Technoboy- opened a new pull request, #22292: URL: https://github.com/apache/pulsar/pull/22292
### Motivation

- Partitioned topic operation without authorization check.
- Some namespace/topic operations are done without authorization check.

### Modification

- `TRIM_TOPIC`: we forgot to add this AuthAction; this would cause the normal user to throw `IllegalStateException`, not `NotAuthorizedException`.
- `internalSetProperty`, `internalSetProperties`, `internalGetProperty`, `internalGetProperties`, `internalRemoveProperty`, `internalClearProperties`: there was no auth for these methods before. Adding a new AuthAction could cause a compatibility issue, so we use the existing `TenantOperation.CREATE_NAMESPACE` instead, which means a user who can create the namespace can get/set the namespace properties.
- `internalUnloadTopic`, `internalGetManagedLedgerInfo`, `internalGetPartitionedStats`, `internalGetPartitionedStatsInternal`, `internalCreateSubscription`, `internalUpdateSubscriptionProperties`, `internalAnalyzeSubscriptionBacklog`, `internalGetSubscriptionProperties`: we don't check the auth for these methods of the partitioned topic. Before, for a partitioned topic, we needed to get the metadata first and then call the `admin-client` to execute the auth, which will skip the real auth check.

### Verifying this change

- Add `NamespaceAuthZTest` and `TopicAuthZTest`

### Documentation

- [ ] `doc`
- [ ] `doc-required`
- [x] `doc-not-needed`
- [ ] `doc-complete`
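
The partitioned-topic gap described under Modification, as an added Java sketch that is not code from this pull request or from Pulsar. All class, method and role names are hypothetical, and it assumes the per-partition calls arrive under a privileged broker identity, which is why the original caller's role is never evaluated.

```java
import java.util.Map;
import java.util.Set;

// Hypothetical model, not Pulsar code: every class, method and role name is invented.
public class PartitionedAuthzSketch {
    // Constructed sample data: role -> topics it may operate on.
    static final Map<String, Set<String>> GRANTS = Map.of("alice", Set.of("orders"));
    static final String BROKER_ROLE = "broker-internal"; // assumed privileged identity
    static final Map<String, Integer> PARTITIONS = Map.of("orders", 3);

    static void authorize(String role, String topic) {
        if (role.equals(BROKER_ROLE)) return; // internal identity passes every check
        String base = topic.replaceAll("-partition-\\d+$", "");
        if (!GRANTS.getOrDefault(role, Set.of()).contains(base)) {
            throw new SecurityException(role + " not authorized on " + topic);
        }
    }

    // Per-partition entry point: checks whichever identity made the call.
    static void unloadPartition(String callerRole, String topic) {
        authorize(callerRole, topic);
    }

    // Before: the partitioned branch fans out via the internal client, so the only
    // identity ever checked is the broker's, never the original caller's.
    static int unloadBefore(String callerRole, String topic) {
        int n = PARTITIONS.getOrDefault(topic, 0);
        if (n == 0) { unloadPartition(callerRole, topic); return 1; }
        for (int i = 0; i < n; i++) unloadPartition(BROKER_ROLE, topic + "-partition-" + i);
        return n;
    }

    // After: authorize the original caller on the parent topic before fanning out.
    static int unloadAfter(String callerRole, String topic) {
        authorize(callerRole, topic);
        return unloadBefore(callerRole, topic);
    }

    public static void main(String[] args) {
        System.out.println("before, mallory: unloaded " + unloadBefore("mallory", "orders"));
        try {
            unloadAfter("mallory", "orders");
        } catch (SecurityException e) {
            System.out.println("after, mallory: " + e.getMessage());
        }
        System.out.println("after, alice: unloaded " + unloadAfter("alice", "orders"));
    }
}
```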
