apache · codelipenghui · Nov 15, 2021 · Nov 12, 2021
diff --git a/...-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java b/...-broker/src/test/java/org/apache/pulsar/client/api/AuthorizationProducerConsumerTest.java
@@ -62,6 +62,7 @@
 import org.apache.pulsar.common.policies.data.TenantOperation;
 import org.apache.pulsar.common.policies.data.TopicOperation;
 import org.apache.pulsar.common.util.RestException;
+import org.apache.pulsar.packages.management.core.MockedPackagesStorageProvider;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.testng.Assert;
@@ -174,6 +175,8 @@ public void testProducerAndConsumerAuthorization() throws Exception {
     public void testSubscriberPermission() throws Exception {
         log.info("-- Starting {} test --", methodName);
 
+        conf.setEnablePackagesManagement(true);
+        conf.setPackagesManagementStorageProvider(MockedPackagesStorageProvider.class.getName());
         conf.setAuthorizationProvider(PulsarAuthorizationProvider.class.getName());
         setup();
 
@@ -263,15 +266,33 @@ public void testSubscriberPermission() throws Exception {
             assertTrue(e.getMessage().startsWith(
                     "Unauthorized to validateNamespaceOperation for operation [UNSUBSCRIBE]"));
         }
+        try {
+            sub1Admin.namespaces().getTopics(namespace);
+            fail("should have failed with authorization exception");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().startsWith(
+                    "Unauthorized to validateNamespaceOperation for operation [GET_TOPICS]"));
+        }
+        try {
+            sub1Admin.packages().listPackages("function", namespace);
+            fail("should have failed with authorization exception");
+        } catch (Exception e) {
+            assertTrue(e.getMessage().startsWith(
+                    "Role sub1-role has not the 'package' permission to do the packages operations"));
+        }
 
         // grant namespace-level authorization to the subscriptionRole
         tenantAdmin.namespaces().grantPermissionOnNamespace(namespace, subscriptionRole,
-                Collections.singleton(AuthAction.consume));
+                Sets.newHashSet(AuthAction.consume, AuthAction.packages));
 
         // now, subscriptionRole have consume authorization on namespace, so it will successfully unsubscribe namespace
         superAdmin.namespaces().unsubscribeNamespaceBundle(namespace, "0x00000000_0xffffffff", subscriptionName2);
         subscriptions = sub1Admin.topics().getSubscriptions(topicName);
         assertEquals(subscriptions.size(), 1);
+        List<String> topics = sub1Admin.namespaces().getTopics(namespace);
+        assertEquals(topics.size(), 1);
+        List<String> packages = sub1Admin.packages().listPackages("function", namespace);
+        assertEquals(packages.size(), 0);
 
         // subscriptionRole has namespace-level authorization
         sub1Admin.topics().resetCursor(topicName, subscriptionName, 10);

diff --git a/...java/org/apache/pulsar/tests/integration/auth/admin/GetTopicsOfNamespaceWithAuthTest.java b/...java/org/apache/pulsar/tests/integration/auth/admin/GetTopicsOfNamespaceWithAuthTest.java