[pulsar] branch master updated: Differentiate authorization between source/sink/function operations (#7466)

Tue, 07 Jul 2020 15:45:10 -0700 

This is an automated email from the ASF dual-hosted git repository.

sanjeevrk pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 77dccd2  Differentiate authorization between source/sink/function 
operations (#7466)
77dccd2 is described below

commit 77dccd2824699c9be96f518a8a1079df51612c8e
Author: Sanjeev Kulkarni <[email protected]>
AuthorDate: Tue Jul 7 15:43:57 2020 -0700

    Differentiate authorization between source/sink/function operations (#7466)
    
    * Differentiate between source/sink/function operations
    
    * Added release notes
    
    Co-authored-by: Sanjeev Kulkarni <[email protected]>
---
 .../broker/authorization/AuthorizationProvider.java  | 20 ++++++++++++++++++++
 .../broker/authorization/AuthorizationService.java   | 10 ++++++++++
 .../authorization/PulsarAuthorizationProvider.java   | 20 ++++++++++++++++++--
 .../api/AuthorizationProducerConsumerTest.java       | 10 ++++++++++
 .../pulsar/common/policies/data/AuthAction.java      |  6 ++++++
 .../functions/worker/rest/api/ComponentImpl.java     | 14 ++++++++++++--
 site2/website/release-notes.md                       |  6 ++++++
 7 files changed, 82 insertions(+), 4 deletions(-)

diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
index 4eb5d93..63ca4cd 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationProvider.java
@@ -142,6 +142,26 @@ public interface AuthorizationProvider extends Closeable {
                                                      AuthenticationDataSource 
authenticationData);
 
     /**
+     * Allow all source operations with in this namespace
+     * @param namespaceName The namespace that the sources operations can be 
executed in
+     * @param role The role to check
+     * @param authenticationData authentication data related to the role
+     * @return a boolean to determine whether authorized or not
+     */
+    CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role,
+                                                   AuthenticationDataSource 
authenticationData);
+
+    /**
+     * Allow all sink operations with in this namespace
+     * @param namespaceName The namespace that the sink operations can be 
executed in
+     * @param role The role to check
+     * @param authenticationData authentication data related to the role
+     * @return a boolean to determine whether authorized or not
+     */
+    CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName namespaceName, 
String role,
+                                                 AuthenticationDataSource 
authenticationData);
+
+    /**
      *
      * Grant authorization-action permission on a namespace to the given client
      *
diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
index 10b35ef..e964faa 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/AuthorizationService.java
@@ -331,6 +331,16 @@ public class AuthorizationService {
         return provider.allowFunctionOpsAsync(namespaceName, role, 
authenticationData);
     }
 
+    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role,
+                                                          
AuthenticationDataSource authenticationData) {
+        return provider.allowSourceOpsAsync(namespaceName, role, 
authenticationData);
+    }
+
+    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role,
+                                                        
AuthenticationDataSource authenticationData) {
+        return provider.allowSinkOpsAsync(namespaceName, role, 
authenticationData);
+    }
+
     /**
      * Grant authorization-action permission on a tenant to the given client
      *
diff --git 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
index 1aa79bf..a394311 100644
--- 
a/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
+++ 
b/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
@@ -221,6 +221,22 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
 
     @Override
     public CompletableFuture<Boolean> allowFunctionOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.functions);
+    }
+
+    @Override
+    public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.sources);
+    }
+
+    @Override
+    public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+        return allowFunctionSourceSinkOpsAsync(namespaceName, role, 
authenticationData, AuthAction.sinks);
+    }
+
+    private CompletableFuture<Boolean> 
allowFunctionSourceSinkOpsAsync(NamespaceName namespaceName, String role,
+                                                                       
AuthenticationDataSource authenticationData,
+                                                                       
AuthAction authAction) {
         CompletableFuture<Boolean> permissionFuture = new 
CompletableFuture<>();
         try {
             configCache.policiesCache().getAsync(POLICY_ROOT + 
namespaceName.toString()).thenAccept(policies -> {
@@ -231,7 +247,7 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
                 } else {
                     Map<String, Set<AuthAction>> namespaceRoles = 
policies.get().auth_policies.namespace_auth;
                     Set<AuthAction> namespaceActions = 
namespaceRoles.get(role);
-                    if (namespaceActions != null && 
namespaceActions.contains(AuthAction.functions)) {
+                    if (namespaceActions != null && 
namespaceActions.contains(authAction)) {
                         // The role has namespace level permission
                         permissionFuture.complete(true);
                         return;
@@ -239,7 +255,7 @@ public class PulsarAuthorizationProvider implements 
AuthorizationProvider {
 
