[PR] [server] Add authorization to Snapshot Management RPCs [fluss]

Mon, 11 May 2026 03:52:32 -0700 


vaibhavk1992 opened a new pull request, #3300:
URL: https://github.com/apache/fluss/pull/3300

   ## Summary
   - Adds CLUSTER/WRITE authorization checks for 4 snapshot management internal 
RPCs
   - Implements issue #3250 (part of umbrella issue #2007 - Phase 2: Internal 
RPCs)
   - Internal sessions automatically bypass authorization via 
session.isInternal()
   
   ## Changes
   
   ### Server Side
   **TabletService.java:**
   - `notifyKvSnapshotOffset` - Added CLUSTER/WRITE authorization check
   - `notifyLakeTableOffset` - Added CLUSTER/WRITE authorization check
   
   **CoordinatorService.java:**
   - `commitKvSnapshot` - Added CLUSTER/WRITE authorization check
   - `commitLakeTableSnapshot` - Added CLUSTER/WRITE authorization check
   
   ### Test Coverage
   **FlussAuthorizationITCase.java:**
   - Added `testSnapshotManagementAuthorization()` with comprehensive coverage:
     - Authorization denial tests (no permission) - verifies 
AuthorizationException for all 4 operations
     - Authorization success tests (with permission) - verifies operations 
succeed after CLUSTER/WRITE permission granted
     - Internal session bypass tests - verifies internal server calls 
automatically bypass authorization
   
   ## Technical Details
   These are internal server-to-server RPCs used for snapshot coordination 
between CoordinatorServer and TabletServers. The authorization prevents 
external clients from calling internal cluster management APIs while allowing 
legitimate internal operations via `session.isInternal()` bypass.
   
   All operations use CLUSTER/WRITE permission type because they modify 
cluster-wide snapshot state, consistent with other internal cluster management 
operations like rebalance and ISR adjustment.
   
   ## Test Plan
   - Compiled successfully: `mvn compile test-compile -pl 
fluss-server,fluss-client -am`
   - All authorization checks follow existing patterns from rebalance/ISR 
operations
   - Tests verify complete authorization lifecycle: denial → grant → success
   
   Closes #3250
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to