thomasechen edited a comment on pull request #13771:
URL: https://github.com/apache/pulsar/pull/13771#issuecomment-1020908067


   @liudezhi2098
   
    I have done the testing of producing a message through the REST client. 
The HTTP client could produce the message successfully if I granted the 
authorization at the namespace or topic level. However, if I use the token 
which belongs to the tenant admin and there are no permission settings at 
the namespace or topic level, the system refuses to let the HTTP client 
produce the message to the topic and shows the message below.  
   
   **"Unauthorized to produce to topic persistent://tls/demo4/test with 
clientAppId [tls] and authdata 
org.apache.pulsar.broker.authentication.AuthenticationDataHttps@318c6550"}**
   
   Actually, if we use the client library (Java, Node), we can produce the 
message to the topic using the tenant admin token (the tenant admin role was 
set) without granting additional permissions to the namespace or topics.    
   
   **Reproduce :** 
   
   1.  I have a tenant called tls whose admin role is also called "tls"
   
![image](https://user-images.githubusercontent.com/73772546/150929078-69278bdc-7e7d-40d4-a622-6e598286381b.png)
   
   2.  There is no permission settings related to the namespace tls/demo4
   
![image](https://user-images.githubusercontent.com/73772546/150930367-a0764146-d76e-4097-b3b9-1cba35a6d1bd.png)
   
   3.  We use the token of the role "tls" to produce a message, and it succeeds
   
![image](https://user-images.githubusercontent.com/73772546/150930912-3f1010c5-9618-4017-91c8-507fbb600256.png)
   
![image](https://user-images.githubusercontent.com/73772546/150931083-f582030d-b0e8-48c1-8de7-1450c1603fea.png)
   
   4. We use "POSTMAN" to produce a message to the same topic
       4.1 Authorization Settings: The token is the role "tls"
      
![image](https://user-images.githubusercontent.com/73772546/150935898-58219809-781a-4e96-a7f7-fdfe4bd4f64e.png)
       
       4.2 Message Body Detail
    
![image](https://user-images.githubusercontent.com/73772546/150934780-394f1e66-885c-44d8-815b-39dff1cd2778.png)
   
   
   5. The system gives me the unauthorized message
   
![image](https://user-images.githubusercontent.com/73772546/150934562-778b4ef3-3163-41f0-a2f5-bceb56dfb006.png)
     
   6. After we grant the permission allowing producing messages to the namespace 
tls/demo4, we can successfully produce the message
      6.1  Grant the permission to the role tls
     
![image](https://user-images.githubusercontent.com/73772546/150935115-5f7643ee-3cfe-42c2-afd1-925bd1f509a4.png)
     
      6.2  Produce the message successfully
   
![image](https://user-images.githubusercontent.com/73772546/150935739-ddb14549-df0e-4d19-bbfb-c210e95e5713.png)
   
     **Conclusion:**
     The REST authorization mechanism should be the same as for the other clients (Java, 
Node.js, ...). We should be able to produce the message to the topic with the 
tenant admin token without any settings at the namespace or topic level.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
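The check a reviewer would want for a report like the one above is an authorization-parity test: every entry point that accepts a produce request (the binary protocol used by the Java/Node clients, and the REST endpoint) must reach the same decision for the same role and topic. The block below is an added example and not Pulsar's code or the commenter's code. It models the decision rule as the comment describes it (superuser or tenant admin or an explicit produce grant on the namespace or topic) next to a "grants only" evaluator that reproduces the REST behaviour reported in the comment, then runs the comment's own setup (tenant `tls`, admin role `tls`, no grants on `tls/demo4`) through both and reports mismatches; after the step 6.1 grant the mismatch disappears. All class, function and variable names are illustrative, and the rule is a constructed model, not a transcription of Pulsar's `AuthorizationProvider`.

```python
"""Authorization-parity check for the produce decision (constructed model, not Pulsar code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

PRODUCE = "produce"


@dataclass(frozen=True)
class Topic:
    tenant: str
    namespace: str
    name: str

    @classmethod
    def parse(cls, full: str) -> Topic:
        """'persistent://tls/demo4/test' -> Topic('tls', 'demo4', 'test')."""
        scheme, _, rest = full.partition("://")
        if scheme not in ("persistent", "non-persistent") or not rest:
            raise ValueError(f"not a topic name: {full!r}")
        parts = rest.split("/", 2)
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"not a topic name: {full!r}")
        return cls(*parts)

    @property
    def namespace_key(self) -> str:
        return f"{self.tenant}/{self.namespace}"


@dataclass
class AuthzState:
    """Hypothetical policy store: who is superuser, who administers a tenant, and explicit grants."""
    superusers: set[str] = field(default_factory=set)
    tenant_admins: dict[str, set[str]] = field(default_factory=dict)          # tenant -> admin roles
    ns_grants: dict[str, dict[str, set[str]]] = field(default_factory=dict)   # "tenant/ns" -> role -> actions
    topic_grants: dict[Topic, dict[str, set[str]]] = field(default_factory=dict)  # topic -> role -> actions

    def grant_namespace(self, namespace: str, role: str, *actions: str) -> None:
        self.ns_grants.setdefault(namespace, {}).setdefault(role, set()).update(actions)

    def grant_topic(self, topic: Topic, role: str, *actions: str) -> None:
        self.topic_grants.setdefault(topic, {}).setdefault(role, set()).update(actions)


def has_explicit_grant(state: AuthzState, role: str, topic: Topic, action: str) -> bool:
    """True if the role was granted `action` on the topic's namespace or on the topic itself."""
    ns_roles = state.ns_grants.get(topic.namespace_key, {})
    topic_roles = state.topic_grants.get(topic, {})
    return action in ns_roles.get(role, ()) or action in topic_roles.get(role, ())


def native_can_produce(state: AuthzState, role: str, topic: Topic) -> bool:
    """Decision as the comment describes the Java/Node client path: superuser, tenant admin, or explicit grant."""
    if role in state.superusers or role in state.tenant_admins.get(topic.tenant, set()):
        return True
    return has_explicit_grant(state, role, topic, PRODUCE)


def rest_can_produce_as_reported(state: AuthzState, role: str, topic: Topic) -> bool:
    """Decision as the comment describes the REST produce path: explicit grants only, tenant admin ignored."""
    return has_explicit_grant(state, role, topic, PRODUCE)


Evaluator = Callable[[AuthzState, str, Topic], bool]
ENTRY_POINTS: dict[str, Evaluator] = {"native": native_can_produce, "rest": rest_can_produce_as_reported}


def parity_mismatches(state: AuthzState, cases, entry_points: dict[str, Evaluator] = ENTRY_POINTS):
    """Run each (role, topic) through every entry point; return the cases whose decisions differ."""
    mismatches = []
    for role, topic_name in cases:
        topic = Topic.parse(topic_name)
        decisions = {name: fn(state, role, topic) for name, fn in entry_points.items()}
        if len(set(decisions.values())) > 1:
            mismatches.append((role, topic_name, decisions))
    return mismatches


def state_from_comment() -> AuthzState:
    """Steps 1-2 of the comment: tenant 'tls' whose admin role is 'tls'; no grants on tls/demo4."""
    return AuthzState(tenant_admins={"tls": {"tls"}})


# Constructed cases: the tenant-admin role from the comment, plus an unrelated role that must be denied everywhere.
CASES = [("tls", "persistent://tls/demo4/test"), ("other", "persistent://tls/demo4/test")]

if __name__ == "__main__":
    state = state_from_comment()
    print("before grant:", parity_mismatches(state, CASES))   # tenant admin: native allows, rest denies
    state.grant_namespace("tls/demo4", "tls", PRODUCE)        # step 6.1 of the comment
    print("after grant: ", parity_mismatches(state, CASES))   # no mismatch left
```

The same harness, with the evaluators replaced by calls against a real broker (one produce over the binary protocol, one over the REST endpoint, same token), is what turns the manual Postman reproduction into a regression test that keeps the two paths from drifting apart again.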

