSubscription(authenticationData, subscription);
+                }
+                return provider.allowTopicOperationAsync(topicName, role, 
TopicOperation.CONSUME,
+                        subscriptionDataSource);

Review Comment:
   Can we deprecate this `canConsumeAsync` method? It seems like the same kind 
of logic that we're deprecating in the `AuthorizationProvider`.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

Reply via email to