                     // Using wildcard
                     if (conf.isAuthorizationAllowWildcardsMatching()) {
-                        if (checkWildcardPermission(role, 
AuthAction.functions, namespaceRoles)) {
+                        if (checkWildcardPermission(role, authAction, 
namespaceRoles)) {
                             // The role has namespace level permission by 
wildcard match
                             permissionFuture.complete(true);
                             return;
diff --git 
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
 
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index ddeed96..180142c 100644
--- 
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ 
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -470,6 +470,16 @@ public class AuthorizationProducerConsumerTest extends 
ProducerConsumerBase {
         }
 
         @Override
+        public CompletableFuture<Boolean> allowSourceOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+            return null;
+        }
+
+        @Override
+        public CompletableFuture<Boolean> allowSinkOpsAsync(NamespaceName 
namespaceName, String role, AuthenticationDataSource authenticationData) {
+            return null;
+        }
+
+        @Override
         public CompletableFuture<Void> grantPermissionAsync(NamespaceName 
namespace, Set<AuthAction> actions,
                 String role, String authenticationData) {
             return CompletableFuture.completedFuture(null);
diff --git 
a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
 
b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
index 6f70e96..646ca03 100644
--- 
a/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
+++ 
b/pulsar-common/src/main/java/org/apache/pulsar/common/policies/data/AuthAction.java
@@ -30,4 +30,10 @@ public enum AuthAction {
 
     /** Permissions for functions ops. **/
     functions,
+
+    /** Permissions for sources ops. **/
+    sources,
+
+    /** Permissions for sinks ops. **/
+    sinks,
 }
diff --git 
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
 
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
index 2e31f73..11c7b20 100644
--- 
a/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
+++ 
b/pulsar-functions/worker/src/main/java/org/apache/pulsar/functions/worker/rest/api/ComponentImpl.java
@@ -1518,8 +1518,18 @@ public abstract class ComponentImpl {
     public boolean allowFunctionOps(NamespaceName namespaceName, String role,
                                     AuthenticationDataSource 
authenticationData) {
         try {
-            return worker().getAuthorizationService().allowFunctionOpsAsync(
-                    namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+            switch (componentType) {
+                case SINK:
+                    return 
worker().getAuthorizationService().allowSinkOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+                case SOURCE:
+                    return 
worker().getAuthorizationService().allowSourceOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+                case FUNCTION:
+                default:
+                    return 
worker().getAuthorizationService().allowFunctionOpsAsync(
+                            namespaceName, role, 
authenticationData).get(worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(),
 SECONDS);
+            }
         } catch (InterruptedException e) {
             log.warn("Time-out {} sec while checking function authorization on 
{} ", worker().getWorkerConfig().getZooKeeperOperationTimeoutSeconds(), 
namespaceName);
             throw new RestException(Status.INTERNAL_SERVER_ERROR, 
e.getMessage());
diff --git a/site2/website/release-notes.md b/site2/website/release-notes.md
index 2476a67..5bb0d49 100644
--- a/site2/website/release-notes.md
+++ b/site2/website/release-notes.md
@@ -1,6 +1,12 @@
 
 ## Apache Pulsar Release Notes
 
+### 2.7.0 &mdash; Not Yet Released <a id=“2.7.0”></a>
+
+##### Upgrade notes
+
+* [IO] If Function Authorization is enabled, users have to be given the 
source/sink entitlement to run them. See 
https://github.com/apache/pulsar/pull/7466
+
 ### 2.6.0 &mdash; 2020-06-17 <a id=“2.6.0”></a>
 
 #### Features

Reply via email to