This is an automated email from the ASF dual-hosted git repository.
aahmed pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/master by this push:
new e671932 Add missing permission checck, fail update on non-existent
ResourceGroup (#11957)
e671932 is described below
commit e671932e8d2416869a0c43b8a4f2ba3700cfc422
Author: ravi-vaidyanathan <[email protected]>
AuthorDate: Mon Sep 13 17:52:53 2021 -0700
Add missing permission checck, fail update on non-existent ResourceGroup
(#11957)
Add unit tests
---
.../broker/admin/impl/ResourceGroupsBase.java | 2 +
.../pulsar/broker/admin/AdminApiTlsAuthTest.java | 67 ++++++++++++++++++++++
.../client/admin/internal/ResourceGroupsImpl.java | 4 +-
3 files changed, 72 insertions(+), 1 deletion(-)
diff --git
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/ResourceGroupsBase.java
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/ResourceGroupsBase.java
index 351f521..4e676a4 100644
---
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/ResourceGroupsBase.java
+++
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/ResourceGroupsBase.java
@@ -50,6 +50,7 @@ public abstract class ResourceGroupsBase extends
AdminResource {
protected ResourceGroup internalGetResourceGroup(String rgName) {
try {
final String resourceGroupPath =
AdminResource.path(RESOURCEGROUPS, rgName);
+ validateSuperUserAccess();
ResourceGroup resourceGroup =
resourceGroupResources().get(resourceGroupPath)
.orElseThrow(() -> new
RestException(Response.Status.NOT_FOUND, "ResourceGroup does not exist"));
return resourceGroup;
@@ -161,6 +162,7 @@ public abstract class ResourceGroupsBase extends
AdminResource {
* need to walk the namespaces and make sure it is not in use
*/
try {
+ validateSuperUserAccess();
/*
* walk the namespaces and make sure it is not in use.
*/
diff --git
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/AdminApiTlsAuthTest.java
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/AdminApiTlsAuthTest.java
index fb39aae..c33676b 100644
---
a/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/AdminApiTlsAuthTest.java
+++
b/pulsar-broker/src/test/java/org/apache/pulsar/broker/admin/AdminApiTlsAuthTest.java
@@ -49,6 +49,7 @@ import org.apache.pulsar.client.api.Producer;
import org.apache.pulsar.client.api.PulsarClient;
import org.apache.pulsar.client.api.Schema;
import org.apache.pulsar.common.policies.data.ClusterData;
+import org.apache.pulsar.common.policies.data.ResourceGroup;
import org.apache.pulsar.common.tls.NoopHostnameVerifier;
import org.apache.pulsar.common.policies.data.AuthAction;
import org.apache.pulsar.common.policies.data.ClusterDataImpl;
@@ -175,6 +176,72 @@ public class AdminApiTlsAuthTest extends
MockedPulsarServiceBaseTest {
}
@Test
+ public void testSuperUserCanGetResourceGroups() throws Exception {
+ try (PulsarAdmin admin = buildAdminClient("admin")) {
+ admin.resourcegroups().createResourceGroup("test-resource-group",
+ new ResourceGroup());
+ admin.resourcegroups().getResourceGroup("test-resource-group");
+ Assert.assertEquals(ImmutableSet.of("test-resource-group"),
+ admin.resourcegroups().getResourceGroups());
+ admin.resourcegroups().getResourceGroup("test-resource-group");
+ }
+ }
+
+ @Test
+ public void testSuperUserCanDeleteResourceGroups() throws Exception {
+ try (PulsarAdmin admin = buildAdminClient("admin")) {
+ admin.resourcegroups().createResourceGroup("test-resource-group",
+ new ResourceGroup());
+ admin.resourcegroups().deleteResourceGroup("test-resource-group");
+ }
+ }
+
+ @Test
+ public void testProxyRoleCantDeleteResourceGroups() throws Exception {
+ try (PulsarAdmin admin = buildAdminClient("admin")) {
+ admin.resourcegroups().createResourceGroup("test-resource-group",
+ new ResourceGroup());
+ }
+ try (PulsarAdmin admin = buildAdminClient("proxy")) {
+ admin.resourcegroups().deleteResourceGroup("test-resource-group");
+ Assert.fail("Shouldn't be able to delete ResourceGroup");
+ } catch (PulsarAdminException.NotAuthorizedException e) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testProxyRoleCantCreateResourceGroups() throws Exception {
+ try (PulsarAdmin admin = buildAdminClient("proxy")) {
+ admin.resourcegroups().createResourceGroup("test-resource-group",
+ new ResourceGroup());
+ Assert.fail("Shouldn't be able to create ResourceGroup");
+ } catch (PulsarAdminException.NotAuthorizedException e) {
+ // expected
+ }
+ }
+
+ @Test
+ public void testProxyRoleCantGetResourceGroups() throws Exception {
+ try (PulsarAdmin admin = buildAdminClient("admin")) {
+ admin.resourcegroups().createResourceGroup("test-resource-group",
+ new ResourceGroup());
+ }
+ try (PulsarAdmin admin = buildAdminClient("proxy")) {
+ admin.resourcegroups().getResourceGroups();
+ Assert.fail("Shouldn't be able to list ResourceGroups");
+ } catch (PulsarAdminException.NotAuthorizedException e) {
+ // expected
+ }
+ try (PulsarAdmin admin = buildAdminClient("proxy")) {
+ admin.resourcegroups().getResourceGroup("test-resource-group");
+ Assert.fail("Shouldn't be able to get ResourceGroup");
+ } catch (PulsarAdminException.NotAuthorizedException e) {
+ // expected
+ }
+ }
+
+ @Test
public void testProxyRoleCantListNamespacesEvenWithAccess() throws
Exception {
try (PulsarAdmin admin = buildAdminClient("admin")) {
admin.tenants().createTenant("tenant1",
diff --git
a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/ResourceGroupsImpl.java
b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/ResourceGroupsImpl.java
index b099087..ecc424d 100644
---
a/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/ResourceGroupsImpl.java
+++
b/pulsar-client-admin/src/main/java/org/apache/pulsar/client/admin/internal/ResourceGroupsImpl.java
@@ -31,6 +31,7 @@ import org.apache.pulsar.client.admin.PulsarAdminException;
import org.apache.pulsar.client.admin.ResourceGroups;
import org.apache.pulsar.client.api.Authentication;
import org.apache.pulsar.common.policies.data.ResourceGroup;
+import org.apache.pulsar.common.util.RestException;
public class ResourceGroupsImpl extends BaseResource implements ResourceGroups
{
@@ -130,8 +131,9 @@ public class ResourceGroupsImpl extends BaseResource
implements ResourceGroups {
@Override
public void updateResourceGroup(String name, ResourceGroup resourcegroup)
throws PulsarAdminException {
try {
+ getResourceGroup(name);
updateResourceGroupAsync(name,
resourcegroup).get(this.readTimeoutMs, TimeUnit.MILLISECONDS);
- } catch (ExecutionException e) {
+ } catch (ExecutionException | RestException e) {
throw (PulsarAdminException) e.getCause();
} catch (InterruptedException e) {
Thread.currentThread().interrupt();