[incubator-pulsar] branch master updated: Fix for memory leak in Proxy roles enforcement (#1192)

Tue, 06 Feb 2018 17:55:54 -0800 

This is an automated email from the ASF dual-hosted git repository.

mmerli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new 27117f2  Fix for memory leak in Proxy roles enforcement (#1192)
27117f2 is described below

commit 27117f23034c41142321af42f36dc31e8a15df9e
Author: Jai Asher <j...@ccs.neu.edu>
AuthorDate: Tue Feb 6 17:55:15 2018 -0800

    Fix for memory leak in Proxy roles enforcement (#1192)
    
    * Fix for Bufferleaks in ServerCnx.java due to ProxyRolesEnforcement
    
    * Added soome comments
    
    * Changed newLookupResponse to correct newPartitionMetadataResponse
---
 .../apache/pulsar/broker/service/ServerCnx.java    | 63 +++++++++++-----------
 1 file changed, 32 insertions(+), 31 deletions(-)

diff --git 
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java 
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
index 0f0cd6d..efa3ed9 100644
--- 
a/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
+++ 
b/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/ServerCnx.java
@@ -187,17 +187,15 @@ public class ServerCnx extends PulsarHandler {
         ctx.close();
     }
 
-    private boolean validateOriginalPrincipal(String originalPrincipal, 
ByteBuf errorResponse, String topicName,
-            String msg) {
-        if (service.isAuthenticationEnabled() && 
service.isAuthorizationEnabled() && proxyRoles.contains(authRole)
-                && (StringUtils.isBlank(originalPrincipal) || 
proxyRoles.contains(originalPrincipal))) {
-            log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic 
{}", remoteAddress, msg, authRole,
-                    originalPrincipal, topicName);
-            ctx.writeAndFlush(errorResponse);
-            return false;
-        }
-
-        return true;
+    /*
+     * If authentication and authorization is enabled and if the authRole is 
one of proxyRoles we want to enforce 
+     * - the originalPrincipal is given while connecting 
+     * - originalPrincipal is not blank
+     * - originalPrincipal is not a proxy principal
+     */
+    private boolean invalidOriginalPrincipal(String originalPrincipal) {
+        return (service.isAuthenticationEnabled() && 
service.isAuthorizationEnabled() && proxyRoles.contains(authRole)
+                && (StringUtils.isBlank(originalPrincipal) || 
proxyRoles.contains(originalPrincipal)));
     }
 
     // ////
@@ -221,10 +219,11 @@ public class ServerCnx extends PulsarHandler {
         if (lookupSemaphore.tryAcquire()) {
             final String originalPrincipal = lookup.hasOriginalPrincipal() ? 
lookup.getOriginalPrincipal()
                     : this.originalPrincipal;
-            if (!validateOriginalPrincipal(originalPrincipal,
-                    newLookupErrorResponse(ServerError.AuthorizationError,
-                            "Valid Proxy Client role should be provided for 
lookup ", requestId),
-                    topicName.toString(), "Valid Proxy Client role should be 
provided for lookup ")) {
+            if (invalidOriginalPrincipal(originalPrincipal)) {
+                final String msg = "Valid Proxy Client role should be provided 
for lookup ";
+                log.warn("[{}] {} with role {} and proxyClientAuthRole {} on 
topic {}", remoteAddress, msg, authRole,
+                        originalPrincipal, topicName);
+                
ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, 
requestId));
                 lookupSemaphore.release();
                 return;
             }
@@ -293,11 +292,12 @@ public class ServerCnx extends PulsarHandler {
         if (lookupSemaphore.tryAcquire()) {
             final String originalPrincipal = 
partitionMetadata.hasOriginalPrincipal()
                     ? partitionMetadata.getOriginalPrincipal() : 
this.originalPrincipal;
-            if (!validateOriginalPrincipal(originalPrincipal,
-                    
Commands.newPartitionMetadataResponse(ServerError.AuthorizationError,
-                            "Valid Proxy Client role should be provided for 
getPartitionMetadataRequest ", requestId),
-                    topicName.toString(),
-                    "Valid Proxy Client role should be provided for 
getPartitionMetadataRequest ")) {
+            if (invalidOriginalPrincipal(originalPrincipal)) {
+                final String msg = "Valid Proxy Client role should be provided 
for getPartitionMetadataRequest ";
+                log.warn("[{}] {} with role {} and proxyClientAuthRole {} on 
topic {}", remoteAddress, msg, authRole,
+                        originalPrincipal, topicName);
+                
ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError,
+                        msg, requestId));
                 lookupSemaphore.release();
                 return;
             }
@@ -346,7 +346,7 @@ public class ServerCnx extends PulsarHandler {
             }).exceptionally(ex -> {
                 final String msg = "Exception occured while trying to 
authorize get Partition Metadata";
                 log.warn("[{}] {} with role {} on topic {}", remoteAddress, 
msg, authRole, topicName);
-                
ctx.writeAndFlush(newLookupErrorResponse(ServerError.AuthorizationError, msg, 
requestId));
+                
ctx.writeAndFlush(Commands.newPartitionMetadataResponse(ServerError.AuthorizationError,
 msg, requestId));
                 lookupSemaphore.release();
                 return null;
             });
@@ -461,16 +461,16 @@ public class ServerCnx extends PulsarHandler {
         checkArgument(state == State.Connected);
         final long requestId = subscribe.getRequestId();
         final long consumerId = subscribe.getConsumerId();
-
         DestinationName topicName = validateTopicName(subscribe.getTopic(), 
requestId, subscribe);
         if (topicName == null) {
             return;
-        }
+        }  
 
-        if (!validateOriginalPrincipal(originalPrincipal,
-                Commands.newError(requestId, ServerError.AuthorizationError,
-                        "Valid Proxy Client role should be provided while 
subscribing "),
-                topicName.toString(), "Valid Proxy Client role should be 
provided while subscribing ")) {
+        if (invalidOriginalPrincipal(originalPrincipal)) {
+            final String msg = "Valid Proxy Client role should be provided 
while subscribing ";
+            log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic 
{}", remoteAddress, msg, authRole,
+                    originalPrincipal, topicName);
+            ctx.writeAndFlush(Commands.newError(requestId, 
ServerError.AuthorizationError, msg));
             return;
         }
 
@@ -636,10 +636,11 @@ public class ServerCnx extends PulsarHandler {
             return;
         }
 
-        if (!validateOriginalPrincipal(originalPrincipal,
-                Commands.newError(requestId, ServerError.AuthorizationError,
-                        "Valid Proxy Client role should be provided while 
creating producer "),
-                topicName.toString(), "Valid Proxy Client role should be 
provided while creating producer ")) {
+        if (invalidOriginalPrincipal(originalPrincipal)) {
+            final String msg = "Valid Proxy Client role should be provided 
while creating producer ";
+            log.warn("[{}] {} with role {} and proxyClientAuthRole {} on topic 
{}", remoteAddress, msg, authRole,
+                    originalPrincipal, topicName);
+            ctx.writeAndFlush(Commands.newError(requestId, 
ServerError.AuthorizationError, msg));
             return;
         }
 

-- 
To stop receiving notification emails like this one, please contact
mme...@apache.org.

Reply via email to