[PIP-167][Authorization] Make it Configurable to Require Subscription Permission

[michaeljmarshall]

Fixes: #15597

Motivation

See PIP-167 for more detail. At a high level, this PR seeks to make it possible to configure whether subscription level permission is required to consume from a subscription in a namespace where a subscription does not have any permission defined.

Modifications

• Update the PulsarAuthorizationProvider#canConsume logic so that when subscription permission is required, it will reject all roles that do not explicitly have permission to consume from a subscription in the subscription permission map for the namespace.
• Update the AuthPolicies and the AuthPoliciesImpl classes to store a new boolean field named subscription_auth_required.
• Add new endpoints for getting permission, granting permission, and revoking permission to the Admin API server for both v1 and v2 APIs.
• Similarly, update the Admin Java Client and the Admin CLI tool to use call those new API endpoints.

Verifying this change

Once the design is solidified, I will add tests to the pulsar-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java class.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): no
• The public API: yes
• The schema: no
• The default values of configurations: no
• The wire protocol: no
• The rest endpoints: yes
• The admin cli options: yes
• Anything that affects deployment: no

This change adds a new feature discussed in the associated PIP.

Documentation

• doc-required
  I will add docs as a part of this work, but I haven't yet because the design isn't solidified.

[eolivelli]

adding a field with default value "true" is problematic, thinking to the upgrade path.
This is because on storage (ZK) all the old Policies do not have this field, but we are considering it "true" if it is not present.
This may make us fall into some subtle problems with clusters upgraded to the latest version.

I suggest to go down these ways:

1. use Boolean (nullable boolean) and deal explicitly with the case "unknown"
2. negate the flag, this way the default will be "false" and this value will also be applied in case of null/non existing field (so old cluster upgraded, or updates happening during rolling upgrades of the cluster

I prefer 2) as it is easier to deal with both code changes and also with the migration

[lhotari]

Good points Enrico. Yes this should be addressed.

[michaeljmarshall]

Thank you for the review, @eolivelli. My preference is also 2. I'll replace implicit with explicit for the whole PR/PIP.

[michaeljmarshall]

@eolivelli - on second thought, are you suggesting that I need to update the variable names or just that the stored metadata needs to default to false? The semantics of "granting permission" on the API will be different if we change the endpoint names to align with a default value where "false" means additional permission is granted roles. For example, an alternate name for the /implicitPermissionOnSubscription endpoint is /permissionOnSubscriptionRequired. In that case, granting permission would use a PUT/POST to set the value to false, which seems counter intuitive.

[eolivelli]

The main point is that the default value must be 'false' or null because this is what is on existing data.

[michaeljmarshall]

That makes sense. I think the likely alternative name is permissionOnSubscriptionRequired. If someone has a better name, though, I'll use that.

[michaeljmarshall]

@eolivelli - I updating the naming by using permissionOnSubscriptionRequired. Please let me know what you think about the name.

[eolivelli]

works for me

[lhotari]

Does this have to be added to the v1 API at all?

[michaeljmarshall]

Good question, I'm not sure. I don't know how we're approaching new features like this. I'm open to removing it, if that's the consensus.

[lhotari]

Good points Enrico. Yes this should be addressed.

[eolivelli]

+1
(there are some TODOs, but I don't think we can address them with this work, maybe you can remove the TODO, or at least like a GH issue near the TODO)

[github-actions]

The pr had no activity for 30 days, mark with Stale label.

[tisonkun]

@michaeljmarshall do you continue this work?

cc @nodece

[nodece]

Makes sense.

[codecov-commenter]

Codecov Report

Merging #15576 (c6a4b3a) into master (1b5722d) will increase coverage by 1.47%.
The diff coverage is 0.00%.

@@             Coverage Diff              @@
##             master   #15576      +/-   ##
============================================
+ Coverage     46.34%   47.82%   +1.47%     
- Complexity    10394    11213     +819     
============================================
  Files           703      763      +60     
  Lines         68838    73640    +4802     
  Branches       7379     7915     +536     
============================================
+ Hits          31905    35217    +3312     
- Misses        33324    34557    +1233     
- Partials       3609     3866     +257     

Flag	Coverage Δ
unittests	47.82% <0.00%> (+1.47%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
...pache/pulsar/broker/admin/impl/NamespacesBase.java	62.85% <0.00%> (-0.24%)	⬇️
.../org/apache/pulsar/broker/admin/v1/Namespaces.java	48.47% <0.00%> (-0.48%)	⬇️
.../org/apache/pulsar/broker/admin/v2/Namespaces.java	57.80% <0.00%> (+0.45%)	⬆️
...rg/apache/pulsar/broker/lookup/v1/TopicLookup.java	60.00% <0.00%> (-13.34%)	⬇️
...pulsar/broker/service/PulsarCommandSenderImpl.java	75.38% <0.00%> (-3.08%)	⬇️
...roker/service/persistent/MessageDeduplication.java	50.65% <0.00%> (-3.06%)	⬇️
...rg/apache/pulsar/proxy/server/ProxyConnection.java	55.21% <0.00%> (-1.13%)	⬇️
...lsar/broker/loadbalance/impl/ThresholdShedder.java	30.32% <0.00%> (-0.82%)	⬇️
...tent/PersistentDispatcherSingleActiveConsumer.java	59.24% <0.00%> (-0.63%)	⬇️
...che/bookkeeper/mledger/impl/ManagedCursorImpl.java	37.06% <0.00%> (-0.06%)	⬇️
... and 182 more

[tisonkun]

Merging...

Thanks for your all efforts.

[tisonkun]

@michaeljmarshall @eolivelli @nodece @lhotari

Although, I noticed that this proposal didn't pass a formal PIP vote yet, while there is a thread without objection. I suggest you continue that thread to make a formal resolution.

[momo-jun]

I will add docs as a part of this work, but I haven't yet because the design isn't solidified.

Hi @michaeljmarshall, do you have any updates for adding the docs?
Since 2.11 has been released, now it's good timing to start the doc update in the next version.

[michaeljmarshall]

@momo-jun this PR was reverted, so no docs are needed.