This is an automated email from the ASF dual-hosted git repository.
penghui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new da66d0e Fix subscription permission not working in reset cursor
(#11132)
da66d0e is described below
commit da66d0e2212c99a5a7e346c38778af0f1276e7d1
Author: Zhanpeng Wu <[email protected]>
AuthorDate: Mon Jun 28 22:37:15 2021 +0800
Fix subscription permission not working in reset cursor (#11132)
### Motivation
Some `internalResetCursorXX` methods do not pass in the `subscriptionName`
parameter when verifying permissions, which causes the `subscription` check to
be skipped during the permission check of
`AuthorizationProvider#canConsumeAsync` and leads an error validation result.
This PR will fix this problem.
### Modifications
Refine the parameters of `validateTopicOperation` and supplement a relative
test case.
---
.../org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java | 4 ++--
.../pulsar/client/api/AuthorizationProducerConsumerTest.java | 8 ++++++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
index 195bff4..5a3f88e 100644
---
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
+++
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
@@ -1934,7 +1934,7 @@ public class PersistentTopicsBase extends AdminResource {
boolean authoritative) {
try {
validateTopicOwnership(topicName, authoritative);
- validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+ validateTopicOperation(topicName, TopicOperation.RESET_CURSOR,
subName);
log.info("[{}] [{}] Received reset cursor on subscription {} to
time {}",
clientAppId(), topicName, subName, timestamp);
@@ -2157,7 +2157,7 @@ public class PersistentTopicsBase extends AdminResource {
return;
} else {
validateTopicOwnership(topicName, authoritative);
- validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+ validateTopicOperation(topicName, TopicOperation.RESET_CURSOR,
subName);
PersistentTopic topic = (PersistentTopic)
getTopicReference(topicName);
if (topic == null) {
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 1e0700e..e346086 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -247,6 +247,14 @@ public class AuthorizationProducerConsumerTest extends
ProducerConsumerBase {
// Ok
}
+ // reset on position
+ try {
+ sub1Admin.topics().resetCursor(topicName, subscriptionName,
MessageId.earliest);
+ fail("should have fail with authorization exception");
+ } catch
(org.apache.pulsar.client.admin.PulsarAdminException.NotAuthorizedException e) {
+ // Ok
+ }
+
// now, grant subscription-access to subscriptionRole as well
superAdmin.namespaces().grantPermissionOnSubscription(namespace,
subscriptionName,
Sets.newHashSet(otherPrincipal, subscriptionRole));
