majialoong opened a new issue, #9784:
URL: https://github.com/apache/rocketmq/issues/9784

   ### Before Creating the Bug Report
   
   - [x] I found a bug, not just asking a question, which should be created in [GitHub Discussions](https://github.com/apache/rocketmq/discussions).
   
   - [x] I have searched the [GitHub Issues](https://github.com/apache/rocketmq/issues) and [GitHub Discussions](https://github.com/apache/rocketmq/discussions) of this repository and believe that this is not a duplicate.
   
   - [x] I have confirmed that this bug belongs to the current repository, not other repositories of RocketMQ.
   
   
   ### Runtime platform environment
   
   All platforms
   
   ### RocketMQ version
   
   develop and 5.3.3 (the branch using ACL 2.0)
   
   ### JDK Version
   
   All
   
   ### Describe the Bug
   
   In the `AclAuthorizationHandler#comparePolicyEntries` method, if the 
priority of the policy cannot be distinguished by resource type or matching 
mode, the priority of deny should be higher than that of allow.
   
   However, in the current code, if o1's policy is DENY and o2's policy is 
ALLOW, the method returns `1`. This causes o1 to be sorted after o2, resulting 
in incorrect logic that ALLOW takes precedence over DENY.
   
   
   ### Steps to Reproduce
   
   At this stage, since multiple decisions cannot be configured for the same 
resource, this problem does not occur in practice. We can use test code to 
verify this problem.
   
   `AclAuthorizationHandler#comparePolicyEntries` needs to be made public for the test.
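   ```
   import java.util.ArrayList;
   import java.util.Arrays;
   import java.util.List;
   // Also import the RocketMQ auth classes used below (AclAuthorizationHandler, AuthConfig, Resource, ...).
   
   public class ComparePolicyEntriesCheck { // class name is arbitrary
       public static void main(String[] args) {
           AclAuthorizationHandler handler = new AclAuthorizationHandler(new AuthConfig());
   
           // Two entries for the same resource and action that differ only in their decision
           Resource resource = Resource.of(ResourceType.TOPIC, null, ResourcePattern.LITERAL);
           PolicyEntry allow = PolicyEntry.of(resource, Arrays.asList(Action.PUB), null, Decision.ALLOW);
           PolicyEntry deny = PolicyEntry.of(resource, Arrays.asList(Action.PUB), null, Decision.DENY);
   
           List<PolicyEntry> policyEntries = new ArrayList<>(Arrays.asList(deny, allow));
           policyEntries.sort(handler::comparePolicyEntries);
           // The entry sorted first is the one with the highest priority
           PolicyEntry policyEntry = policyEntries.get(0);
           System.out.println(policyEntry.getDecision());
       }
   }
   ```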
   
   
   ### What Did You Expect to See?
   
   Use correct policy judgment logic to give DENY a higher priority than ALLOW.
   
   ### What Did You See Instead?
   
   If o1 is DENY and o2 is ALLOW, then ALLOW takes precedence over DENY.
   
   ### Additional Context
   
   _No response_
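
The tie-break described in this issue, as an added standalone example that is not part of the original issue or of RocketMQ's code. `Entry`, `specificity` and the three comparators are stand-in names, and the mirrored `-1` result of the reported comparator is an assumption.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

// Added illustration with stand-in types; these are not RocketMQ's classes.
public class DenyPrecedenceDemo {
    enum Decision { ALLOW, DENY }

    static final class Entry {
        final int specificity;   // stand-in for the resource type / matching mode ranking
        final Decision decision;
        Entry(int s, Decision d) { specificity = s; decision = d; }
    }

    // Primary key: the more specific entry sorts first (assumed ranking).
    static final Comparator<Entry> BY_SPECIFICITY =
        Comparator.comparingInt((Entry e) -> e.specificity).reversed();

    // Tie-break as reported: o1=DENY, o2=ALLOW returns 1, so DENY sorts last.
    // The mirrored -1 is an assumption that keeps the comparator consistent.
    static final Comparator<Entry> REPORTED = BY_SPECIFICITY.thenComparing(
        (o1, o2) -> o1.decision == o2.decision ? 0 : (o1.decision == Decision.DENY ? 1 : -1));

    // Deny-first tie-break: a negative result places o1 (DENY) ahead of o2.
    static final Comparator<Entry> DENY_FIRST = BY_SPECIFICITY.thenComparing(
        (o1, o2) -> o1.decision == o2.decision ? 0 : (o1.decision == Decision.DENY ? -1 : 1));

    // The entry sorted to index 0 decides the request.
    static Decision effective(Comparator<Entry> cmp, Entry... entries) {
        List<Entry> sorted = new ArrayList<>(Arrays.asList(entries));
        sorted.sort(cmp);
        return sorted.get(0).decision;
    }

    public static void main(String[] args) {
        Entry allow = new Entry(1, Decision.ALLOW);
        Entry deny = new Entry(1, Decision.DENY);
        Entry broadDeny = new Entry(0, Decision.DENY);
        // Equal specificity: what each tie-break selects, in both input orders.
        System.out.println("reported:   " + effective(REPORTED, deny, allow)
            + " / " + effective(REPORTED, allow, deny));
        System.out.println("deny-first: " + effective(DENY_FIRST, deny, allow)
            + " / " + effective(DENY_FIRST, allow, deny));
        // The tie-break only applies on ties: a more specific ALLOW still sorts first.
        System.out.println("specific allow vs broad deny: " + effective(DENY_FIRST, broadDeny, allow));
    }
}
```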

