Conversation

@Technoboy-
Contributor

Fixes #14191

Master Issue: #14191

Motivation

As #14191 described, users may get confused about the current permission.
First, we only define the below actions in the grant-permission interface:

produce,consume,sources,sinks,functions,packages

Even though we grant all the actions to some roles like below (myuser is not an admin, only a normal user):

$ pulsar-admin namespaces grant-permission public/default --role myuser --actions produce,consume,sources,sinks,functions,packages

But when we list topics under a namespace:

$ pulsar-admin --admin-url https://dev.pulsar.xyz.com:8081 --auth-plugin "org.apache.pulsar.client.impl.auth.AuthenticationToken" --auth-params "token:<token>" topics list public/default

We will get the below error message:

HTTP 403 : Unauthorized to validateNamespaceOperation for operation [GET_BUNDLE] on namespace [mytenant/np1]

Because when listing topics, we search all the topics, including non-persistent topics, which validates the GET_BUNDLE operation, but we don't have this action in AuthAction, and it's not good to add it to AuthAction, for it would duplicate NamespaceOperation. So we'd better map this to the consume operation to solve the problem.

Documentation

  • no-need-doc
    (Please explain why)

@Technoboy- Technoboy- self-assigned this May 9, 2022
@Technoboy- Technoboy- added this to the 2.11.0 milestone May 9, 2022
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label May 9, 2022
@Technoboy- Technoboy- added type/bug The PR fixed a bug or issue reported a bug area/security release/2.9.3 release/2.8.4 release/2.10.1 and removed doc-not-needed Your PR changes do not impact docs labels May 9, 2022
@Technoboy- Technoboy- changed the title Fix grant all permissions but can't list topic. [fix][security] Fix grant all permissions but can't list topic. May 9, 2022
@github-actions

github-actions bot commented May 9, 2022

@Technoboy-: Thanks for your contribution. For this PR, do we need to update docs?
(The PR template contains info about doc, which helps others know more about the changes. Can you provide doc-related info in this and future PR descriptions? Thanks)

@nicoloboschi nicoloboschi requested review from eolivelli and lhotari May 9, 2022 12:32
@codelipenghui codelipenghui merged commit 5155b1d into apache:master May 9, 2022
@nicoloboschi
Contributor

@Technoboy- the patch doesn't apply cleanly to 2.10. Would you mind providing it in another pull?

@Technoboy-
Contributor Author

@Technoboy- the patch doesn't apply cleanly to 2.10. Would you mind providing it in another pull?

Ok.

codelipenghui pushed a commit that referenced this pull request May 20, 2022
nicoloboschi pushed a commit to datastax/pulsar that referenced this pull request May 23, 2022
(cherry picked from commit 5155b1d)
(cherry picked from commit 3dcdf2a)
@mattisonchao mattisonchao added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Jun 13, 2022
mattisonchao pushed a commit that referenced this pull request Jun 13, 2022
@BewareMyPower
Contributor

@Technoboy- Could you create another PR to migrate this PR to branch-2.8? The allowNamespaceOperationAsync method is very different in branch-2.8.

public CompletableFuture<Boolean> allowNamespaceOperationAsync(NamespaceName namespaceName,
                                                               String role,
                                                               NamespaceOperation operation,
                                                               AuthenticationDataSource authData) {
    CompletableFuture<Boolean> isAuthorizedFuture;
    switch (operation) {
        case PACKAGES:
            isAuthorizedFuture = allowTheSpecifiedActionOpsAsync(namespaceName, role, authData, AuthAction.packages);
            break;
        case GET_TOPICS:
        case UNSUBSCRIBE:
        case CLEAR_BACKLOG:
            isAuthorizedFuture = allowTheSpecifiedActionOpsAsync(namespaceName, role, authData, AuthAction.consume);
            break;
        default:
            // Operations with no AuthAction mapping are denied for non-admin roles.
            isAuthorizedFuture = CompletableFuture.completedFuture(false);
    }
    CompletableFuture<Boolean> isTenantAdminFuture = validateTenantAdminAccess(namespaceName.getTenant(), role, authData);
    return isTenantAdminFuture.thenCombine(isAuthorizedFuture, (isTenantAdmin, isAuthorized) -> {
        if (log.isDebugEnabled()) {
            log.debug("Verify if role {} is allowed to {} to topic {}: isTenantAdmin={}, isAuthorized={}",
                    role, operation, namespaceName, isTenantAdmin, isAuthorized);
        }
        return isTenantAdmin || isAuthorized;
    });
}
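The mechanism behind the 403 in the PR description and the branch-2.8 method quoted above is the same: every NamespaceOperation has to be mapped to an AuthAction, and an operation with no mapping falls into the default branch and is denied no matter what was granted. The following is an added, self-contained model of that decision, not Pulsar's own code. The enum and method names follow the page; the in-memory grant store, the tenant-admin set and the mapGetBundleToConsume toggle (which switches between the pre-fix and post-fix mapping of GET_BUNDLE) are assumptions made for this illustration.

```java
import java.util.EnumSet;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.CompletableFuture;

// Added example, not Pulsar's own code: a minimal model of how a namespace
// operation is authorized against the AuthAction grants a role holds.
public class NamespaceOperationAuthzExample {

    // Subset of Pulsar's AuthAction: the actions grant-permission accepts.
    enum AuthAction { produce, consume, sources, sinks, functions, packages }

    // Subset of Pulsar's NamespaceOperation, including the one behind the 403.
    enum NamespaceOperation { PACKAGES, GET_TOPICS, UNSUBSCRIBE, CLEAR_BACKLOG, GET_BUNDLE }

    // Constructed stand-in for the namespace policy store: role -> granted actions.
    private final Map<String, Set<AuthAction>> grants = new HashMap<>();
    private final Set<String> tenantAdmins = new HashSet<>();
    // true  = behaviour after this PR (GET_BUNDLE mapped to AuthAction.consume)
    // false = behaviour before it (no mapping, so the check always fails)
    private final boolean mapGetBundleToConsume;

    NamespaceOperationAuthzExample(boolean mapGetBundleToConsume) {
        this.mapGetBundleToConsume = mapGetBundleToConsume;
    }

    // Equivalent of `pulsar-admin namespaces grant-permission --role <role> --actions ...`
    void grantPermission(String role, Set<AuthAction> actions) {
        grants.put(role, EnumSet.copyOf(actions));
    }

    void addTenantAdmin(String role) {
        tenantAdmins.add(role);
    }

    // Does the role hold this specific AuthAction on the namespace?
    CompletableFuture<Boolean> allowTheSpecifiedActionOpsAsync(String role, AuthAction action) {
        Set<AuthAction> granted = grants.get(role);
        return CompletableFuture.completedFuture(granted != null && granted.contains(action));
    }

    CompletableFuture<Boolean> validateTenantAdminAccess(String role) {
        return CompletableFuture.completedFuture(tenantAdmins.contains(role));
    }

    // Same shape as the branch-2.8 method quoted in the thread: each
    // NamespaceOperation must map to an AuthAction, otherwise it is denied.
    CompletableFuture<Boolean> allowNamespaceOperationAsync(String role, NamespaceOperation operation) {
        CompletableFuture<Boolean> isAuthorizedFuture;
        switch (operation) {
            case PACKAGES:
                isAuthorizedFuture = allowTheSpecifiedActionOpsAsync(role, AuthAction.packages);
                break;
            case GET_TOPICS:
            case UNSUBSCRIBE:
            case CLEAR_BACKLOG:
                isAuthorizedFuture = allowTheSpecifiedActionOpsAsync(role, AuthAction.consume);
                break;
            case GET_BUNDLE:
                // Before the fix GET_BUNDLE had no mapping and behaved like the default branch.
                isAuthorizedFuture = mapGetBundleToConsume
                        ? allowTheSpecifiedActionOpsAsync(role, AuthAction.consume)
                        : CompletableFuture.completedFuture(false);
                break;
            default:
                // No AuthAction maps to this operation: denied regardless of the grants.
                isAuthorizedFuture = CompletableFuture.completedFuture(false);
        }
        return validateTenantAdminAccess(role)
                .thenCombine(isAuthorizedFuture, (isTenantAdmin, isAuthorized) -> isTenantAdmin || isAuthorized);
    }

    public static void main(String[] args) {
        // Reproduces the report: a non-admin role granted every action the CLI accepts.
        Set<AuthAction> everyAction = EnumSet.allOf(AuthAction.class);
        for (boolean fixed : new boolean[] {false, true}) {
            NamespaceOperationAuthzExample authz = new NamespaceOperationAuthzExample(fixed);
            authz.grantPermission("myuser", everyAction);
            boolean canListTopics = authz.allowNamespaceOperationAsync("myuser", NamespaceOperation.GET_TOPICS).join();
            boolean canGetBundle = authz.allowNamespaceOperationAsync("myuser", NamespaceOperation.GET_BUNDLE).join();
            System.out.printf("%s the fix: GET_TOPICS=%s GET_BUNDLE=%s -> topics list %s%n",
                    fixed ? "with" : "without", canListTopics, canGetBundle,
                    (canListTopics && canGetBundle) ? "succeeds" : "fails with 403 on [GET_BUNDLE]");
        }
    }
}
```

Running main shows the two outcomes side by side: without the mapping, GET_TOPICS is allowed but GET_BUNDLE is denied, so the topics listing fails with the 403 from the description even though every grantable action was granted; with GET_BUNDLE mapped to consume, both checks pass. The tenant-admin path is why an admin never hit the bug: isTenantAdmin short-circuits the action check entirely.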

Development

Successfully merging this pull request may close these issues.

NonPersistentTopics - [myuser] Failed to get list of topics under namespace public/default

5 participants