This is an automated email from the ASF dual-hosted git repository. penghui pushed a commit to branch branch-2.8 in repository https://gitbox.apache.org/repos/asf/pulsar.git
commit 9021deacbf6c2df1de5bca0e7ce594a1fd6a2fc6 Author: Zhanpeng Wu <[email protected]> AuthorDate: Mon Jun 28 22:37:15 2021 +0800 Fix subscription permission not working in reset cursor (#11132) ### Motivation Some `internalResetCursorXX` methods do not pass in the `subscriptionName` parameter when verifying permissions, which causes the `subscription` check to be skipped during the permission check of `AuthorizationProvider#canConsumeAsync` and leads an error validation result. This PR will fix this problem. ### Modifications Refine the parameters of `validateTopicOperation` and supplement a relative test case. (cherry picked from commit da66d0e2212c99a5a7e346c38778af0f1276e7d1)
---
 .../org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java | 4 ++--
 .../pulsar/client/api/AuthorizationProducerConsumerTest.java | 8 ++++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
index 1cdba23..53c647a 100644
--- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
+++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
@@ -1934,7 +1934,7 @@ public class PersistentTopicsBase extends AdminResource {
 boolean authoritative) {
 try {
 validateTopicOwnership(topicName, authoritative);
- validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+ validateTopicOperation(topicName, TopicOperation.RESET_CURSOR, subName);
 log.info("[{}] [{}] Received reset cursor on subscription {} to time {}", clientAppId(), topicName, subName, timestamp);
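Review bot: The two-argument `validateTopicOperation(topicName, operation)` overload that let this call skip the subscription check is still available, so nothing in this hunk (or the matching change in the `@@ -2157` hunk) prevents another subscription-scoped admin call from omitting `subName` the same way. It is not visible from here whether other callers in `PersistentTopicsBase` pass the subscription; they should be audited, and the authorization path would be safer if it rejected a subscription-scoped operation such as `TopicOperation.RESET_CURSOR` when no subscription is supplied instead of skipping the check. A short comment at the call, e.g. `// subName is required: without it the provider skips the subscription-level permission check`, would record why the argument matters. The enclosing method starts and ends outside the hunk.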
@@ -2157,7 +2157,7 @@ public class PersistentTopicsBase extends AdminResource {
 return;
 } else {
 validateTopicOwnership(topicName, authoritative);
- validateTopicOperation(topicName, TopicOperation.RESET_CURSOR);
+ validateTopicOperation(topicName, TopicOperation.RESET_CURSOR, subName);
 PersistentTopic topic = (PersistentTopic) getTopicReference(topicName);
 if (topic == null) {
diff --git a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
index 261732a..3ba210c 100644
--- a/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
+++ b/pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -247,6 +247,14 @@ public class AuthorizationProducerConsumerTest extends ProducerConsumerBase {
 // Ok
 }
+ // reset on position
+ try {
+ sub1Admin.topics().resetCursor(topicName, subscriptionName, MessageId.earliest);
+ fail("should have fail with authorization exception");
+ } catch (org.apache.pulsar.client.admin.PulsarAdminException.NotAuthorizedException e) {
+ // Ok
+ }
+
 // now, grant subscription-access to subscriptionRole as well
 superAdmin.namespaces().grantPermissionOnSubscription(namespace, subscriptionName, Sets.newHashSet(otherPrincipal, subscriptionRole));
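Review bot: The added block asserts only that position-based reset is denied; nothing visible in this hunk checks that the same call succeeds once `grantPermissionOnSubscription` has run, so a change that over-restricts `RESET_CURSOR` would still pass. Consider adding, after the grant, `sub1Admin.topics().resetCursor(topicName, subscriptionName, MessageId.earliest);` outside a try/catch (assuming `sub1Admin` authenticates as one of the granted roles; its setup is outside the hunk). The timestamp-based reset fixed in `PersistentTopicsBase` needs an equivalent denial check if the lines above this hunk do not already provide one. The test method starts and ends outside the hunk.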
