Skip to content

[fix][authorization] Fix multiple roles authorization #16645

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Technoboy- merged 1 commit into from
Jul 25, 2022
Merged

[fix][authorization] Fix multiple roles authorization #16645

Technoboy- merged 1 commit into from
Jul 25, 2022

Conversation

@nodece
Copy link
Member

@nodece nodece commented Jul 18, 2022
edited
Loading

Fixes #16574

Motivation

The MultiRolesTokenAuthorizationProvider cannot handle the superuser and tenant admin correctly. It only checks if the role passed in is a superuser, which is incorrect. The correct way is to get a role list from authentication data and then check if the role list contains a superuser.

Modifications

  • Override the isSuperAdmin
  • Override the validateTenantAdminAccess
  • Add test for the MultiRolesTokenAuthorizationProvider

Documentation

  • doc-not-needed

@nodece nodece requested a review from RobertIndie July 18, 2022 07:32
@nodece nodece mentioned this pull request Jul 18, 2022
Closed
@github-actions github-actions bot added the doc-not-needed Your PR changes do not impact docs label Jul 18, 2022
@nodece nodece self-assigned this Jul 18, 2022
@nodece nodece added cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 component/authorization type/bug The PR fixed a bug or issue reported a bug labels Jul 18, 2022
@nodece nodece removed cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 labels Jul 18, 2022
@nodece
[fix][authorization] Fix multiple roles authorization
224ca1b 
Signed-off-by: Zixuan Liu <nodeces@gmail.com>
@nodece nodece force-pushed the fix-multiple-roles-authz branch from 0d67b5d to 224ca1b Compare July 18, 2022 10:35
@nodece nodece requested a review from Technoboy- July 18, 2022 10:35
Technoboy-
Technoboy- reviewed Jul 25, 2022
View reviewed changes
...c/main/java/org/apache/pulsar/broker/authorization/MultiRolesTokenAuthorizationProvider.java
throw new RestException(Response.Status.NOT_FOUND, "Tenant does not exist");
}
log.error("Failed to get tenant {}", tenantName, cause);
throw new RestException(cause);
Copy link
Contributor

@Technoboy- Technoboy- Jul 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If line 129 throws RestException, will here wrap to new RestException(RestException ...) ?

Copy link
Member Author

@nodece nodece Jul 25, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

RestException can get the real exception.

public RestException(Throwable t) {
        super(getResponse(t));
    }

    private static Response getResponse(Throwable t) {
        if (t instanceof WebApplicationException) {
            WebApplicationException e = (WebApplicationException) t;
            return e.getResponse();
        } else {
            return Response
                .status(Status.INTERNAL_SERVER_ERROR)
                .entity(getExceptionData(t))
                .type(MediaType.TEXT_PLAIN)
                .build();
        }
    }

@nodece nodece requested a review from Technoboy- July 25, 2022 09:49
@Technoboy- Technoboy- merged commit d8483d4 into apache:master Jul 25, 2022
@BewareMyPower
Copy link
Contributor

BewareMyPower commented Aug 1, 2022

This PR relies on the TenantResources#getTenantAsync method, which relies on the BaseResources#joinPath method that I tried to migrate in #16867. Could you help review that PR so that I can continue cherry-picking and resolving the conflicts?

@nodece
Copy link
Member Author

nodece commented Aug 1, 2022

@BewareMyPower Done.

@nodece nodece deleted the fix-multiple-roles-authz branch August 1, 2022 10:01
BewareMyPower pushed a commit that referenced this pull request Aug 5, 2022
@nodece @BewareMyPower
[fix][authorization] Fix multiple roles authorization (#16645)
735e823 
(cherry picked from commit d8483d4)
@BewareMyPower BewareMyPower added the cherry-picked/branch-2.8 Archived: 2.8 is end of life label Aug 5, 2022
codelipenghui pushed a commit that referenced this pull request Aug 8, 2022
@nodece @codelipenghui
[fix][authorization] Fix multiple roles authorization (#16645)
38be99c 
(cherry picked from commit d8483d4)
@mattisonchao mattisonchao added the cherry-picked/branch-2.9 Archived: 2.9 is end of life label Aug 10, 2022
mattisonchao pushed a commit that referenced this pull request Aug 10, 2022
@nodece @mattisonchao
[fix][authorization] Fix multiple roles authorization (#16645)
0cc42d9 
(cherry picked from commit d8483d4)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RobertIndie RobertIndie RobertIndie approved these changes

@coderzc coderzc coderzc approved these changes

@codelipenghui codelipenghui Awaiting requested review from codelipenghui

@mattisonchao mattisonchao Awaiting requested review from mattisonchao

@Technoboy- Technoboy- Awaiting requested review from Technoboy-

Assignees

@nodece nodece

Labels

area/authn cherry-picked/branch-2.8 Archived: 2.8 is end of life cherry-picked/branch-2.9 Archived: 2.9 is end of life cherry-picked/branch-2.10 doc-not-needed Your PR changes do not impact docs release/2.8.4 release/2.9.4 release/2.10.2 type/bug The PR fixed a bug or issue reported a bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

MultiRolesTokenAuthorizationProvider only authorizes first role (at least for superuser)

8 participants

@nodece @BewareMyPower @Technoboy- @RobertIndie @coderzc @codelipenghui @tisonkun @mattisonchao