[Authorization] Support GET_METADATA topic op after enable auth #12656
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
There was a problem hiding this comment.
@yuruguo Could you please help add a test? The change looks good to me.
eolivelli
approved these changes
Nov 7, 2021
There was a problem hiding this comment.
LGTM
@michaeljmarshall please take a look as you are working on this topic during these days
Okay :) |
michaeljmarshall
approved these changes
Nov 8, 2021
There was a problem hiding this comment.
LGTM. My one additional thought is that the added test is more complex than necessary, and that complexity will increase the time required to run this pretty simple test. I think there is a test Authentication Provider that would make it easier to test authorization without needing to explicitly test authentication, but I could be wrong.
yuruguo
changed the title
yuruguo
changed the title
codelipenghui
approved these changes
Nov 8, 2021
zeo1995
pushed a commit
to zeo1995/pulsar
that referenced
this pull request
Nov 9, 2021
* up/master: [Doc] Add explanations for setting geo-replication at topic level (apache#12633) commit chapter Tiered Storage (apache#12592) [pulsar-admin] Add remove-subscription-types-enabled command for namespace (apache#12392) Enable CLI to publish non-batched messages (apache#12641) [Doc] Add doc for tokenSettingPrefix (apache#12662) [pulsar-admin] Add corresponding get command for namespace (apache#12322) [pulsar-admin] Perfect judgment conditions of pulsar-admin (apache#12315) [broker] Avoid unnecessary recalculation of maxSubscriptionsPerTopic in AbstractTopic (apache#12658) [Transaction]Stop TB recovering with exception (apache#12636) [website][upgrade]feat: docs migration - 2.7.1 / client (apache#12612) [website][upgrade]feat: docs migration - 2.7.1 / performance (apache#12611) [website][upgrade]feat: docs migration - 2.7.1 / security (apache#12610) [Modernizer] Apply Modernizer plugin for pulsar broker common module and fix violation. (apache#12657) [Authorization] Support GET_METADATA topic op after enable auth (apache#12656) Fix StringIndexOutOfBoundsException in org.apache.pulsar.broker.resources.NamespaceResources#pathIsFromNamespace (apache#12659)
zeo1995
pushed a commit
to zeo1995/pulsar
that referenced
this pull request
Nov 9, 2021
* up/master: [Doc] Add explanations for setting geo-replication at topic level (apache#12633) commit chapter Tiered Storage (apache#12592) [pulsar-admin] Add remove-subscription-types-enabled command for namespace (apache#12392) Enable CLI to publish non-batched messages (apache#12641) [Doc] Add doc for tokenSettingPrefix (apache#12662) [pulsar-admin] Add corresponding get command for namespace (apache#12322) [pulsar-admin] Perfect judgment conditions of pulsar-admin (apache#12315) [broker] Avoid unnecessary recalculation of maxSubscriptionsPerTopic in AbstractTopic (apache#12658) [Transaction]Stop TB recovering with exception (apache#12636) [website][upgrade]feat: docs migration - 2.7.1 / client (apache#12612) [website][upgrade]feat: docs migration - 2.7.1 / performance (apache#12611) [website][upgrade]feat: docs migration - 2.7.1 / security (apache#12610) [Modernizer] Apply Modernizer plugin for pulsar broker common module and fix violation. (apache#12657) [Authorization] Support GET_METADATA topic op after enable auth (apache#12656) Fix StringIndexOutOfBoundsException in org.apache.pulsar.broker.resources.NamespaceResources#pathIsFromNamespace (apache#12659) # Conflicts: # site2/website-next/versioned_sidebars/version-2.7.2-sidebars.json
eolivelli
pushed a commit
that referenced
this pull request
Nov 9, 2021
### Motivation Currently, we can get the internal stats of a topic through `bin/pulsar-admin topics stats-internal tn1/ns1/tp1` and also get ledger metadata by specifying flag `--metadata`. However I found that `PulsarAuthorizationProvider` lacks support for topic operation `GET_METADATA` when verifying the role's authorization, code as below: https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java#L1162-L1164 https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L567-L596 The purpose of this PR is to support role with `lookup` topic authorization to `GET_METADATA` of ledger. (cherry picked from commit e476735)
1 task
codelipenghui
pushed a commit
that referenced
this pull request
Nov 18, 2021
### Motivation Currently, we can get the internal stats of a topic through `bin/pulsar-admin topics stats-internal tn1/ns1/tp1` and also get ledger metadata by specifying flag `--metadata`. However I found that `PulsarAuthorizationProvider` lacks support for topic operation `GET_METADATA` when verifying the role's authorization, code as below: https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java#L1162-L1164 https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L567-L596 The purpose of this PR is to support role with `lookup` topic authorization to `GET_METADATA` of ledger. (cherry picked from commit e476735)
codelipenghui
added
cherry-picked/branch-2.8
eolivelli
pushed a commit
to eolivelli/pulsar
that referenced
this pull request
Nov 29, 2021
…he#12656) ### Motivation Currently, we can get the internal stats of a topic through `bin/pulsar-admin topics stats-internal tn1/ns1/tp1` and also get ledger metadata by specifying flag `--metadata`. However I found that `PulsarAuthorizationProvider` lacks support for topic operation `GET_METADATA` when verifying the role's authorization, code as below: https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java#L1162-L1164 https://github.com/apache/pulsar/blob/08a49c06bff4a52d26319a114961aed6cb6c4791/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java#L567-L596 The purpose of this PR is to support role with `lookup` topic authorization to `GET_METADATA` of ledger.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation
Currently, we can get the internal stats of a topic through
bin/pulsar-admin topics stats-internal tn1/ns1/tp1and also get ledger metadata by specifying flag--metadata.However I found that
PulsarAuthorizationProviderlacks support for topic operationGET_METADATAwhen verifying the role's authorization, code as below:pulsar/pulsar-broker/src/main/java/org/apache/pulsar/broker/admin/impl/PersistentTopicsBase.java
Lines 1162 to 1164 in 08a49c0
pulsar/pulsar-broker-common/src/main/java/org/apache/pulsar/broker/authorization/PulsarAuthorizationProvider.java
Lines 567 to 596 in 08a49c0
The purpose of this PR is to support role with
lookuptopic authorization toGET_METADATAof ledger.Documentation
no-need-doc