Geal opened a new issue #5712: check super user status through the 
authorization provider instead of the configuration file
URL: https://github.com/apache/pulsar/issues/5712
 
 
   **Is your feature request related to a problem? Please describe.**
   Hello, I am building an authentication provider and an authorization 
provider, and I noticed that for some calls from pulsar-admin, the 
authorization provider is not called.
   
   Examples:
   - `pulsar-admin tenants list` returns "This operation requires super-user 
access"
   - `pulsar-admin namespaces list <tenant>` returns "Don't have permission to 
administrate resources on this tenant"
   - `pulsar-admin topics list <tenant>/<namespace>` returns `Don't have 
permission to administrate resources on this tenant`
   
   In all 3 cases, I see from my logs that the authentication provider is 
called, but not the authorization provider:
   ```
   10:58:08.631 [pulsar-web-31-12] INFO  com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - deserialized token
   10:58:08.632 [pulsar-web-31-12] INFO  com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - checked root key
   10:58:08.632 [pulsar-web-31-12] INFO  com.clevercloud.biscuitpulsar.BiscuitAuthenticationPlugin - token deserialized and sealed
   <-- Authorization plugin logs should appear here -->
   10:58:08.643 [pulsar-web-31-12] INFO  org.eclipse.jetty.server.RequestLog - 127.0.0.1 - - [21/Nov/2019:10:58:08 +0100] "GET /admin/v2/tenants HTTP/1.1" 401 54 "-" "Pulsar-Java-v2.4.1" 16
   ```
   
   Apparently, in `PulsarWebResource.validateSuperUserAccess`, the superuser 
role is checked through the authz service if we are using proxy roles: 
https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L180-L202
   if not, we will check the superuser roles from the configuration file: 
https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L203-L204
   Same thing in `PulsarWebResource.validateAdminAccessForTenant`: 
https://github.com/apache/pulsar/blob/37476bb7cfd6245193a14f7d2d78feae33396616/pulsar-broker/src/main/java/org/apache/pulsar/broker/web/PulsarWebResource.java#L280-L288
   
   **Describe the solution you'd like**
   I propose replacing those configuration checks with a call to the authz 
service. I am testing the idea and will provide a pull request.
   If the configuration has `authorizationEnabled=true` with the default authz 
provider `org.apache.pulsar.broker.authorization.PulsarAuthorizationProvider`, 
this will not change the behaviour because the default `isSuperUser()` checks 
from the configuration file
   
https://github.com/apache/pulsar/blob/14d1eaa73e1479e403042da87ad34c7a35a304e2/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java#L44-L47
   
   
   **Describe alternatives you've considered**
   Using proxy roles would leverage the authz provider. But I think it would be 
more coherent to have everything go through the provider, instead of having 
special cases.
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services
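
The difference between the two super-user checks discussed in the issue, as an added example that is not part of the original message and not Pulsar's code. The types below are simplified stand-ins, and `TokenProvider`, its `admin:` prefix rule and the role names are constructed for illustration.

```java
import java.util.Set;
import java.util.concurrent.CompletableFuture;

// Simplified model of the check discussed in the issue; these types are
// stand-ins written for this example, not Pulsar's classes.
public class SuperUserCheckDemo {

    interface AuthzProvider {
        // Same shape as the default the issue describes: fall back to the configured roles.
        default CompletableFuture<Boolean> isSuperUser(String role, Set<String> configuredSuperUsers) {
            return CompletableFuture.completedFuture(role != null && configuredSuperUsers.contains(role));
        }
    }

    // Stand-in for the default provider: inherits the configuration-file check.
    static class DefaultProvider implements AuthzProvider {}

    // Hypothetical custom provider: super-user status comes from the credential
    // (here a constructed "admin:" role prefix), not from the configuration file.
    static class TokenProvider implements AuthzProvider {
        @Override
        public CompletableFuture<Boolean> isSuperUser(String role, Set<String> configuredSuperUsers) {
            return CompletableFuture.completedFuture(role != null && role.startsWith("admin:"));
        }
    }

    // Behaviour reported in the issue when proxy roles are not used: the provider is never consulted.
    static boolean configOnlyCheck(String role, Set<String> configuredSuperUsers) {
        return role != null && configuredSuperUsers.contains(role);
    }

    // Proposed behaviour: the decision always goes through the provider.
    static boolean providerCheck(AuthzProvider provider, String role, Set<String> configuredSuperUsers) {
        return provider.isSuperUser(role, configuredSuperUsers).join();
    }

    public static void main(String[] args) {
        Set<String> superUserRoles = Set.of("ops");      // constructed superUserRoles value
        String[] roles = {"ops", "admin:alice", "bob"};  // constructed sample roles
        for (String role : roles) {
            System.out.printf("%-12s config-only=%-5b default-provider=%-5b token-provider=%b%n",
                role,
                configOnlyCheck(role, superUserRoles),
                providerCheck(new DefaultProvider(), role, superUserRoles),
                providerCheck(new TokenProvider(), role, superUserRoles));
        }
    }
}
```

In this model the default provider gives the same answers as the configuration-only check, while the custom provider stops treating the configured `ops` role as a super-user unless it also consults the configured roles.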
