vaibhavk1992 opened a new pull request, #3299:
URL: https://github.com/apache/fluss/pull/3299
## Summary
Implements authorization checks for internal replication control RPC
operations as part of issue #3249.
These are server-to-server RPCs used by the CoordinatorServer to manage
replication state across TabletServers. Currently, these critical operations
have no authorization checks, allowing any client to potentially call internal
cluster management APIs.
## Changes
### Authorization Added to 4 Internal RPCs:
| Method | Location | Authorization | Resource |
|--------|----------|--------------|----------|
| **`notifyLeaderAndIsr`** | TabletService | CLUSTER/WRITE | cluster() |
| **`updateMetadata`** | TabletService | CLUSTER/WRITE | cluster() |
| **`stopReplica`** | TabletService | CLUSTER/WRITE | cluster() |
| **`adjustIsr`** | CoordinatorService | CLUSTER/WRITE | cluster() |
### Implementation Pattern:
```java
// Same gate applied at the top of each of the four RPC handlers
if (authorizer != null) {
    authorizer.authorize(currentSession(), WRITE, Resource.cluster());
}
```
### Files Modified:
1. **`TabletService.java`**
   - Added authorization to: `notifyLeaderAndIsr`, `updateMetadata`, `stopReplica`
2. **`CoordinatorService.java`**
   - Added static import for `OperationType.WRITE`
   - Added authorization to: `adjustIsr`
3. **`FlussAuthorizationITCase.java`**
   - Added test method: `testInternalReplicationControlAuthorization`
   - Added imports for: `NotifyLeaderAndIsrRequest`, `UpdateMetadataRequest`, `StopReplicaRequest`, `AdjustIsrRequest`
## Key Design Decisions
1. **CLUSTER/WRITE Permission**: These operations modify cluster replication
state, consistent with other cluster control operations like `rebalance()` and
`cancelRebalance()`
2. **Internal Session Bypass**: The `AbstractAuthorizer.isAuthorized()`
method automatically allows `session.isInternal()` requests, so internal
server-to-server calls continue working seamlessly
3. **No Explicit isInternal() Check**: No need to add explicit checks - the
authorization framework handles it automatically
4. **External Client Protection**: External clients attempting to call these
internal RPCs will now receive `AuthorizationException`
## Test Coverage
The new test `testInternalReplicationControlAuthorization()` verifies:
✅ **External clients blocked**: All 4 methods throw `AuthorizationException`
when called by external clients without CLUSTER/WRITE permission
✅ **Internal sessions bypass**: Internal server-to-server calls do NOT throw
`AuthorizationException` (they may fail for other reasons like invalid data,
but not authorization)
✅ **Proper error messages**: Authorization failures include the correct
principal, operation type (WRITE), and resource (CLUSTER)
## Security Impact
**Before**: External clients could call internal replication control RPCs ❌
**After**: Only internal servers or authorized clients with CLUSTER/WRITE
permission can call these RPCs ✅
## Backward Compatibility
- ✅ Existing clusters with authorization disabled continue working unchanged
- ✅ Internal server-to-server replication continues working (bypasses
authorization)
- ✅ Minimal code changes - only adding authorization checks, no logic changes
## Related Issue
Closes #3249
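To make the design decisions above concrete, here is an added, self-contained Java 16+ model of the gate (editor's example, not Fluss code): the `ClusterAuthorizer`, `Session`, `Resource` and `OperationType` types are hypothetical stand-ins, and the ACL table is constructed inline. It shows the internal-session bypass, a denied external principal with the principal/operation/resource in the error, and a granted principal passing the same check.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-in types (not Fluss's own classes), kept minimal to show the gate.
enum OperationType { READ, WRITE }
record Resource(String type) { static Resource cluster() { return new Resource("CLUSTER"); } }
record Session(String principal, boolean isInternal) {}
class AuthorizationException extends RuntimeException { AuthorizationException(String m) { super(m); } }

class ClusterAuthorizer {
    // Constructed ACL table: principal -> resource type -> granted operations.
    private final Map<String, Map<String, Set<OperationType>>> acls = new HashMap<>();

    void grant(String principal, Resource resource, OperationType op) {
        acls.computeIfAbsent(principal, p -> new HashMap<>())
            .computeIfAbsent(resource.type(), r -> EnumSet.noneOf(OperationType.class))
            .add(op);
    }

    // Internal server-to-server sessions bypass the ACL lookup; everyone else needs a grant.
    boolean isAuthorized(Session session, OperationType op, Resource resource) {
        if (session.isInternal()) return true;
        return acls.getOrDefault(session.principal(), Map.of())
                   .getOrDefault(resource.type(), Set.of()).contains(op);
    }

    // Failure message carries principal, operation and resource, as the PR's test expects.
    void authorize(Session session, OperationType op, Resource resource) {
        if (!isAuthorized(session, op, resource)) {
            throw new AuthorizationException("Principal " + session.principal()
                + " is not authorized to " + op + " on " + resource.type());
        }
    }
}

public class ReplicationControlAuthzDemo {
    static final ClusterAuthorizer authorizer = new ClusterAuthorizer();

    // The RPC handler checks CLUSTER/WRITE before touching any replication state.
    static String notifyLeaderAndIsr(Session session) {
        authorizer.authorize(session, OperationType.WRITE, Resource.cluster());
        return "leader/ISR updated"; // a real handler would update replica state here
    }

    public static void main(String[] args) {
        System.out.println(notifyLeaderAndIsr(new Session("coordinator", true))); // internal: bypass
        authorizer.grant("admin", Resource.cluster(), OperationType.WRITE);
        System.out.println(notifyLeaderAndIsr(new Session("admin", false)));       // explicit grant
        try { notifyLeaderAndIsr(new Session("client", false)); }                  // external, no grant
        catch (AuthorizationException e) { System.out.println("denied: " + e.getMessage()); }
    }
}
```

Note that the bypass makes the security of these RPCs rest entirely on how `isInternal()` is established for a session; a client that can obtain an internal session is not gated by the ACL at all.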
--
This is an automated message from the Apache Git Service.