This is an automated email from the ASF dual-hosted git repository. mmerli pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.git
The following commit(s) were added to refs/heads/master by this push: new 27117f2 Fix for memory leak in Proxy roles enforcement (#1192) 27117f2 is described below commit 27117f23034c41142321af42f36dc31e8a15df9e Author: Jai Asher <j...@ccs.neu.edu> AuthorDate: Tue Feb 6 17:55:15 2018 -0800 Fix for memory leak in Proxy roles enforcement (#1192) * Fix for Bufferleaks in ServerCnx.java due to ProxyRolesEnforcement * Added soome comments * Changed newLookupResponse to correct newPartitionMetadataResponse --- .../apache/pulsar/broker/service/ServerCnx.java | 63 +++++++++++----------- 1 file changed, 32 insertions(+), 31 deletions(-) diff --git a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java index 0f0cd6d..efa3ed9 100644 --- a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java +++ b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java @@ -187,17 +187,15 @@ public class ServerCnx extends PulsarHandler { ctx.close(); } - private boolean validateOriginalPrincipal(String originalPrincipal, ByteBuf errorResponse, String topicName, - String msg) { - if (service.isAuthenticationEnabled() && service.isAuthorizationEnabled() && proxyRoles.contains(authRole) - && (StringUtils.isBlank(originalPrincipal) || proxyRoles.contains(originalPrincipal))) { - log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, - originalPrincipal, topicName); - ctx.writeAndFlush(errorResponse); - return false; - } - - return true; + /* + * If authentication and authorization is enabled and if the authRole is one of proxyRoles we want to enforce + * - the originalPrincipal is given while connecting + * - originalPrincipal is not blank + * - originalPrincipal is not a proxy principal + */ + private boolean invalidOriginalPrincipal(String originalPrincipal) { + return (service.isAuthenticationEnabled() && service.isAuthorizationEnabled() && proxyRoles.contains(authRole) + && (StringUtils.isBlank(originalPrincipal) || proxyRoles.contains(originalPrincipal))); } // //// @@ -221,10 +219,11 @@ public class ServerCnx extends PulsarHandler { if (lookupSemaphore.tryAcquire()) { final String originalPrincipal = lookup.hasOriginalPrincipal() ? lookup.getOriginalPrincipal() : this.originalPrincipal; - if (!validateOriginalPrincipal(originalPrincipal, - newLookupErrorResponse(ServerError.AuthorizationError, - "Valid Proxy Client role should be provided for lookup ", requestId), - topicName.toString(), "Valid Proxy Client role should be provided for lookup ")) { + if (invalidOriginalPrincipal(originalPrincipal)) { + final String msg = "Valid Proxy Client role should be provided for lookup "; + log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, + originalPrincipal, topicName); + ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId)); lookupSemaphore.release(); return; } @@ -293,11 +292,12 @@ public class ServerCnx extends PulsarHandler { if (lookupSemaphore.tryAcquire()) { final String originalPrincipal = partitionMetadata.hasOriginalPrincipal() ? partitionMetadata.getOriginalPrincipal() : this.originalPrincipal; - if (!validateOriginalPrincipal(originalPrincipal, - Commands.newPartitionMetadataResponse(ServerError.AuthorizationError, - "Valid Proxy Client role should be provided for getPartitionMetadataRequest ", requestId), - topicName.toString(), - "Valid Proxy Client role should be provided for getPartitionMetadataRequest ")) { + if (invalidOriginalPrincipal(originalPrincipal)) { + final String msg = "Valid Proxy Client role should be provided for getPartitionMetadataRequest "; + log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, + originalPrincipal, topicName); + ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError, + msg, requestId)); lookupSemaphore.release(); return; } @@ -346,7 +346,7 @@ public class ServerCnx extends PulsarHandler { }).exceptionally(ex -> { final String msg = "Exception occured while trying to authorize get Partition Metadata"; log.warn("[{}] {} with role {} on topic {}", remoteAddress, msg, authRole, topicName); - ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, requestId)); + ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError, msg, requestId)); lookupSemaphore.release(); return null; }); @@ -461,16 +461,16 @@ public class ServerCnx extends PulsarHandler { checkArgument(state == State.Connected); final long requestId = subscribe.getRequestId(); final long consumerId = subscribe.getConsumerId(); - DestinationName topicName = validateTopicName(subscribe.getTopic(), requestId, subscribe); if (topicName == null) { return; - } + } - if (!validateOriginalPrincipal(originalPrincipal, - Commands.newError(requestId, ServerError.AuthorizationError, - "Valid Proxy Client role should be provided while subscribing "), - topicName.toString(), "Valid Proxy Client role should be provided while subscribing ")) { + if (invalidOriginalPrincipal(originalPrincipal)) { + final String msg = "Valid Proxy Client role should be provided while subscribing "; + log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, + originalPrincipal, topicName); + ctx.writeAndFlush(Commands.newError(requestId, ServerError.AuthorizationError, msg)); return; } @@ -636,10 +636,11 @@ public class ServerCnx extends PulsarHandler { return; } - if (!validateOriginalPrincipal(originalPrincipal, - Commands.newError(requestId, ServerError.AuthorizationError, - "Valid Proxy Client role should be provided while creating producer "), - topicName.toString(), "Valid Proxy Client role should be provided while creating producer ")) { + if (invalidOriginalPrincipal(originalPrincipal)) { + final String msg = "Valid Proxy Client role should be provided while creating producer "; + log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic {}", remoteAddress, msg, authRole, + originalPrincipal, topicName); + ctx.writeAndFlush(Commands.newError(requestId, ServerError.AuthorizationError, msg)); return; } -- To stop receiving notification emails like this one, please contact mme...@apache.org.